DragonForce Engages in


DragonForce is fighting a “turf war” with rival ransomware operators as it seeks to assert its dominance in the cybercrime marketplace, according to new Sophos research.

The group appears to be responsible for RansomHub’s infrastructure outage in late March 2025, which contributed to a significant fall in ransomware attacks in April.

This may be the result of an attempted “hostile takeover” of the group by DragonForce.

The researchers observed that DragonForce’s attacks on ransomware-as-a-service (RaaS) rivals began after it rebranded as a ‘cartel’ in March 2025 in order to expand its reach.

DragonForce’s Revamped Cartel Model

The cartel model allows affiliates the flexibility to leverage DragonForce’s infrastructure and ransomware tools while operating under their own brands.

The syndicate set the scene for the model in early 2025 by launching “RansomBay,” a white-label service that lets affiliates rebrand the ransomware under a different name.

Affiliates pay a 20% cut of any ransom haul and keep the rest, while DragonForce handles the underlying infrastructure, technical support and leak-site hosting.

DragonForce’s infrastructure was reportedly leveraged by Scattered Spider to target UK retailers Marks and Spencer (M&S), the Co-operative Group and Harrods in late April.

Attacks on Rival RaaS Operators

Sophos researchers observed that the cartel announcement in March coincided with defacements of leak sites operated by the BlackLock and Mamona ransomware groups. The defacements show DragonForce’s logo.

Following these attacks, a major turf war appeared to unfold between DragonForce and RansomHub.

Initially, it appeared that the groups might start working together, with a post appearing on the RansomHub leak site titled ‘Welcome to the DragonForce Cartel’.

A subsequent DragonForce post on the RAMP underground forum also indicated a collaboration, stating that RansomHub was moving to its infrastructure.

However, a postscript suggested that RansomHub had not agreed to DragonForce’s offer, reading “RansomHub hope you are doing well, consider our offer! We are waiting for everyone in our ranks.”

Shortly after these posts, RansomHub’s leak site went offline, displaying the message ‘RansomHub R.I.P 03/03/2025’.

Sophos researchers noted, “The ‘collaboration’ between DragonForce and RansomHub appears to have been more of a hostile takeover by DragonForce.”

In an apparent revenge attack, a prominent RansomHub member under the persona ‘koley’ posted a defacement of the DragonForce homepage on RAMP along with the message “@dragonforce guess you have traitors…”

Additional posts by koley accused DragonForce of working with law enforcement, attacking rivals and telling lies.

Sophos said that DragonForce’s leak site is back online following an extended period of downtime.

During the downtime, the homepage displayed a message stating that it would be up again soon, and a similar message appears on the RansomBay leak site.

Impact of Internal Warfare on Threat Landscape

DragonForce’s conflicts with rival groups are likely part of efforts to dominate the ransomware marketplace, emulating the success of RaaS groups like LockBit.

In recent years, a series of high-profile law enforcement operations have disrupted some of the most notorious ransomware groups, including LockBit. This has resulted in a more fragmented ransomware ecosystem, with a growing number of active groups competing against each other.

William Lyne of the UK’s National Crime Agency (NCA) recently told Infosecurity that the ransomware landscape has entered a “post-trust ecosystem,” where fragmented and increasingly mistrustful cybercrime groups operate in a climate of heightened law enforcement scrutiny.

The Sophos researchers warned that while internal warfare among ransomware groups is disruptive to their own operations, it does not reduce the level of risk faced by organizations.

“In fact, it may lead to more erratic, opportunistic attacks as groups scramble to assert dominance and monetize stolen data in new ways,” they wrote. “Organizations must therefore revisit their incident response, threat intelligence, and third-party risk management strategies to remain resilient in an increasingly chaotic threat environment.”


