DragonForce and Anubis Ransomware Gangs Introduce New Affiliate Programs

Cybercriminals Adapt: Insights into DragonForce and Anubis Ransomware Innovations in 2025

A recent report by researchers from the Secureworks Counter Threat Unit (CTU) describes how two ransomware groups, DragonForce and Anubis, are adapting their strategies. Both operators are developing affiliate models intended to increase their profitability and extend their influence while under growing pressure from law enforcement agencies.

DragonForce’s Dynamic Branding Model

First identified in August 2023, DragonForce emerged as a conventional ransomware-as-a-service (RaaS) operation. However, by March 2025, the group had dramatically transformed its structure and strategies in response to the changing digital environment. Initially gaining traction through aggressive marketing on dark web forums, DragonForce reported a victim count of 136 on their leak site by March 24, 2025.

On March 19, 2025, the group made headlines by announcing a strategic overhaul, rebranding themselves as a “cartel” and opting for a distributed affiliate branding model. This innovative framework allows various affiliates to create their own unique brands while still utilizing DragonForce’s extensive infrastructure, which includes administrative tools, encryption solutions, and support services. Unlike traditional RaaS models, affiliates are no longer required to use DragonForce’s variant of ransomware, granting them unprecedented flexibility in their operations.

This shift significantly lowers the technical barriers for less experienced threat actors and provides experienced criminals the means to deploy custom malware without the hassle of developing their own backend systems. However, embracing such a shared infrastructure introduces vulnerabilities; should one affiliate experience a breach, it could lead to the exposure of operational details affecting others in the network.

The implications of this new affiliate model are profound. By broadening its affiliate base, DragonForce stands to significantly amplify its financial gains. However, this increased diversity in operations could also challenge cybersecurity defenders, who now must contend with a more complex threat landscape.

Anubis and Its Multi-Tiered Extortion Framework

At the same time, the Anubis ransomware group, which began making its presence known in late February 2025, has launched a unique three-tier extortion framework. This model caters to a range of skills and operational focuses among affiliates, further diversifying its potential for exploitation.

According to Secureworks’ report, the first tier is a traditional RaaS model with file encryption, which promises affiliates an 80% share of the ransom collected. The second tier is a “data ransom” approach that emphasizes data theft. It offers a 60% cut of the profits and uses detailed “investigative articles” published on password-protected Tor sites to put pressure on victims. Anubis escalates its threats by promising to notify regulatory bodies such as the UK’s Information Commissioner’s Office (ICO) and the US Department of Health and Human Services (HHS) if victims do not comply.

Furthermore, the third option under Anubis’s framework focuses on “access monetization,” where affiliates can extort already compromised victims, providing a 50% cut of the ransom. This multifaceted approach not only increases the pressure on victims but also attracts a wide range of cybercriminals, making it a versatile operation.

Anubis has opted to exclude targets in regions such as post-Soviet states and BRICS nations, and it also avoids sectors like education and government. Nonetheless, healthcare organizations remain vulnerable, likely due to the sensitive nature of their data and the compliance pressures they face.

Evolving Threats and Cybersecurity Responses

The strategies employed by DragonForce and Anubis underscore the relentless adaptability of contemporary ransomware operators. Both groups are refining their business models to avoid disruption and maximize their impact in an increasingly challenging environment. This evolution in tactics signifies a growing sophistication in the cybercrime sphere, requiring heightened vigilance from cybersecurity professionals.

To address these emerging threats, it is crucial that cybersecurity experts enhance their detection capabilities, improve incident response strategies, and foster international cooperation. As cybercriminals continue to refine their methodologies, proactive measures and innovative counter-strategies will be essential in combating the growing complexity of ransomware attacks and safeguarding sensitive data.

In summary, the ongoing evolution of operations like DragonForce and Anubis not only highlights the ingenuity of cybercriminals but also presents an urgent call for enhanced cybersecurity measures in an increasingly digital world. As these groups continue to adapt, stakeholders across industries must remain aware of these shifting dynamics to effectively mitigate risks.
