Find notable cyber news and cases, enriched with sources, timelines, and signals.

DragonForce shifts from RaaS to a cartel-style affiliate model

Threat Actor Meta
First reported
Last updated
Happening score
H score 26
1 unique sources, 1 articles

Summary

Hide ▲

DragonForce has moved from ransomware-as-a-service to a cartel-style affiliate model, expanding its reach across the ransomware ecosystem. The shift encourages branded variants, affiliate recruitment, and stronger control over partner activity, which can increase operational scale and market pressure on rival crews.

Related Happenings

INC ransomware group’s RaaS expansion and victim growth in 2026

Threat Actor Meta
H score45 First: 18.06.2026 17:12 Last: 18.06.2026 17:12 Sources 1

About this happening: **INC** has grown from a **RaaS** startup into one of **2026**’s most prolific ransomware groups, with **830+ victims since August 2023**. The expansion followed affiliate migrati...

DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure

Threat Actor Meta
H score26 First: 18.06.2026 16:30 Last: 18.06.2026 16:30 Sources 1

About this happening: **Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
H score57 First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

About this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...

DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella

Threat Actor Meta
H score38 First: 05.02.2026 00:14 Last: 05.02.2026 00:14 Sources 1

About this happening: **DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...

DragonForce campaign expands across multiple victims

Campaign
H score39 First: 03.12.2025 17:05 Last: 03.12.2025 17:05 Sources 1

How related: This partnership drew scrutiny following an incident impacting UK retailer Marks & Spencer, which researchers attribute to cooperative DragonForce–Scattered Spider activity shortly after DragonForce rebranded as a “cartel.”

About this happening: **DragonForce** is a **ransomware campaign** that pairs follow-on encryption with **Scattered Spider**-linked intrusion tradecraft against **high-value targets**. In **December 20...

Timeline

  1. 04.11.2025 15:45 2 articles · 8mo ago

    DragonForce shifts to a cartel-style affiliate model

    Initial Disclosure

    DragonForce, a Conti-derived ransomware operation, moves from a standard ransomware-as-a-service model to a cartel-style structure that encourages affiliates to create branded variants while using a shared platform. Acronis Threat Research Unit researchers say the group retains Conti-like ChaCha20 and RSA encryption, per-file unique keys, a 10-byte metadata block, SMB-based network spreading, and a hidden configuration system that replaces visible command-line parameters.

    Show sources