- DragonForce is selling its ransomware as a service that affiliates can rebrand
- The group will handle malware development, leak sites and more
- RaaS democratizes malware, as if AI had not done enough damage
Inspired by drug gangs, the DragonForce ransomware group is bringing a new business model to the ransomware scene, one that involves cooperating with other ransomware gangs.
DragonForce has been observed offering a white-label affiliate model, allowing others to use its infrastructure and malware while branding attacks under their own name.
With this model, affiliates will not need to manage infrastructure, and DragonForce will be in charge of negotiation sites, malware development and data leak sites.
DragonForce evolves the ransomware scene with a new business model
“The announced features include administration and customer panels, encryption and ransom negotiation tools, a file storage system, a Tor-based leak site and .onion domain, and support services,” said Secureworks cyber security researchers.
Secureworks explained that, in an underground post in March 2025, DragonForce rebranded itself as a “cartel”, announcing a shift to a distributed model. DragonForce first appeared in August 2023.
Anubis, a much newer ransomware group that has been operating since December 2024, has also launched its own affiliate scheme, including a traditional ransomware-as-a-service product that nets affiliates 80% of their ransoms.
Just as artificial intelligence has already democratized access to coding, these models are further expanding access to ransomware, which means that less technical threat actors can target victims. Flexibility and reduced operational overhead are also key selling points.
However, the exact number of affiliates who use these schemes is practically impossible to track. BleepingComputer has reported that RansomBay has already joined the DragonForce scheme.
“Cybercriminals are motivated by financial gain, so they are adopting aggressive pressure and tactical models to change the trend in their favor,” Secureworks added.
The usual principles apply when it comes to protecting against any type of ransomware: regularly patching internet-facing devices, implementing phishing-resistant multifactor authentication (MFA), maintaining robust backups and monitoring networks for malicious activity are all important steps to follow.