Ransomware Ecosystem Fragmentation and the Emergence of DragonForce
Threat intelligence reporting describes DragonForce as a rapidly evolving ransomware operation that brands itself as a “cartel” and runs an affiliate service called Ransombay, offering customizable payload options and reportedly advertising an 80% revenue split to attract pentesters and initial access brokers. Researchers assess DragonForce’s tooling as heavily derived from LockBit 3.0 and Conti, and report signs of consolidation behavior, including infrastructure/code overlap with groups such as BlackLock, RansomHub, and LockBit; one cited incident involved DragonForce abusing a rival’s misconfiguration and a Local File Inclusion (LFI) weakness to obtain information including credentials, followed by defacement of the rival’s leak site.
Separate industry reporting indicates ransomware victimization continued to rise sharply in 2025, with GuidePoint Security tracking a 58% year-over-year increase and 7,515 claimed victims across leak sites, alongside a more fragmented landscape (124 named groups, up 46% from 2024). The same reporting highlights concentration of victimization in the United States (55%) and heavy targeting of manufacturing, with healthcare also significantly impacted (500+ victims) and Qilin described as the most prolific RaaS group in 2025 with disproportionate healthcare targeting—context that aligns with the broader trend of many smaller, high-volume groups rather than a few dominant actors.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
S2W publishes technical analysis of DragonForce
S2W released research describing DragonForce as a rapidly growing cartel-style ransomware operation tied to LockBit, Conti, BlackLock, and RansomHub, and said it recovered a decryptor for a specific victim due to a hardcoded RSA private key.
DragonForce accesses and defaces BlackLock infrastructure
S2W linked DragonForce to an incident in which the group exploited a misconfiguration and a local file inclusion flaw to gain access to BlackLock infrastructure and deface its leak site.
GuidePoint publishes 2025 ransomware trends report
On publication of the report, GuidePoint assessed that law-enforcement actions had fragmented the ransomware ecosystem into many smaller groups, with the United States and manufacturing remaining the most targeted and healthcare suffering more than 500 victims.
December 2025 reaches 814 claimed ransomware victims
GuidePoint said December 2025 peaked at 814 claimed ransomware victims, up 42% year over year, making it the most active month highlighted in the report.
Q4 2025 records 2,287 ransomware victims
GuidePoint reported that the fourth quarter of 2025 alone saw 2,287 unique claimed ransomware victims, underscoring accelerating activity late in the year.
Ransomware victim claims rise sharply across 2025
GuidePoint Security's GRIT tracked 7,515 claimed ransomware victims in 2025, a 58% year-over-year increase and the highest annual total the firm has recorded.
Law enforcement disrupts LockBit, but the group later resurges
GuidePoint reported that LockBit experienced a disruption in 2024 and later re-emerged, illustrating that major law-enforcement pressure did not end overall ransomware activity.
DragonForce ransomware first detected
Researchers said the DragonForce ransomware group was first observed in late 2023, marking the emergence of a new extortion operation later described as a cartel-style service.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
DragonForce Ransomware Expands RaaS Operations With Dual-Extortion and a “Cartel” Affiliate Model
**DragonForce**, a ransomware-as-a-service (RaaS) operation that emerged in 2023, has been linked to a growing set of intrusions targeting “critical business” environments across multiple industries, with a focus on **manufacturing, business services, technology, and construction**. Reporting attributes the group with **dual-extortion** tactics—stealing data prior to encryption and then threatening publication on a **data leak site (DLS)** to increase pressure on victims. Researchers also describe DragonForce as operationally adaptable, including changes in how it hosts and organizes leaked victim data. LevelBlue analysis cited in reporting indicates DragonForce has evolved its business approach beyond a typical affiliate program into a **“cartel” model**, allowing member groups to operate under their own brands while leveraging shared DragonForce infrastructure and services. Described offerings to affiliates include large-scale storage, continuous server monitoring, support services around file analysis/decryption, and assistance with test attacks; LevelBlue also highlighted an “**Company Data Audit**” service intended to help affiliates value stolen data and shape negotiation pressure (including prepared communications such as scripts and executive-facing letters). The group’s tooling is described as **multi-platform**, with the ability to target **Windows, Linux, ESXi, BSD, and NAS** systems and to use different encryption modes (e.g., full, header, partial), increasing potential impact across enterprise and virtualized environments.
Mar 21, 2026
DragonForce Ransomware Operations and High-Profile Breaches
DragonForce, a ransomware group that has evolved into a self-described "ransomware cartel," has intensified its global operations, targeting organizations with advanced tactics and forming alliances with other cybercriminal collectives. Security researchers have detailed how DragonForce leverages vulnerable drivers such as `truesight.sys` and `rentdrv2.sys` to disable security software and has improved its encryption methods to address previously exploited vulnerabilities. The group, which began by using the LockBit 3.0 builder and later adopted a modified Conti v3 source code, now operates a ransomware-as-a-service (RaaS) model, offering affiliates a significant share of profits and customizable tools to attract new participants. Notably, DragonForce has collaborated with groups like Scattered Spider and has been linked to the compromise of major organizations, including a high-profile breach of Marks & Spencer. Recently, DragonForce claimed responsibility for a significant breach at Mobilelink USA, a major dealer for Cricket Wireless, exfiltrating 5.04 TB of data and threatening to leak sensitive information, including personally identifiable and financial data of millions of customers across 21 states. The group has also reportedly allied with other ransomware gangs such as Qilin and LockBit, and has taken over operations or leak sites from other ransomware groups like RansomHub, BlackLock, and Mamona. In 2025 alone, DragonForce has impacted at least 185 organizations, with most attacks occurring in the last six months, underscoring the growing threat posed by this increasingly organized and aggressive ransomware operation.
Mar 21, 2026
Ransomware Surge and Ecosystem Fragmentation in 2025
Ransomware attacks in 2025 have escalated both in volume and sophistication, with a 34%-50% increase in incidents compared to the previous year and over 4,700 confirmed attacks globally between January and September. The ransomware ecosystem has become highly fragmented following law enforcement actions against major groups like LockBit and ALPHV/BlackCat, resulting in the emergence of 45 new groups and a record 85 active extortion operations. Attackers have adopted advanced tactics such as double and triple extortion, AI-driven phishing, and exploitation of cloud and operational technology, with critical infrastructure sectors—manufacturing, healthcare, energy, transportation, and finance—bearing the brunt of these attacks. Despite the surge in attacks, ransom payment rates have dropped to historic lows, forcing threat actors to adapt their business models and extortion strategies. The operational landscape has also been shaped by shifting alliances and rebranding efforts among ransomware groups. Notably, the alleged alliance between Qilin, DragonForce, and LockBit has not led to a consolidation of power but rather continued the trend of ecosystem fragmentation. Analysis of data leak site activity post-alliance announcement shows no significant operational recovery for LockBit, despite renewed branding and the release of a new malware version. These developments underscore the resilience and adaptability of ransomware actors, as well as the ongoing challenges faced by defenders in tracking and mitigating the impact of increasingly decentralized and sophisticated ransomware operations.
May 11, 2026