DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor Meta
Summary
DragonForce has shifted into a cartel-style ransomware-as-a-service model, letting affiliates launch their own brands while sharing a common umbrella. That change expands coordination and resource sharing across the ransomware ecosystem, making attacks harder to contain. The group’s new structure also supports data-audited extortion, helping operators tune ransom pressure with more precision. The result is a more organized and scalable criminal model that can raise risk for enterprise victims.
Related Happenings
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
Campaign
First: 20.04.2026 23:02
Last: 20.04.2026 23:02
Sources 1
About this happening:
The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
Akira group rapid double-extortion ransomware activity
Malware Activity
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
About this happening:
**Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor Meta
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
**Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
VenomStealer ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 31.03.2026 17:51
Last: 31.03.2026 17:51
Sources 1
About this happening:
**VenomStealer** is being run as a **licensed underground service** with an **affiliate program**, shifting it from a single malware kit into a repeatable operator ecosystem that...
Timeline
05.02.2026 00:14 2 articles · 3mo ago
DragonForce adopts cartel-style ransomware model
Campaign Scope Update
DragonForce shifts its ransomware-as-a-service into a cartel-like umbrella where affiliates can run their own brands while sharing petabytes of storage, 24/7 server monitoring, professional file analysis and decryption services, dry runs, test attacks, and a Company Data Audit that helps tune ransom pressure. The group also launches automated affiliate signup without vetting or initial deposits. LevelBlue says the ransomware overlaps with leaked Conti source code features such as deleting shadow copies, scanning SMB ports, and using multithreading across Windows, Linux, and ESXi.
Sources:
- Ransomware Gang Goes Full 'Godfather' With Cartel — www.darkreading.com — 05.02.2026 00:14