DragonForce shifts from RaaS to a cartel-style affiliate model
Threat Actor Meta
Summary
Hide ▲
Show ▼
DragonForce has moved from ransomware-as-a-service to a cartel-style affiliate model, expanding its reach across the ransomware ecosystem. The shift encourages branded variants, affiliate recruitment, and stronger control over partner activity, which can increase operational scale and market pressure on rival crews.
Related Happenings
INC ransomware group’s RaaS expansion and victim growth in 2026
Threat Actor Meta
H score45
First: 18.06.2026 17:12
Last: 18.06.2026 17:12
Sources 1
About this happening:
**INC** has grown from a **RaaS** startup into one of **2026**’s most prolific ransomware groups, with **830+ victims since August 2023**. The expansion followed affiliate migrati...
INC ransomware group’s RaaS expansion and victim growth in 2026
Threat Actor MetaAbout this happening: **INC** has grown from a **RaaS** startup into one of **2026**’s most prolific ransomware groups, with **830+ victims since August 2023**. The expansion followed affiliate migrati...
DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure
Threat Actor Meta
H score26
First: 18.06.2026 16:30
Last: 18.06.2026 16:30
Sources 1
About this happening:
**Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...
DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure
Threat Actor MetaAbout this happening: **Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor Meta
H score38
First: 05.02.2026 00:14
Last: 05.02.2026 00:14
Sources 1
About this happening:
**DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor MetaAbout this happening: **DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
DragonForce campaign expands across multiple victims
Campaign
H score39
First: 03.12.2025 17:05
Last: 03.12.2025 17:05
Sources 1
How related:
This partnership drew scrutiny following an incident impacting UK retailer Marks & Spencer, which researchers attribute to cooperative DragonForce–Scattered Spider activity shortly after DragonForce rebranded as a “cartel.”
About this happening:
**DragonForce** is a **ransomware campaign** that pairs follow-on encryption with **Scattered Spider**-linked intrusion tradecraft against **high-value targets**. In **December 20...
DragonForce campaign expands across multiple victims
CampaignHow related: This partnership drew scrutiny following an incident impacting UK retailer Marks & Spencer, which researchers attribute to cooperative DragonForce–Scattered Spider activity shortly after DragonForce rebranded as a “cartel.”
About this happening: **DragonForce** is a **ransomware campaign** that pairs follow-on encryption with **Scattered Spider**-linked intrusion tradecraft against **high-value targets**. In **December 20...
Timeline
-
04.11.2025 15:45 2 articles · 8mo ago
DragonForce shifts to a cartel-style affiliate model
Initial DisclosureDragonForce, a Conti-derived ransomware operation, moves from a standard ransomware-as-a-service model to a cartel-style structure that encourages affiliates to create branded variants while using a shared platform. Acronis Threat Research Unit researchers say the group retains Conti-like ChaCha20 and RSA encryption, per-file unique keys, a 10-byte metadata block, SMB-based network spreading, and a hidden configuration system that replaces visible command-line parameters.
Show sources
- DragonForce Cartel Emerges as Conti-Derived Ransomware Threat — www.infosecurity-magazine.com — 04.11.2025 15:45
- DragonForce Cartel Emerges as Conti-Derived Ransomware Threat — www.infosecurity-magazine.com — 04.11.2025 15:45