Law Enforcement Crackdowns Fuel Innovative Ransomware Affiliate Schemes

New insights unveiled by Secureworks’ Counter Threat Unit (CTU) indicate a significant evolution in the tactics of ransomware groups in response to increased law enforcement actions. This shift notably affects the operations of ransomware collectives, particularly those like the infamous LockBit gang, traditionally known for their affiliate-based business models.

According to observations from the CTU, recent trends reveal that operators of ransomware entities like DragonForce and Anubis are now exploring innovative frameworks to attract affiliates and enhance their profitability. These new approaches represent a marked departure from conventional strategies, aimed at adapting to the ever-evolving cybercrime landscape.

DragonForce’s Distributed Model

Emerging in August 2023, DragonForce initially positioned itself within the domain of ransomware-as-a-service (RaaS). Recent developments have led the group to rebrand its operations as a “cartel,” signifying a strategic pivot towards a more decentralized operational method.

As reported by Secureworks’ CTU, DragonForce made a notable announcement via an underground forum on March 19, 2025, detailing its transition to a distributed model. This new framework permits affiliates to generate their own brand identities while utilizing DragonForce’s resources. Such flexibility marks a significant transformation within the ransomware ecosystem, according to Rafe Pilling, the Director of Threat Intelligence at Secureworks. He noted that this adaptability reflects the broader experimentation currently underway in the realm of cybercrime.

In this distributed model, DragonForce furnishes affiliates with essential infrastructure and tools without mandating the use of its specific ransomware. Features advertised by DragonForce include administrative and client panels, tools for encryption and ransom negotiations, a secure file storage system, a Tor-based leak site, and dedicated support services. This array of offerings caters predominantly to affiliates who may possess limited technical skills.

The implications of this model are profound. By attracting a larger pool of affiliates, DragonForce can maximize its financial advantages. However, with shared infrastructure comes heightened risk. Should one affiliate be compromised, there’s a potential exposure of operational and victim details that could adversely affect other affiliates within the network.

Anubis’ Multiple Offerings

In parallel, the Anubis ransomware group, which first appeared on underground forums in late February 2025, is also pursuing a multifaceted approach to affiliate engagement. Anubis has introduced three distinct operational models for its affiliates:

  1. RaaS: A conventional model centered around file encryption, offering affiliates 80% of the ransom collected.
  2. Data Ransom: A unique extortion method focused exclusively on data theft, providing affiliates with 60% of the ransom.
  3. Accesses Monetization: A service aimed at aiding threat actors in extorting victims they have already compromised, granting affiliates 50% of the ransom.

The “data ransom” model is particularly striking, as it involves publishing a detailed “investigative article” on a password-protected Tor site. This article analyzes the victim’s sensitive data and is sent to the victim alongside payment negotiation details. If the victim refuses to settle, Anubis threatens to publish the article on its leak site, amplifying the pressure on the victim.

Moreover, the operators of Anubis have adopted proactive tactics by releasing victim names on platforms like X (formerly Twitter). They also claim they will reach out to the victims’ customers regarding the breach, further intensifying the pressure to comply with their demands.

A distinctive method employed by Anubis involves threatening to report victims to relevant authorities, including the UK’s Information Commissioner’s Office, the US Department of Health and Human Services, and the European Data Protection Board. This tactic is not commonly seen, with only one other group, BlackCat/ALPHV, having executed a similar strategy by reporting a victim to the US Securities and Exchange Commission (SEC) in November 2023 to induce payment.

Pilling emphasized the significance of these new strategies, particularly in light of law enforcement actions against groups like LockBit, which had previously perfected the affiliate model. The emergence of DragonForce and Anubis serves as evidence of ongoing innovation in the ransomware ecosystem. He underlined the importance of understanding these operational shifts to effectively counteract such threats and bolster defenses for organizations and individuals alike.

In response to these evolving threats, CTU researchers advocate for organizational practices including regular patching of internet-facing devices, implementing phishing-resistant multi-factor authentication (MFA) as part of a conditional access policy, maintaining robust backup protocols, and vigilant monitoring of networks and endpoints for suspicious activities. By adopting these measures, businesses can better safeguard themselves against the ever-adaptive strategies employed by modern ransomware groups.
