DragonForce Escalates Cybercrime Turf War, Disrupts RansomHub and Rivals
A new report from Sophos reveals that the ransomware group DragonForce is waging a “turf war” against rival operators as it seeks to dominate the cybercrime marketplace. The group’s aggressive expansion—including a hostile takeover attempt—may have contributed to RansomHub’s infrastructure outage in late March 2025, leading to a notable drop in ransomware attacks in April.
DragonForce’s Cartel Model and Expansion
In March 2025, DragonForce rebranded as a ransomware cartel, adopting a RaaS (Ransomware-as-a-Service) syndicate model that allows affiliates to operate under their own brands while leveraging DragonForce’s infrastructure. The group introduced “RansomBay”, a white-label service enabling affiliates to rebrand its ransomware tools. In exchange, DragonForce takes a 20% cut of ransom payments, providing affiliates with technical support, leak-site hosting, and operational backing.
This model has already seen use in high-profile attacks, including those by Scattered Spider against UK retailers Marks & Spencer (M&S), the Co-operative Group, and Harrods in late April 2025.
Attacks on Competing RaaS Groups
Sophos researchers noted that DragonForce’s cartel announcement in March coincided with defacements of leak sites operated by rival groups BlackLock and Mamona, both of which were replaced with DragonForce’s logo. The move signals an aggressive push to undermine competitors and consolidate control over the ransomware ecosystem.
The disruption of RansomHub and the broader decline in ransomware activity suggest DragonForce’s tactics may be reshaping the cybercrime landscape—at least temporarily.
Source: https://www.infosecurity-magazine.com/news/dragonforce-turf-war-ransomware/
Morado cybersecurity rating report: https://www.rankiteo.com/company/morado-intelligence
{
  "id": "MOR1766630178",
  "linkid": "morado-intelligence",
  "type": "Cyber Attack",
  "date": "5/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Cybercrime',
                        'name': 'RansomHub',
                        'type': 'Ransomware-as-a-Service (RaaS) Operator'},
                       {'industry': 'Cybercrime',
                        'name': 'BlackLock',
                        'type': 'Ransomware-as-a-Service (RaaS) Operator'},
                       {'industry': 'Cybercrime',
                        'name': 'Mamona',
                        'type': 'Ransomware-as-a-Service (RaaS) Operator'},
                       {'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Marks and Spencer (M&S)',
                        'type': 'Retailer'},
                       {'industry': 'Retail',
                        'location': 'UK',
                        'name': 'The Co-operative Group',
                        'type': 'Retailer'},
                       {'industry': 'Retail',
                        'location': 'UK',
                        'name': 'Harrods',
                        'type': 'Retailer'}],
 'attack_vector': 'Ransomware-as-a-Service (RaaS), Affiliate Exploitation, '
                  'Leak Site Defacement',
 'date_detected': '2025-03',
 'date_publicly_disclosed': '2025-04',
 'description': "DragonForce is engaged in a 'turf war' with rival ransomware "
                'operators, including an attempted hostile takeover of '
                'RansomHub, leading to infrastructure outages and a decline in '
                'ransomware attacks in April 2025. The group rebranded as a '
                "'cartel' in March 2025 to expand its reach and launched "
                "'RansomBay,' a white-label ransomware service for affiliates. "
                'DragonForce also defaced leak sites of rival groups like '
                'BlackLock and Mamona.',
 'impact': {'brand_reputation_impact': 'Negative for affected RaaS groups '
                                       '(e.g., RansomHub, BlackLock, Mamona)',
            'downtime': 'Significant (RansomHub outage in late March 2025)',
            'operational_impact': 'Decline in ransomware attacks in April '
                                  '2025, Disruption of rival RaaS operations',
            'systems_affected': 'RansomHub infrastructure, BlackLock and '
                                'Mamona leak sites'},
 'investigation_status': 'Ongoing',
 'motivation': 'Dominance in cybercrime marketplace, Financial gain, Expansion '
               'of RaaS operations',
 'post_incident_analysis': {'root_causes': "DragonForce's expansion strategy, "
                                           'Competition in RaaS marketplace, '
                                           'Affiliate-driven attacks'},
 'references': [{'source': 'Sophos Research'}],
 'threat_actor': 'DragonForce',
 'title': "DragonForce's Turf War and Hostile Takeover of RansomHub",
 'type': 'Ransomware, Cyber Turf War, Infrastructure Disruption'}