Tuesday, May 13, 2025

DragonForce and Anubis Ransomware Gangs Launch New Affiliate Programs


Secureworks Counter Threat Unit (CTU) researchers have uncovered innovative strategies deployed by the DragonForce and Anubis ransomware operators in 2025.

These groups are adapting to law enforcement pressures with novel affiliate models designed to maximize profits and expand their reach, showcasing the resilience and ingenuity of modern cybercriminals in underground forums.

DragonForce Pioneers a Distributed Affiliate Branding Model

DragonForce, first identified in August 2023 as a conventional ransomware-as-a-service (RaaS) operation, had undergone a significant transformation by March 2025.


Initially gaining traction after advertising on dark web forums in February 2024, the group amassed a victim count of 136 on its leak site as of March 24, 2025.

In a bold move announced on March 19 via an underground post, DragonForce rebranded itself as a “cartel” and shifted to a distributed model.

This new approach allows affiliates to establish their own unique “brands” while leveraging DragonForce’s robust infrastructure, including administration panels, encryption tools, ransom negotiation systems, Tor-based leak sites, and support services.

Unlike traditional RaaS schemes, affiliates are not mandated to use DragonForce’s ransomware, offering unprecedented flexibility.

This model lowers the technical barriers for less-skilled threat actors while appealing to sophisticated operators who prefer to deploy custom malware without building their own backend.

However, this shared infrastructure introduces a potential vulnerability: if one affiliate is compromised, it could expose operational details of others, posing risks to the entire network.

This strategic pivot is poised to broaden DragonForce’s affiliate base, potentially amplifying its financial gains while challenging defenders with a more diverse threat landscape.

Anubis Introduces Multi-Mode Extortion Tactics

Simultaneously, the Anubis ransomware group, advertised since late February 2025 on underground platforms, has rolled out a distinctive extortion framework with three affiliate options tailored to varying skill levels and operational focuses.

According to the Secureworks report, the first is a traditional RaaS model with file encryption, offering affiliates an 80% ransom share.

The second, a “data ransom” mode, focuses solely on data theft and provides a 60% cut. In this mode, detailed “investigative articles” on compromised data are published to a password-protected Tor site, pressuring victims through public leak threats and notifications to customers via an X (formerly Twitter) account.

Uniquely, Anubis escalates by threatening to report breaches to regulatory bodies like the UK’s ICO, the US HHS, and the European EDPB, an aggressive tactic echoing past actions by groups like GOLD BLAZER in 2023 with the SEC.

The third option, “accesses monetization,” assists affiliates in extorting already compromised victims with detailed data analyses for negotiation leverage, offering a 50% ransom share.

Advertisement for Anubis “accesses monetization” service.

Notably, Anubis excludes targets in post-Soviet states, BRICS nations, and sectors like education and government, but leaves healthcare organizations exposed, likely due to their sensitive data and compliance pressures.

This multi-tiered model diversifies Anubis’s appeal, drawing in a spectrum of cybercriminals while intensifying victim coercion through regulatory threats.

These developments underscore the relentless adaptability of ransomware operators, as DragonForce and Anubis refine their business models to evade disruption and maximize impact.

Cybersecurity professionals must anticipate these evolving tactics by enhancing detection, incident response, and international cooperation to counter the growing sophistication of such threats.


Aman Mishra