New observations printed by Secureworks’ Counter Risk Unit (CTU) have discovered that legislation enforcement exercise has compelled ransomware teams to shift away from the standard affiliate mannequin, notably utilized by the notorious LockBit gang.
The CTU noticed DragonForce and Anubis ransomware operators introducing novel fashions to draw associates and improve earnings.
DragonForce’s Distributed Mannequin
DragonForce, which emerged in August 2023 as a ransomware-as-a-service (RaaS) scheme, has not too long ago rebranded itself as a “cartel.”
In keeping with Securework’s CTU, an underground publish by the group on March 19, 2025, DragonForce introduced its shift to a distributed mannequin that permits associates to create their very own “manufacturers”.
“Because the ransomware ecosystem continues to flex and adapt we’re seeing wider experimentation with totally different working fashions,” Rafe Pilling, Director of Risk Intelligence, Counter Risk Unit, Secureworks, a Sophos firm, stated.
Within the new distributed mannequin, DragonForce gives its infrastructure and instruments however doesn’t require associates to deploy its ransomware.
Marketed options embody administration and shopper panels, encryption and ransom negotiation instruments, a file storage system, a Tor-based leak website and .onion area, and assist companies.
This might be interesting to associates with restricted technical information.
By broadening its affiliate base, DragonForce can improve its potential for monetary achieve, the Secureworks CTU commented. Nonetheless, the shared infrastructure does introduce threat to DragonForce and its associates. If one affiliate is compromised, different associates’ operational and sufferer particulars might be uncovered as effectively, the agency added.
Anubis’ A number of Choices
In the meantime, Anubis, an extortion scheme first marketed on underground boards in late February 2025, presents three fashions to its associates.
- RaaS – a standard method that entails file encryption and presents associates 80% of the ransom
- Information ransom – an information theft-only extortion choice wherein associates obtain 60% of the ransom
- Accesses monetization – a service that helps risk actors extort victims they’ve already compromised and presents associates 50% of the ransom
The “knowledge ransom” choice entails publishing an in depth “investigative article” to a password-protected Tor web site, the CTU staff defined. The article incorporates an evaluation of the sufferer’s delicate knowledge which is shipped to the sufferer alongside a hyperlink to barter cost.
If the sufferer doesn’t pay the ransom, the risk actors threaten to publish the article on the Anubis leak website.
The operators improve strain by publishing sufferer names through an X (previously Twitter) account. The risk actors declare they will even notify the victims’ prospects in regards to the compromise.
This tactic has been utilized by different ransomware teams, however Anubis goes a step additional by threatening to report victims to the authorities, together with the UK’s Data Commissioners Workplace, the US Division of Well being and Human Companies or the European Information Safety Board.
Just one different group seems to have used this tactic.
In November 2023, BlackCat/ALPHV reported considered one of its victims to the US Securities and Change Fee (SEC), in a bid to strain cost.
Pilling commented, “LockBit had mastered the affiliate scheme however within the wake of the enforcement motion in opposition to them it isn’t stunning to see new schemes and strategies being tried and examined. These two examples shine a light-weight on a few of how that is taking form within the ecosystem. Understanding how these teams are working, tooling and monetizing is essential in deploying the precise defenses to safe individuals and companies.”
CTU researchers suggest that organizations repeatedly patch internet-facing units, implement phishing-resistant multi-factor authentication (MFA) as a part of a conditional entry coverage, keep strong backups, and monitor their community and endpoints for malicious exercise.
