Ransomware groups test new business models to hit more victims, increase profits

April 30, 2025

The ransomware industry is currently in a state of severe flux. As law enforcement has taken a more proactive role in shutting ransomware operations down and security personnel have improved their ability to decrypt ransomware without payment, ransom payments have declined significantly in the last year. This has necessarily forced adaptation on the part of the remaining ransomware groups, and researchers are beginning to see new business innovations coming from some of them. According to a report from Secureworks, the DragonForce group, originally established as a ransomware-as-a-service (RaaS) provider in August 2023, has begun a significant rebranding effort, referring to itself as the DragonForce Ransomware Cartel.

The ransomware cartel model moves away from the older form of affiliate branding, where affiliates used the specific ransomware provided by their patron in exchange for part of the proceeds. According to the new model put forth by DragonForce, affiliates are given the tools and infrastructure to develop their own ransomware programs, under their own programming, to use at their own discretion. What is provided by the cartel includes administration and client panels, encryption and ransom negotiation tools, a file storage system, a Tor-based leak site, and support services. This model offers significant improvements to DragonForce in particular. By avoiding being associated with ransomware attacks through differences in branding, they are less likely to draw the ire of law enforcement. By giving more flexibility to their affiliates, they also significantly broaden their potential customer base, drawing in experienced threat actors who may simply want to offload some of the work involved in maintaining a ransomware operation. However, the shared infrastructure also presents a potential risk: if one affiliate becomes compromised, operational details from other affiliates may also be exposed.

Another ransomware group, Anubis, has altered its affiliate model in a different way. Following the trend of other RaaS models abandoning encryption to focus on data extortion, Anubis is offering new affiliate options that eschew encryption altogether. Interestingly, the new options give Anubis an increased share of the ransom. Affiliates can choose between traditional RaaS, which gives affiliates 80%; an extortion-only option, which gives affiliates 60%; or a new access monetization service, which helps threat actors extort victims they've already compromised in exchange for a full 50% of the ransom. Notably, the extortion provided by this package includes reporting data insecurity and confidential data to official law enforcement bodies, such as the UK Information Commissioner's Office, the US Department of Health and Human Services, and the EU European Data Protection Board. These two examples are both at the forefront of changes in the ransomware space, and we can expect more threat actors to follow suit in the coming year.
