DragonForce Ransomware Cartel Emerges as a Major Threat with Mafia-Style Tactics
Since its launch in 2023, the DragonForce ransomware-as-a-service (RaaS) operation has rapidly evolved into a sophisticated cartel, adopting organized crime tactics to dominate the ransomware ecosystem. The group offers affiliates a full suite of tools, including customizable encryption models for Windows, Linux, and ESXi systems, with features like delayed execution, multithreading for faster attacks, and SMB port scanning to identify targets. Analysis by LevelBlue reveals that DragonForce’s code shares striking similarities with the leaked Conti ransomware source code, including the ability to delete shadow copies and optimize encryption speeds.
Beyond technical capabilities, DragonForce has embraced a cartel-style business model, encouraging cooperation among ransomware gangs to standardize tactics, eliminate competition, and maximize profits. The group provides members with petabytes of storage, 24/7 server monitoring, decryption services, and even "dry run" attack simulations along with a "Company Data Audit" service to assess stolen data’s value and craft tailored extortion strategies. To attract affiliates, DragonForce has eliminated vetting and deposit requirements, streamlining onboarding through an automated registration system.
The cartel’s aggressive expansion has included harassment of rival groups, such as defacing BlackLock’s leak site and attempting to mislead RansomHub affiliates into believing they had joined the cartel, a move that prompted public accusations of collaboration with Russia’s FSB intelligence service. DragonForce’s victimology targets manufacturing, technology, business services, and construction sectors, with a focus on organizations in the U.S., UK, Italy, Germany, and Australia. As of July 2025, the group had claimed at least 250 victims via its data leak site, positioning itself as a major player in the ransomware landscape.
By fostering a unified front among cybercriminals, DragonForce exemplifies a troubling shift toward intelligence-driven extortion, where threat actors adopt consulting-like strategies to refine negotiations and increase ransom payouts. The cartel’s rise underscores the growing challenge for defenders, as shared tactics and pooled resources make these groups harder to counter.
Source: https://www.darkreading.com/cyber-risk/ransomware-gang-full-godfather-cartel
Flashpoint cybersecurity rating report: https://www.rankiteo.com/company/flashpoint-intel
"id": "FLA1770252228",
"linkid": "flashpoint-intel",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Manufacturing',
'Technology',
'Business Services',
'Construction'],
'location': ['U.S.',
'UK',
'Italy',
'Germany',
'Australia'],
'type': 'Organization'}],
'attack_vector': 'Ransomware-as-a-Service (RaaS)',
'data_breach': {'data_encryption': True, 'data_exfiltration': True},
'date_publicly_disclosed': '2023',
'impact': {'data_compromised': True,
'systems_affected': ['Windows', 'Linux', 'ESXi']},
'motivation': ['Financial gain', 'Extortion', 'Elimination of competition'],
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'DragonForce'},
'references': [{'source': 'LevelBlue'}],
'threat_actor': 'DragonForce Ransomware Cartel',
'title': 'DragonForce Ransomware Cartel Emerges as a Major Threat with '
'Mafia-Style Tactics',
'type': 'Ransomware'}