DragonForce has quickly transformed from the shadows of obscurity into one of the most watched ransomware cartels of 2025, marking a significant evolution in both the scale and style of cyber extortion.
First identified by security researchers in 2023, DragonForce initially operated as a Ransomware-as-a-Service (RaaS) enterprise, rapidly gaining notoriety in 2024 with high-profile attacks and an aggressive affiliate program. Despite ongoing debate about its true origins — possibly tied to the Malaysia-based hacktivist group “DragonForce Malaysia” — the cartel’s operational maturity and escalating frequency of attacks make it a central focus for defenders and analysts alike.
In early 2025, DragonForce formalized its cartel status, inviting other cybercriminal groups to collaborate on monetizing ransomware infrastructure.
What Makes a Ransomware Cartel?
A ransomware cartel is best described as a decentralized coalition of threat actors and affiliate hackers who cooperate under a shared infrastructure, branding, and criminal marketplace. Unlike traditional RaaS groups — which often maintain central leadership and exclusivity — a cartel structure encourages cross-group collaboration, resource sharing, and independent branding for attacks. Cartel members are free to launch ransomware campaigns using the cartel’s signatures or tools, or under their own brand, as long as they adhere to a marketplace-style division of labor and profit. This model boosts agility, innovation, and scalability, allowing the cartel to outpace defenders and rapidly adapt its techniques.
The DragonForce cartel in particular stands out for its elaborate affiliate program, which offers customizable ransomware builders, multi-platform encryptors, and support services. Its marketplace approach mirrors tactics seen in major cybercriminal forums, with affiliates keeping up to 80% of ransoms for successful attacks. The cartel actively recruits both solo threat actors and entire RaaS operations while facilitating press outreach — sometimes even issuing statements to the media to pressure victims and rival syndicates. Some representatives claim to abide by a “moral code” by avoiding ransomware campaigns against critical healthcare targets, though the sincerity and consistency of these claims remain controversial.
In effect, the cartel model transforms ransomware from isolated criminal enterprises into sprawling, collaborative marketplaces — creating a more unpredictable and resilient threat landscape for defenders.
DragonForce: Timeline and Transformation
DragonForce’s climb to prominence is marked by rapid evolution and aggressive self-promotion across the criminal underground. First observed operating as a Ransomware-as-a-Service (RaaS) provider in 2023, the group targeted high-profile organizations with sophisticated multi-platform ransomware variants, including a notorious attack impacting the Ohio Lottery and a major UK retail chain in 2025. The losses reported by these victims reached hundreds of millions, underscoring DragonForce’s ability to both inflict damaging breaches and amplify reputational pressure.
In early 2024, DragonForce launched a leak site and expanded its affiliate program, offering customizable ransomware builders and keeping up to 20% of proceeds, while their partners retained the lion’s share. By spring 2025, DragonForce announced its transition to a formal cartel model. This transformation included attempts to absorb or collaborate with other ransomware groups — most notably a takeover bid and subsequent infrastructure consolidation involving RansomHub, BlackLock, and Mamona, with public invitations to rival syndicates through dark web messages and leak site “portals”.
DragonForce’s innovation is not limited to collaboration. In August 2025, it debuted a “data analysis service” for affiliates — an extortion enhancement that assesses stolen data, crafts custom call scripts and legal drafts, and dynamically increases ransom pressure on victims. Their outreach extends beyond technical support: DragonForce frequently contacts media outlets directly, tailoring press releases to maximize both panic and negotiation leverage.
Notable Ransomware Cartels and Groups
The ransomware cartel ecosystem in 2025 includes several dominant and emerging players, each with distinct operational models and regional footprints:
| Cartel/Group | Unique Features | Recent Activity | Relative Scale |
|---|---|---|---|
| LockBit Cartel | Extensive affiliate program and modular ransomware. Has made attempts to create a cartel, reaching out to Qilin and other groups. Collaboration is attempted, but rivalries and forum disputes also exist, calling the stability of these alliances into question. | Targeting global critical infrastructure, ongoing collaboration with splinter groups | LockBit continues to target global infrastructures and operates at the largest global scale |
| Qilin | Most prolific ransomware group in 2025, responsible for hundreds of attacks and dominating both Europe and Asia. Replaced RansomHub after its shutdown, absorbing many affiliates and outpacing previous top groups. | Leading attack volumes in 2025, targeting consumer and manufacturing sectors | Dominant in Europe and Asia |
| RansomHub | Known for double extortion and leak site tactics, RansomHub saw a decline and rumored hostile takeover or consolidation by DragonForce during 2025. | Notable for strategic alliances and hostile takeovers | Had strong U.S. presence, but after April 2025, its affiliates dispersed, with many joining Qilin and DragonForce. |
| Akira | Multi-factor authentication bypass methods, modular delivery platforms | Surge in victim count, focus on manufacturing and business sectors | Fastest growth quarter-on-quarter |
| BlackLock/Mamona | Both BlackLock and Mamona were taken offline after being defaced by DragonForce; there are credible links between DragonForce and these groups. | Linked with DragonForce activities and “DevMan” variant | Notable for technical innovation |
| Scattered Spider/“Com” | Cited in industry reports for initial access brokerage, social engineering, and vishing-based extortion, partnering with DragonForce for multi-stage attacks (e.g., the UK retail attack) in 2025. | Orchestrated multi-stage attacks in tandem with DragonForce | Known for agility and social engineering skills |
These cartels collectively drive global ransomware operations, increasingly blurring the lines between technical, criminal, and extortion industries. Their collaboration and adoption of innovations — such as AI-generated payloads and multi-stage extortion — continue to reshape ransomware threats in unpredictable ways.
