DragonForce Launches White Label Ransomware for Cybercriminals

Written by Adrian León | Apr 28, 2025 10:50:57 PM

The ransomware scene is undergoing a profound transformation. DragonForce, a well-known cybercriminal gang, is leading a movement to bring together different ransomware operations under an organized cartel-style structure. To achieve this, they have launched a white label model that allows other groups to operate as affiliates, providing them with all the infrastructure necessary to execute attacks without taking on the costs and complexity of maintaining their own systems. Although their motivations are clearly financial, they claim to follow certain ethical principles, such as avoiding attacking healthcare organizations.

This strategic shift not only makes it easier for more players to join the ransomware business without advanced technical expertise, but also exponentially increases the volume and sophistication of attacks. Understanding this evolution is key to anticipating risks, strengthening defenses and preparing for a threat that is becoming increasingly accessible and dangerous.

In a typical ransomware-as-a-service (RaaS) operation, things work something like this: the group developing the ransomware creates the malware that encrypts the files and takes care of all the technical infrastructure. The affiliates, who act as its partners, take that package, customize it if they want, infiltrate the victims' networks and launch the attacks. They are also the ones who handle the decryption keys and negotiate directly with the victims to collect the ransom.

The developer is also often in charge of something known as a “data leak site” (DLS), where they publish the stolen information of victims who refuse to pay. All this is not free, of course: in exchange for using the malware and the entire platform, affiliates have to hand over a portion of the ransom they manage to collect. Typically, the developer gets around 30%.

 

DragonForce’s Ransomware Business

 

DragonForce decided to take their operation to the next level and now refer to themselves as a "ransomware cartel." Under this new model, they keep 20% of every ransom that is successfully collected.

What do they offer in return? Affiliates are given access to everything they need: tools to negotiate with victims, secure space to store stolen data, and full malware management. Additionally, affiliates are allowed to use the well-known DragonForce encryptor, but with customized branding for each affiliate.

This "new direction" was announced in March, inviting interested parties to create their own brand within an infrastructure that has already been proven in the field. According to their explanation, their goal is to manage an unlimited number of different brands, capable of targeting a wide range of systems: from ESXi servers and NAS devices to BSD and Windows systems.

 

DragonForce Announces a RaaS Model Similar to SaaS (Source: Secureworks)

 

How DragonForce’s Ransomware "Marketplace" Works

 

DragonForce explained that their structure operates like an open marketplace: affiliates can choose to launch attacks under the DragonForce name or, if they prefer, build their own fully customized brand.

In short, cybercriminal groups can use DragonForce’s tools and services while presenting it all as their own creation. In return, they avoid having to deal with the heavy lifting: no need to set up data leak sites, negotiate with victims, or develop malware from scratch.

However, it’s not a "free-for-all." There are strict rules, and if an affiliate messes up, they are expelled without hesitation. "We are honest partners who respect the rules," DragonForce representatives stated. And they maintain absolute control: everything runs on their own servers, so if someone strays from the rules, they detect it immediately.

That said, these rules only apply to threat actors who officially join their new ransomware-as-a-service (RaaS) model. When asked if hospitals or healthcare organizations are on their list of prohibited targets, they showed some empathy:

"We don’t attack cancer or heart patients; if we can, we even prefer to send them money to help. We are here for business and money, not to kill people," explained one of their representatives.

This approach from DragonForce could attract an even larger audience of affiliates, especially those who lack advanced technical skills. With more affiliates joining their network, DragonForce could boost their profits thanks to the flexibility and ease their new system offers.

It is still unknown how many ransomware groups have already joined their cartel, but DragonForce claims that some well-known names in the cybercrime world are already among their members. In fact, a new gang called RansomBay has joined DragonForce’s model and has begun operating under this new scheme.

 


 

What Lies Ahead?

 

What DragonForce is doing might just be the beginning of something much bigger (and more dangerous). With this white-label ransomware model, we are likely to soon see:

 

  1. Underground marketplaces filled with ready-to-use ransomware kits, as if they were generic products.

  2. Ransomware-as-a-service offerings that are even easier to sign up for and accessible to anyone with malicious intent.

  3. Automated digital extortion campaigns, targeting multiple sectors simultaneously with an increasing level of professionalism.

This entire movement could lead to massive economic losses and place tremendous pressure on cybersecurity teams, who are already heavily burdened.

 

How to Protect Yourself from These New Threats

 

Although the situation sounds complicated, not all is lost. There are very effective ways to strengthen your defenses and minimize risks.

 

1. Continuous Education

 

The first shield remains knowledge. Training your team to recognize phishing emails, malicious links, and social engineering techniques can prevent many problems before they even start.

 

2. Strong and Smart Backups

 

Having updated, automatic, and offline backups is crucial to avoiding ransom dependence. This is where TecnetProtect comes in — it not only provides traditional backups but also offers active ransomware protection. This solution detects suspicious file changes in real time, blocks malicious encryption processes, and automatically restores any affected files, all without disrupting the user's work.

 

3. Update, Update, and Update

 

An outdated system is like leaving the door wide open. Installing security patches as soon as they are available closes vulnerabilities that attackers love to exploit.

 

4. Comprehensive Security Solutions

 

A basic antivirus is no longer enough. You need to use more complete solutions that include:

 

  1. Advanced endpoint protection

  2. Anomalous behavior detection

  3. Network segmentation

Tools like TecnetProtect combine all of this into a single platform: secure backups + anti-malware protection + vulnerability management. A comprehensive defense, specifically designed to stop attacks like those from DragonForce before they cause damage.

 

5. Have an Incident Response Plan (and Actually Test It)

 

It’s not enough to just have a document saved in a folder. Your incident response plan must be practical, up-to-date, and regularly rehearsed with the entire team to act quickly and minimize damage if something ever happens.

 

Conclusion

 

The white-label ransomware model is a major warning sign: cyberattacks will become more frequent, more personalized, and more dangerous. Protecting yourself means not only investing in technology but also educating people and always staying one step ahead.

Solutions like TecnetProtect offer exactly that advantage: they protect data, block ransomware before it causes damage, and allow you to recover everything within minutes if necessary. At a time when every second counts, having this kind of tool can make the difference between losing everything and continuing operations as if nothing ever happened.