DragonForce Ransomware Cartel Is Conti’s Dangerous Legacy


According to Infosecurity Magazine, the DragonForce ransomware operation has emerged using Conti’s leaked source code with cartel-like ambitions in the cybercrime ecosystem. The group retains Conti’s core encryption behavior and network-spreading capabilities while conducting coordinated attacks and recruiting affiliates through a shared platform. DragonForce has shifted from standard ransomware-as-a-service to a self-styled cartel structure that encourages affiliates to create branded variants, as seen with the Devman group deploying ransomware compiled with DragonForce’s builder. The ransomware uses the same ChaCha20 and RSA encryption combination found in Conti, generating unique keys per file and appending 10-byte metadata blocks. Operators have continued active campaigns, threatening to delete decryptors and leak data on September 2 and September 22 while encrypting both local storage and network shares via SMB.


The Cartel Playbook

Here’s the thing about DragonForce’s “cartel” rebrand: it’s not just marketing. It represents a real shift in how ransomware groups organize themselves. Instead of merely renting tools to affiliates, DragonForce is building an ecosystem in which several brands operate on shared infrastructure and tooling. Basically, it’s franchising for cybercrime. The Devman group’s move from Mamona to DragonForce shows how the model works in practice: test your branding on one platform, then move to a more established ecosystem when you’re ready to scale.

Building Dangerous Alliances

Now, the really concerning development is DragonForce’s alignment with Scattered Spider. This isn’t two random groups working together; it’s a strategic partnership that pairs DragonForce’s encryption tooling with Scattered Spider’s proven initial-access expertise. The Marks & Spencer incident shows how effective the combination can be. When specialists who can breach networks team up with a group that knows how to encrypt them efficiently, that’s a nightmare scenario for defenders.

The Rivalry Game

DragonForce isn’t only building alliances; it’s also going after competitors. Defacing BlackLock’s leak site and attempting to take over RansomHub’s servers is aggressive territory marking. This kind of inter-group conflict adds instability to the ransomware ecosystem, which might sound like good news but in practice makes things less predictable: when groups are fighting for dominance, they tend to launch more attacks to prove their capabilities. Some RansomHub affiliates apparently migrated to DragonForce after the pressure campaign, so the strategy is working.

What This Means for Defense

So where does this leave security teams? The cartel model means we’re likely to see more consistent attack patterns across the different “brands”, since they all run on the same underlying tools. The unchanged Conti-style routines actually work in defenders’ favor: we know what to look for. But the hidden configuration system that replaces visible command-line parameters will make detection trickier. The fundamentals still apply (robust backups, network segmentation, monitoring SMB access), but we need to assume these groups are getting more sophisticated in their coordination. The question isn’t whether another cartel will emerge, but when.
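The article’s defensive advice, “monitoring SMB access”, is easy to say and harder to operationalize. The script below is an added example (not from the article or from any vendor) of one concrete check: because the Conti-derived encryptor walks network shares over SMB and rewrites every file it reaches, a single workstation suddenly touching many shares on many servers, or producing a burst of remote writes, stands out against normal user behaviour. The log format, host names, share names and thresholds are all constructed for this example; real telemetry (Windows event 5140/5145, Sysmon, or a file-server audit log) would need its own parser, and thresholds must be tuned to the environment’s baseline.

```python
"""
Heuristic detector for ransomware-style SMB spread.

Flags a source host that, inside one time window, either touches an unusually
large number of distinct (server, share) pairs or issues an unusually large
number of writes to remote shares. Both patterns fit an encryptor working its
way through network shares over SMB, as the article describes.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables: assumed values for this example, not recommended production settings.
WINDOW = timedelta(minutes=5)
SHARE_FANOUT_THRESHOLD = 5    # distinct (server, share) pairs per source per window
REMOTE_WRITE_THRESHOLD = 100  # writes to remote shares per source per window
EPOCH = datetime(1970, 1, 1)  # origin for fixed-size window buckets


@dataclass(frozen=True)
class SmbEvent:
    ts: datetime
    src: str     # host that opened the SMB session
    server: str  # file server hosting the share
    share: str
    op: str      # "read", "write" or "connect"


def parse_line(line: str) -> SmbEvent:
    """Parse one constructed log line: '<iso-timestamp> <src> <server> <share> <op>'."""
    ts, src, server, share, op = line.split()
    return SmbEvent(datetime.fromisoformat(ts), src, server, share, op)


def detect(lines):
    """Return [(src_host, [reason, ...]), ...] for every host/window that trips a threshold."""
    shares = defaultdict(set)  # (src, window_id) -> {(server, share)}
    writes = defaultdict(int)  # (src, window_id) -> remote write count
    for line in lines:
        ev = parse_line(line)
        if ev.server == ev.src:
            continue  # local access is not share traffic; ignore it
        key = (ev.src, (ev.ts - EPOCH) // WINDOW)
        shares[key].add((ev.server, ev.share))
        if ev.op == "write":
            writes[key] += 1

    alerts = []
    for key in sorted(set(shares) | set(writes)):
        reasons = []
        if len(shares[key]) >= SHARE_FANOUT_THRESHOLD:
            reasons.append(f"share fan-out {len(shares[key])}")
        if writes[key] >= REMOTE_WRITE_THRESHOLD:
            reasons.append(f"remote writes {writes[key]}")
        if reasons:
            alerts.append((key[0], reasons))
    return alerts


def constructed_sample_log():
    """Constructed sample telemetry (not real data): one quiet workstation (WS-07)
    and one host (WS-42) behaving like an encryptor walking the network's shares."""
    lines = [
        "2025-09-01T09:00:03 WS-07 FS-01 Finance read",
        "2025-09-01T09:01:10 WS-07 FS-01 Finance write",
        "2025-09-01T09:02:45 WS-07 FS-02 HR read",
    ]
    base = datetime(2025, 9, 1, 9, 0, 0)
    targets = [("FS-01", "Finance"), ("FS-01", "Public"), ("FS-02", "HR"),
               ("FS-03", "Eng"), ("FS-03", "Backups"), ("FS-04", "Shared")]
    # 120 writes spread across six shares in four minutes, all inside one window.
    for i in range(120):
        server, share = targets[i % len(targets)]
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} WS-42 {server} {share} write")
    return lines


if __name__ == "__main__":
    for host, reasons in detect(constructed_sample_log()):
        print(f"ALERT {host}: {', '.join(reasons)}")
```

Run against the constructed log, only WS-42 is reported, for both reasons. The fixed-window bucketing is deliberately simple; a sliding window catches bursts that straddle a boundary, and in a real deployment the alert should be enriched with the account that authenticated the session, since the same pattern from a backup service account is expected while from a user workstation it is not.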
