Increased law enforcement pressure has forced ransomware groups like DragonForce and Anubis to move away from traditional affiliate models
Analysis Summary
# Threat Actor: DragonForce Ransomware Group
## Attribution & Identity
The group is identified as the **DragonForce** ransomware operator. It emerged in August 2023 as a Ransomware-as-a-Service (RaaS) scheme but has recently rebranded internally as a "cartel." This shift is part of a broader adaptation by ransomware operators to increased law enforcement crackdowns, moving away from the traditional affiliate model previously used by groups like LockBit.
## Activity Summary
DragonForce, operating since August 2023, has recently announced a shift in its business model in response to law enforcement pressure. On March 19, 2025, they announced a transition to a **"distributed model"** designed to allow affiliates to create their own ransomware "brands." The group now provides infrastructure and tools but does not mandate the deployment of the original DragonForce ransomware by its affiliates.
## Tactics, Techniques & Procedures
The observable TTPs concern the infrastructure and services provided under the new model, which enable affiliates to conduct ransomware operations independently under DragonForce's operational umbrella:
- Provision of encryption and ransom negotiation tools.
- Provision of administration and client panels.
- Provision of a file storage system.
- Operation of a Tor-based leak site and associated `.onion` domain.
- Provision of support services for affiliates.
*Note: Specific execution TTPs for affiliates (e.g., initial access, execution methods) were not detailed; only the services DragonForce provides to enable these operations are described.*
## Targeting
- **Sectors:** Not explicitly specified; consistent with opportunistic, general ransomware targeting.
- **Geography:** Not explicitly specified.
- **Victims:** No specific victims mentioned in the provided context.
## Tools & Infrastructure
- **Malware families used:** DragonForce ransomware (as the foundation RaaS offering).
- **Infrastructure (C2, domains, IPs):**
  - Tor-based leak site infrastructure.
  - Provision of `.onion` domains for affiliate operations.
## Implications
The shift by DragonForce to a distributed, cartel-like model represents an evolution in the ransomware ecosystem, likely intended to increase operational resilience against law enforcement disruption. By allowing affiliates to brand their own efforts while still leveraging DragonForce's core tools and infrastructure, the ecosystem fragments and makes centralized takedowns less effective, posing a significant challenge for threat mitigation.
## Mitigations
The available context supports mitigations aimed at the *new operating model* rather than at specific technical execution:
- Monitor underground forums for discussions regarding novel RaaS structures (cartels, shared infrastructure models).
- Expect ransomware incidents in which the observed name or brand differs from the underlying toolset provider (DragonForce), so attribution should not rely on the brand alone.
- Implement robust detection and response capabilities able to identify the core features provided (encryption tools, custom panels).