Law Enforcement Crackdowns Drive Novel Ransomware Affiliate Schemes

New observations published by Secureworks’ Counter Threat Unit (CTU) have found that law enforcement activity has forced ransomware groups to shift away from the traditional affiliate model, notably used by the infamous LockBit gang.
The CTU observed DragonForce and Anubis ransomware operators introducing novel models to attract affiliates and increase profits.
DragonForce’s Distributed Model
DragonForce, which emerged in August 2023 as a ransomware-as-a-service (RaaS) scheme, has recently rebranded itself as a “cartel.”
According to Secureworks’ CTU, in an underground post on March 19, 2025, DragonForce announced its shift to a distributed model that allows affiliates to create their own “brands”.
“As the ransomware ecosystem continues to flex and adapt, we are seeing wider experimentation with different operating models,” said Rafe Pilling, Director of Threat Intelligence, Counter Threat Unit, Secureworks, a Sophos company.
In the new distributed model, DragonForce provides its infrastructure and tools but doesn’t require affiliates to deploy its ransomware.
Advertised features include administration and client panels, encryption and ransom negotiation tools, a file storage system, a Tor-based leak site and .onion domain, and support services.
This could be appealing to affiliates with limited technical knowledge.
By broadening its affiliate base, DragonForce can increase its potential for financial gain, the Secureworks CTU commented. However, the shared infrastructure does introduce risk to DragonForce and its affiliates. If one affiliate is compromised, other affiliates’ operational and victim details could be exposed as well, the firm added.
Anubis’ Multiple Offerings
Meanwhile, Anubis, an extortion scheme first advertised on underground forums in late February 2025, offers three models to its affiliates.
- RaaS – a traditional approach that involves file encryption and offers affiliates 80% of the ransom
- Data ransom – a data theft-only extortion option in which affiliates receive 60% of the ransom
- Accesses monetization – a service that helps threat actors extort victims they’ve already compromised and offers affiliates 50% of the ransom
The “data ransom” option involves publishing a detailed “investigative article” to a password-protected Tor website, the CTU team explained. The article contains an analysis of the victim’s sensitive data which is sent to the victim alongside a link to negotiate payment.
If the victim does not pay the ransom, the threat actors threaten to publish the article on the Anubis leak site.
The operators increase pressure by publishing victim names via an X (formerly Twitter) account. The threat actors claim they will also notify the victims’ customers about the compromise.
This tactic has been used by other ransomware groups, but Anubis goes a step further by threatening to report victims to the authorities, including the UK’s Information Commissioner’s Office, the US Department of Health and Human Services or the European Data Protection Board.
Only one other group appears to have used this tactic.
In November 2023, BlackCat/ALPHV reported one of its victims to the US Securities and Exchange Commission (SEC), in a bid to pressure payment.
Pilling commented, “LockBit had mastered the affiliate scheme but in the wake of the enforcement action against them it’s not surprising to see new schemes and methods being tried and tested. These two examples shine a light on some of how this is taking shape in the ecosystem. Understanding how these groups are operating, tooling and monetizing is crucial in deploying the right defenses to secure people and businesses.”
CTU researchers recommend that organizations regularly patch internet-facing devices, implement phishing-resistant multi-factor authentication (MFA) as part of a conditional access policy, maintain robust backups, and monitor their network and endpoints for malicious activity.