April 26, 2025 By Ionut Ilascu
The ransomware scene is re-organizing, with one gang known as DragonForce working to gather other operations under a cartel-like structure.
DragonForce is now incentivizing ransomware actors with a distributed affiliate branding model, providing other ransomware-as-a-service (RaaS) operations a means to carry out their business without dealing with infrastructure maintenance cost and effort.
A group's representative told BleepingComputer that they’re purely financially motivated but also follow a moral compass and are against attacking certain healthcare organizations.
Typically, a RaaS operation has its own affiliates or partners, and the ransomware developer provides the file-encrypting malware and the infrastructure.
Affiliates would build a variant of the encrypting package, breach victim networks, and deploy the ransomware. They would also manage the decryption keys and usually negotiate with the victim for a ransom payment.
The developer also maintains a so-called data leak site (DLS) where they publish information stolen from victims who did not pay the attacker.
In exchange for using their malware and infrastructure, the developer charges affiliates a fee from received ransoms that is normally up to 30%.