A ransomware group known as DragonForce has introduced a new business model in the cybercrime world by offering ransomware as a service (RaaS) with a white-label affiliate scheme. This development allows other cybercriminal groups to use DragonForce's ransomware infrastructure and malware while conducting attacks under their own branding. The change is part of DragonForce’s evolution towards a distributed, cooperative "cartel" model, which it announced in an underground post in March 2025. DragonForce first surfaced in August 2023.

Under this model, affiliates do not need to manage the technical components typical of ransomware operations. DragonForce will handle critical elements such as malware development, the negotiation sites for ransom discussions, and data leak platforms, which are hosted on the dark web via Tor-based ".onion" domains. Cybersecurity researchers from Secureworks detailed that the offered package includes administration and client panels, encryption and ransom negotiation tools, file storage systems, and dedicated support services, all designed to simplify ransomware attacks for affiliates.

This approach mirrors trends seen in other criminal enterprises such as drug cartels, where cooperation and distribution networks facilitate broader reach and operational efficiency. It aligns with ongoing trends in ransomware operations where ease of access and reduced technical barriers are expanding the pool of actors able to carry out attacks.

Another ransomware group, Anubis, which began operations in December 2024, has similarly launched an affiliate programme. This scheme offers an 80% cut of ransom payments to participating affiliates, further indicating a move towards commercial-style partnerships in cybercrime.

The exact number of affiliates leveraging these schemes remains unclear; however, reports from Bleeping Computer confirm that at least one group, RansomBay, has joined DragonForce’s affiliate programme.

Secureworks commented on the development, stating, "Cybercriminals are motivated by financial gain, so they are adopting innovative models and aggressive pressure tactics to shift the trend in their favour."

The Tech Radar article noted the increasing democratization of ransomware, likening it to how artificial intelligence has broadened access to programming. By lowering the technical threshold and bearing operational complexity, ransomware-as-a-service schemes empower less technically skilled threat actors to target victims more effectively.

Security experts continue to recommend measures to mitigate ransomware risks, including regularly updating internet-facing devices, using phishing-resistant multi-factor authentication, maintaining reliable backups, and monitoring networks for suspicious activities. These practices remain crucial as ransomware operations become more accessible to a wider range of criminals.

Source: Noah Wire Services