DragonForce shifts from RaaS to a cartel-style affiliate model
Threat Actor Meta
Summary
Hide ▲
Show ▼
DragonForce has moved from ransomware-as-a-service to a cartel-style affiliate model, expanding its reach across the ransomware ecosystem. The shift encourages branded variants, affiliate recruitment, and stronger control over partner activity, which can increase operational scale and market pressure on rival crews.
Related Happenings
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor Meta
First: 05.02.2026 00:14
Last: 05.02.2026 00:14
Sources 1
About this happening:
**DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor MetaAbout this happening: **DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
DragonForce campaign expands across multiple victims
Campaign
First: 03.12.2025 17:05
Last: 03.12.2025 17:05
Sources 1
How related:
This partnership drew scrutiny following an incident impacting UK retailer Marks & Spencer, which researchers attribute to cooperative DragonForce–Scattered Spider activity shortly after DragonForce rebranded as a “cartel.”
About this happening:
**DragonForce** and **Scattered Spider** are driving a **multistage ransomware campaign** that pairs social engineering with follow-on encryption to hit **high-value targets world...
DragonForce campaign expands across multiple victims
CampaignHow related: This partnership drew scrutiny following an incident impacting UK retailer Marks & Spencer, which researchers attribute to cooperative DragonForce–Scattered Spider activity shortly after DragonForce rebranded as a “cartel.”
About this happening: **DragonForce** and **Scattered Spider** are driving a **multistage ransomware campaign** that pairs social engineering with follow-on encryption to hit **high-value targets world...
DragonForce rebrands as a ransomware cartel and expands its affiliate model
Threat Actor Meta
First: 03.12.2025 17:05
Last: 03.12.2025 17:05
Sources 1
About this happening:
**DragonForce** rebranded itself as a **ransomware cartel** in **2025**, widening its affiliate model and lowering entry barriers for new operators. The shift matters because the...
DragonForce rebrands as a ransomware cartel and expands its affiliate model
Threat Actor MetaAbout this happening: **DragonForce** rebranded itself as a **ransomware cartel** in **2025**, widening its affiliate model and lowering entry barriers for new operators. The shift matters because the...
Ransomware-as-a-service ecosystem splinters into 85-group market in Q3 2025
Threat Actor Meta
First: 14.11.2025 12:37
Last: 14.11.2025 12:37
Sources 1
About this happening:
**Q3 2025** marked a major **ransomware ecosystem** shift as **85 active groups** and **14 new brands** pushed the market toward fragmentation. The change raises risk because **fo...
Ransomware-as-a-service ecosystem splinters into 85-group market in Q3 2025
Threat Actor MetaAbout this happening: **Q3 2025** marked a major **ransomware ecosystem** shift as **85 active groups** and **14 new brands** pushed the market toward fragmentation. The change raises risk because **fo...
Timeline
-
04.11.2025 15:45 2 articles · 6mo ago
DragonForce shifts to a cartel-style affiliate model
Initial DisclosureDragonForce, a Conti-derived ransomware operation, moves from a standard ransomware-as-a-service model to a cartel-style structure that encourages affiliates to create branded variants while using a shared platform. Acronis Threat Research Unit researchers say the group retains Conti-like ChaCha20 and RSA encryption, per-file unique keys, a 10-byte metadata block, SMB-based network spreading, and a hidden configuration system that replaces visible command-line parameters.
Show sources
- DragonForce Cartel Emerges as Conti-Derived Ransomware Threat — www.infosecurity-magazine.com — 04.11.2025 15:45
- DragonForce Cartel Emerges as Conti-Derived Ransomware Threat — www.infosecurity-magazine.com — 04.11.2025 15:45