Core Trends in Cartel Operations
DragonForce exemplifies a new wave of ransomware cartel operations defined by several recurring trends. The affiliate-driven model allows threat actors to join the cartel’s ranks while retaining significant autonomy — they can launch attacks under the DragonForce brand or their own, using shared infrastructure and reinvesting up to 80% of ransom proceeds directly. Centralized resources span leak site hosting, ransomware building, payment systems, and secure command-and-control infrastructure, modeled after legitimate technology companies but serving criminal purposes.
A notable innovation is the cartel’s “white-label” service: affiliates create customized ransomware samples and ransom notes, choose encryption techniques, and receive ongoing technical support and updates for bypassing defenses. DragonForce’s infrastructure regularly integrates new attack vectors and BYOVD (Bring Your Own Vulnerable Driver) techniques to bypass EDR/AV. In spring 2025, the group unveiled a “data analysis service,” enabling affiliates to mine stolen data and craft targeted extortion campaigns — making ransom demands more persuasive and harder to ignore.
Double extortion is now routine: campaigns focus equally on encrypting files and leveraging sensitive stolen data for negotiation pressure. Cartel members also use heightened media outreach, often contacting journalists to maximize reputational damage and pressure on victims. Some affiliates claim to follow loose “codes of ethics,” such as avoiding attacks on healthcare or critical services, although these claims lack consistency and are sometimes disputed by victim counts. The overall result is a decentralized, scalable, and innovation-driven operational environment that makes modern ransomware cartels increasingly unpredictable and resilient.
Defensive Strategies and Industry Response
The rise of DragonForce and its cartel peers has forced defenders to adapt quickly, focusing on intelligence-driven response and layered defense. Successful organizations increasingly rely on threat sharing, rapid detection, and coordinated response teams to counter not just individual ransomware strains but entire cartel operations. Proactive strategies include constant vulnerability management, multifactor authentication, regular data backups, and simulated ransom scenarios for incident readiness.
Industry advisories from CISA, FBI, and Europol specifically highlight cartel behaviors such as collaborative group extortion, initial access brokering, and multi-stage victim targeting. Defensive tools are evolving to spot cartel tactics: monitoring for dual extortion markers, tracking ransomware infrastructure overlaps, and analyzing behavioral clustering on leak sites. Mitigation also involves responding to PR campaigns — the cartel’s outreach to journalists and public statements require tailored communications to avoid reputational damage and discourage ransoms.
Emerging best practices combine threat intelligence feeds, partnership with external experts, automated containment technologies, and employee training to counter social engineering and lateral movement. Ultimately, the industrialization of ransomware — and the cartel model pioneered by DragonForce — requires cybersecurity teams to recognize adversaries as collaborative organizations, not just isolated criminal actors.
Wrapping It Up
The rapid evolution of the ransomware ecosystem, epitomized by cartels like DragonForce, marks a turning point for defenders and organizations worldwide. In 2025, ransomware has matured from isolated criminal operations into sprawling, franchise-like networks — affiliates leverage shared infrastructure, advanced tools, and public extortion strategies that blur lines between cybercrime and legitimate tech business models. Cartel models not only drive innovation but also amplify complexity: attacks now feature multi-stage intrusion, targeted double or triple extortion, and highly coordinated media outreach, making detection and response more challenging than ever.
As a result, organizations face unprecedented unpredictability — fragmentation among groups, a surge in active leak sites, and shifting alliances create a world where traditional playbooks often fall short. Effective defense now requires a multi-pronged approach: robust threat intelligence sharing, layered security controls, precise crisis communications, and the flexibility to respond to rapid changes in adversary tactics. The rise of DragonForce and its peers serves as a stark signal that cybercrime’s future lies in collaboration, scalability, and relentless adaptation. Those who understand and anticipate these cartel-driven dynamics will be best positioned to safeguard critical assets and build lasting resilience.