DragonForce Ransomware Cartel Is Conti’s Dangerous Legacy


According to Infosecurity Magazine, the DragonForce ransomware operation has emerged using Conti’s leaked source code with cartel-like ambitions in the cybercrime world. The group retains Conti’s core encryption behavior and network-spreading capabilities while conducting coordinated attacks and recruiting affiliates through a shared platform. DragonForce has shifted from standard ransomware-as-a-service to a self-styled cartel structure that encourages branded variants, with groups like Devman already deploying ransomware compiled using DragonForce’s builder. The ransomware uses the same ChaCha20 and RSA encryption combination found in Conti, generating unique keys per file and appending 10-byte metadata blocks. Operators have threatened to delete decryptors and leak data on September 2 and September 22 during active campaigns targeting both local storage and network shares via SMB.


The Cartel Playbook

Here’s the thing about DragonForce’s evolution – they’re not just another ransomware group. They’re trying to build something bigger. By rebranding as a “cartel,” they’re essentially creating a franchise model where affiliates can use their tools and infrastructure while maintaining their own branding. Look at Devman – they started with Mamona ransomware, then shifted to DragonForce’s builder while keeping their own identity. Basically, DragonForce provides the engine while affiliates build the car bodies. And that’s smart business when you think about it. More brands under one umbrella means more attacks, more revenue, and ultimately more power in the ransomware ecosystem.

Playing Well With Others

What really makes DragonForce dangerous isn’t just their technology – it’s their partnerships. They’ve aligned with Scattered Spider, a group known for initial access operations tied to BlackCat, Ransomhub and Qilin. This is like the perfect criminal marriage: one group specializes in breaking in, the other specializes in locking everything up and demanding payment. Researchers attribute the Marks & Spencer incident to this cooperative activity shortly after DragonForce rebranded as a cartel. So they’re not just building their own operation – they’re forming strategic alliances that make the entire ecosystem more efficient and dangerous.

Bullying Their Way to the Top

DragonForce isn’t playing nice with competitors either. They’ve been pursuing aggressive dominance tactics, including defacing BlackLock’s leak site and attempting to take over Ransomhub’s servers. Think about that for a second – they’re not just competing, they’re actively trying to dismantle rival operations. This pressure may have forced some Ransomhub affiliates to migrate to rivals like Qilin and, you guessed it, DragonForce. It’s a classic mob tactic: eliminate the competition through intimidation, then absorb their business. Acronis put it perfectly – by rebranding as a cartel, DragonForce aimed to strengthen its influence and prove dominance by controlling rival infrastructure.

What Security Teams Should Do

So what can organizations actually do against this kind of threat? The advice remains consistent but crucial. Robust backup practices are your absolute first line of defense – if you can restore without paying, you’ve won. Restricting lateral movement through network segmentation is huge too, since DragonForce inherits Conti’s network-spreading capabilities. Monitoring for unusual access to shared resources can catch them early. And honestly? Consistent patching, endpoint protection, and user awareness training remain your bread and butter. These groups are financially motivated – they’ll always go for the easiest targets. Make your organization harder than the next one, and you significantly reduce your risk.
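One concrete way to act on the "monitor for unusual access to shared resources" advice is a fan-out detector: a single host that touches many distinct network shares in a short window looks nothing like a user opening a couple of folders and a lot like a Conti-style spreader enumerating SMB targets. The script below is an added illustration written for this article, not code from Infosecurity Magazine, Acronis or any of the groups discussed. The log lines are constructed for the example; their fields loosely follow a Windows Security event 5140 ("A network share object was accessed") but the pipe-separated layout, the IP addresses, user names, share names and the threshold of five distinct shares per two minutes are all assumptions to be tuned against real telemetry.

```python
"""Toy fan-out detector for network share access (added example, not the article's own code).

Constructed log format (one access per line, pipe-separated):
    timestamp|event_id|source_ip|user|share
The fields approximate Windows Security event 5140; the layout is an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 10.0.1.15 is an ordinary workstation touching two shares;
# 10.0.1.42 sweeps admin shares on many servers within a few seconds.
SAMPLE_LOG = """\
2025-09-01T09:00:01|5140|10.0.1.15|jdoe|\\\\FS01\\Finance
2025-09-01T09:00:05|5140|10.0.1.15|jdoe|\\\\FS01\\Shared
2025-09-01T09:12:10|5140|10.0.1.42|svc_backup|\\\\FS01\\C$
2025-09-01T09:12:11|5140|10.0.1.42|svc_backup|\\\\FS01\\ADMIN$
2025-09-01T09:12:12|5140|10.0.1.42|svc_backup|\\\\FS02\\C$
2025-09-01T09:12:13|5140|10.0.1.42|svc_backup|\\\\FS02\\ADMIN$
2025-09-01T09:12:14|5140|10.0.1.42|svc_backup|\\\\HR01\\C$
2025-09-01T09:12:15|5140|10.0.1.42|svc_backup|\\\\HR01\\Payroll
2025-09-01T09:12:16|5140|10.0.1.42|svc_backup|\\\\WS-22\\C$
2025-09-01T09:12:17|5140|10.0.1.42|svc_backup|\\\\WS-23\\C$
2025-09-01T09:40:00|5140|10.0.1.15|jdoe|\\\\FS01\\Finance
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event_id, src, user, share)."""
    ts, event_id, src, user, share = line.split("|", 4)
    return datetime.fromisoformat(ts), event_id, src, user, share


def detect_share_fanout(log_text, window=timedelta(seconds=120), max_distinct=5):
    """Flag sources that access more than `max_distinct` distinct shares inside any `window`.

    Returns a list of (source_ip, user, distinct_share_count, window_start) tuples,
    one per offending source, with the count updated as the sweep grows.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])          # process in time order

    recent = defaultdict(deque)              # src -> deque of (ts, share) inside the window
    alerts = {}                              # src -> alert tuple (one alert per source)

    for ts, event_id, src, user, share in events:
        if event_id != "5140":               # only share-access events matter here
            continue
        q = recent[src]
        q.append((ts, share))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) > max_distinct:
            alerts[src] = (src, user, len(distinct), q[0][0])
    return list(alerts.values())


def admin_share_ratio(log_text, src):
    """Fraction of a source's accesses that hit administrative shares (names ending in '$').

    A high ratio from a non-admin host is a second, cheap signal worth surfacing alongside fan-out.
    """
    hits = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    mine = [share for _, _, s, _, share in hits if s == src]
    if not mine:
        return 0.0
    return sum(1 for share in mine if share.endswith("$")) / len(mine)


if __name__ == "__main__":
    for src, user, count, start in detect_share_fanout(SAMPLE_LOG):
        print(f"ALERT {src} ({user}) touched {count} distinct shares from {start.isoformat()}; "
              f"admin-share ratio {admin_share_ratio(SAMPLE_LOG, src):.2f}")
```

Run against a real export of share-access events, the two knobs to tune are the window and the distinct-share threshold; backup and vulnerability-scanning hosts will legitimately exceed them and belong on an allow list, which is exactly why the constructed sweep above uses a `svc_backup` account. Segmentation makes this detection stronger, not weaker: the fewer shares a workstation can reach, the more any fan-out stands out.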
