DragonForce Competes for Ransomware Supremacy

DragonForce is engaged in a significant “turf war” with competing ransomware groups as it aims to establish its supremacy in the cybercrime landscape, as delineated by recent findings from cybersecurity researchers. This engagement highlights the complexities and escalating competition within the ransomware ecosystem.

In a notable incident, DragonForce is believed to have caused a substantial outage to RansomHub’s infrastructure in late March 2025, resulting in a remarkable decline in ransomware attacks throughout April. This incident may signify DragonForce’s strategic move to exert control over the ransomware market.

The researchers further noted that DragonForce’s campaigns against rival ransomware-as-a-service (RaaS) operators intensified following its rebranding as a “cartel” in March 2025. This shift was aimed at broadening its operational scope and influence.

DragonForce’s Revamped Cartel Model

This newly adopted cartel model offers affiliates the opportunity to utilize DragonForce’s infrastructure and ransomware tools while maintaining their own branding. In early 2025, DragonForce initiated “RansomBay,” a white-label service allowing affiliates to reconfigure the ransomware under different labels. Under this model, affiliates are obligated to remit 20% of any successful ransom to DragonForce while retaining the remainder. DragonForce is responsible for maintaining the underlying infrastructure, providing technical support, and hosting leak sites.

Reports indicate that DragonForce’s resources were leveraged by the Scattered Spider group to target major UK retailers, including Marks and Spencer, Co-operative Group, and Harrods, in late April.

Attacks on Rival RaaS Operators

Findings from researchers reveal that the cartel’s announcement aligned with the defacement of leak sites belonging to the BlackLock and Mamona ransomware groups, displaying DragonForce’s insignia prominently.

In the aftermath of these attacks, evidence emerged of a fierce conflict developing between DragonForce and RansomHub. Initially, signals indicated potential collaboration, as a post appeared on RansomHub’s leak site welcoming DragonForce into the cartel fold.

However, a subsequent DragonForce communication alluded to a collaboration with RansomHub, indicating that the latter was shifting operations to DragonForce’s infrastructure. Contrarily, a follow-up message indicated that RansomHub had not endorsed DragonForce’s proposal, expressed by the note, “RansomHub hope you are doing well, consider our offer! We are waiting for everyone in our ranks.”

Shortly thereafter, RansomHub’s leak site unexpectedly went offline, displaying a tribute message, which suggested a significant operational disruption. Researchers noted that this relationship seemed less like cooperation and more akin to a hostile acquisition by DragonForce.

In retaliation, a known RansomHub actor reportedly defaced the DragonForce homepage, conveying a veiled accusation of betrayal and possible collusion with law enforcement.

Impact of Internal Warfare on Threat Landscape

The ongoing strife between DragonForce and its competitors illustrates an effort to attain dominance within the ransomware arena, inspired by the successful operational frameworks of established RaaS entities like LockBit. In the wake of several high-profile law enforcement initiatives that have disrupted notorious ransomware groups, the ecosystem has become increasingly fragmented, with many groups vying for prominence.

Experts emphasize that while internal conflicts among these ransomware groups can disrupt their operations, they do not mitigate the overall risk faced by organizations. On the contrary, increased competition may precipitate more erratic and opportunistic attacks as groups escalate their efforts to assert dominance and capitalize on stolen data in innovative ways.

Organizations are advised to reassess their incident response protocols, threat intelligence frameworks, and third-party risk management strategies to maintain resilience in an environment characterized by pronounced volatility and escalating threats.