According to Infosecurity Magazine, the DragonForce ransomware operation has built itself on Conti’s leaked source code and now carries cartel-like ambitions in the cybercrime world. The group keeps Conti’s core encryption behavior and network-spreading capability while running coordinated attacks and recruiting affiliates through a shared platform. DragonForce has moved from a standard ransomware-as-a-service model to a cartel structure that encourages branded variants; recent samples show groups such as Devman deploying ransomware compiled with DragonForce’s builder. Acronis researchers confirmed that DragonForce uses the same ChaCha20 and RSA combination as Conti, generating a unique key per file and appending a 10-byte metadata block to each encrypted file. That is the usual hybrid arrangement: the fast symmetric cipher does the bulk work, and the per-file key is protected with the operators’ RSA public key, so recovering one file’s key does not unlock the rest. The operators have threatened to delete decryptors and leak data on September 2 and September 22, and their payload encrypts both local storage and network shares reached over SMB with the Conti-style routines essentially unchanged.
The Cartel Model Changes Everything
Here’s the thing about DragonForce calling itself a cartel – it’s not just branding. It marks a real shift in how ransomware groups organize. Instead of renting their tooling to anyone who pays, they’re building an ecosystem in which affiliates can ship their own branded variants while still operating under the DragonForce umbrella. Basically, it’s franchising for cybercrime. The Devman group’s move from Mamona-based ransomware to DragonForce-built strains shows the model in practice: they tested the waters with one platform, then switched to DragonForce for better tooling and infrastructure. That creates stickiness – once an affiliate’s builds, leak-site presence and payment handling all run through the cartel, leaving gets expensive.
Dangerous Partnerships Forming
Now, the really concerning development is DragonForce’s alignment with Scattered Spider, the group known for initial-access operations previously tied to BlackCat, Ransomhub and Qilin. Combine DragonForce’s encryption capabilities with Scattered Spider’s track record of talking and phishing its way into networks and you have a serious threat. The Marks & Spencer incident in the UK appears to be their handiwork, and it landed right after DragonForce rebranded as a cartel. This partnership model lets each side specialize – one group gets in, the other locks everything down. For defenders that means two distinct tradecraft sets to watch for: the identity and social-engineering intrusion at the front, and the Conti-style mass encryption at the back.
Aggressive Dominance Tactics
DragonForce isn’t playing nice with competitors either. They’ve defaced BlackLock’s leak site and attempted takeovers of Ransomhub’s servers – openly hostile behavior even by cybercrime standards. The pressure might be working too: some Ransomhub affiliates appear to be migrating to rivals, DragonForce among them. When ransomware groups fight over territory and affiliates it creates chaos in the criminal ecosystem, but it also shows how much more deliberate they’ve become about business operations. They’re not just techies writing malware anymore – they’re running criminal enterprises with market strategies.
The Defense Reality Check
So what does this mean for organizations trying to defend themselves? The standard advice still applies – robust backups, network segmentation, and monitoring for unusual access. A few specifics follow directly from what these operators do. Because the encryptor walks every share it can reach over SMB, backups only count if the encryptor cannot reach them: keep copies offline or immutable, and restrict SMB between workstations and to anything not explicitly a file server. Because the payload rewrites many files in a short time, a host suddenly writing or renaming large numbers of files on a share is one of the more reliable detection signals available. And because Scattered Spider gets in through people rather than exploits, user awareness training has to extend to the help desk: verify identity before resetting passwords or re-enrolling MFA, and prefer phishing-resistant MFA where you can. But here’s the uncomfortable truth: these groups are evolving faster than many companies can keep up with. When coordinated teams share infrastructure and tooling, your security team is effectively fighting a well-funded organization. Consistent patching and endpoint protection still matter, but they are table stakes. The bottom line? DragonForce represents the next evolution of ransomware – more organized, more aggressive, and more business-savvy than ever before.
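The burst-of-modifications signal described above, worked through as an added example. This is illustrative detection code written for this article, not anything from DragonForce, Conti, or the researchers cited; the audit-log format, client addresses, share names, the `.locked` suffix and the thresholds are all assumptions, and every log line is constructed. It flags any client that writes or renames at least `threshold` distinct files on one share inside a sliding `window_seconds` window, which is what a Conti-derived encryptor walking a share looks like to a file server.

```python
"""Sliding-window detector for ransomware-style mass file modification on SMB shares.

Illustrative code added for this article (not DragonForce or Conti code).
Assumed audit-log format, one event per line:
    <ISO-8601 timestamp> <client IP> <share> <operation> <relative path>
Operations: READ, WRITE, RENAME, DELETE.  Paths in the samples contain no spaces.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    client: str
    share: str
    op: str
    path: str


@dataclass(frozen=True)
class Alert:
    client: str
    share: str
    start: datetime
    end: datetime
    distinct_files: int


# Constructed benign traffic: one user editing two documents over ten minutes.
BENIGN_LINES = [
    "2024-09-01T10:00:01Z 10.0.0.5 \\\\FS01\\Finance READ Q3\\budget.xlsx",
    "2024-09-01T10:00:12Z 10.0.0.5 \\\\FS01\\Finance WRITE Q3\\budget.xlsx",
    "2024-09-01T10:03:40Z 10.0.0.5 \\\\FS01\\Finance WRITE Q3\\notes.docx",
    "2024-09-01T10:09:05Z 10.0.0.5 \\\\FS01\\Finance WRITE Q3\\budget.xlsx",
]

# Constructed encryptor burst: one client rewrites 30 distinct files and renames
# each one within 30 seconds.  ".locked" is a placeholder suffix, not DragonForce's.
ATTACK_LINES = []
for _i in range(30):
    _ts = f"2024-09-01T10:15:{_i:02d}Z"
    ATTACK_LINES.append(f"{_ts} 10.0.0.77 \\\\FS01\\Finance WRITE Q3\\report{_i:02d}.docx")
    ATTACK_LINES.append(f"{_ts} 10.0.0.77 \\\\FS01\\Finance RENAME Q3\\report{_i:02d}.docx.locked")

MODIFYING_OPS = {"WRITE", "RENAME"}


def parse_line(line: str) -> Event:
    """Parse one audit-log line in the assumed format into an Event."""
    ts, client, share, op, path = line.split(maxsplit=4)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), client, share, op, path)


def parse_lines(lines) -> list:
    return [parse_line(line) for line in lines]


def detect_bursts(events, window_seconds: int = 60, threshold: int = 20) -> list:
    """Return one Alert per (client, share) whose distinct written/renamed paths
    reach `threshold` inside any `window_seconds` sliding window."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):  # stable sort keeps log order on ties
        if ev.op in MODIFYING_OPS:
            by_key[(ev.client, ev.share)].append(ev)

    alerts = []
    for (client, share), evs in by_key.items():
        recent = deque()        # events currently inside the window, oldest first
        counts = {}             # path -> occurrences inside the window
        for ev in evs:
            recent.append(ev)
            counts[ev.path] = counts.get(ev.path, 0) + 1
            # Evict events older than the window relative to the newest event.
            while ev.ts - recent[0].ts > window:
                old = recent.popleft()
                counts[old.path] -= 1
                if counts[old.path] == 0:
                    del counts[old.path]
            if len(counts) >= threshold:
                alerts.append(Alert(client, share, recent[0].ts, ev.ts, len(counts)))
                break  # one alert per client/share is enough to trigger response
    return alerts


def run_demo() -> list:
    """Run the detector over the constructed benign plus attack traffic."""
    return detect_bursts(parse_lines(BENIGN_LINES + ATTACK_LINES))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert.client} on {alert.share}: {alert.distinct_files} distinct files "
              f"modified between {alert.start.time()} and {alert.end.time()}")
```

Real SMB telemetry (Windows object-access auditing, Samba full_audit, or a NAS vendor's own log) will need its own parser, and the threshold should be tuned per share against a baseline, but the shape of the rule does not change: distinct paths per client per window, counting only operations that alter content or names. A variant worth adding in production is to also require that the new file names converge on a single extension the share has never seen before, which cuts false positives from legitimate bulk copies.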
