
Secureworks Counter Threat Unit (CTU) researchers have identified significant shifts in the operational strategies of the DragonForce and Anubis ransomware groups in early 2025. Both groups have launched innovative affiliate programs designed to maximize profits while mitigating risks from law enforcement disruptions. These adaptations highlight the evolving tactics of ransomware operators in response to increased global counter-ransomware efforts.
Executive Summary for Security Leaders
The DragonForce and Anubis ransomware groups have restructured their operations following the takedown of major ransomware-as-a-service (RaaS) platforms like LockBit. DragonForce now operates as a “cartel” offering infrastructure support for affiliates’ custom malware, while Anubis provides three distinct extortion models with varying profit-sharing structures. Both groups are leveraging regulatory pressure tactics against victims, including threats to report data breaches to authorities.
- DragonForce: Adopted a “Bring Your Own Malware” model, providing Tor leak sites and negotiation tools while allowing affiliates to use their own ransomware variants
- Anubis: Offers tiered affiliate options including traditional RaaS (80% share), data ransom (60%), and access monetization (50%)
- New Tactics: Both groups now threaten to report victims to regulators (SEC, EU Data Protection Board) if ransoms aren’t paid
- Targeting: Anubis avoids BRICS nations and government/education sectors, focusing on healthcare organizations
Detailed Analysis of New Affiliate Models
DragonForce’s March 2025 rebranding as a “cartel” represents a strategic shift toward decentralized operations. According to Dark Reading [1], the group now provides infrastructure components like Tor-based leak sites and negotiation platforms without requiring affiliates to use its ransomware binaries. This model lowers the technical barrier for entry but introduces shared infrastructure risks – if one affiliate’s operations are compromised, all participants using the same infrastructure may be exposed.
Anubis has implemented a more structured multi-tiered approach, as reported by Infosecurity Magazine [2]. Their affiliate program offers:
| Model | Profit Share | Description |
|---|---|---|
| Traditional RaaS | 80% | Standard ransomware deployment with encryption |
| Data Ransom | 60% | Publishes “investigative articles” about stolen data |
| Access Monetization | 50% | Helps affiliates sell pre-compromised system access |
Operational Security Implications
The distributed nature of these new models presents challenges for both defenders and law enforcement. DragonForce’s shared infrastructure model creates potential forensic opportunities – security teams monitoring these platforms may gather intelligence about multiple operations simultaneously. However, as noted by Recorded Future [3], Anubis’s selective targeting of healthcare organizations while avoiding BRICS nations suggests sophisticated geopolitical awareness in their targeting decisions.
Group-IB’s research [4] reveals that DragonForce affiliates continue using known techniques like Bring Your Own Vulnerable Driver (BYOVD) to disable security tools. This persistence in tactics despite model changes indicates that while business structures evolve, core technical methods remain consistent.
Defensive Recommendations
Organizations should prioritize patching internet-facing systems, particularly those with known vulnerabilities historically exploited by ransomware groups. The implementation of phishing-resistant multi-factor authentication (MFA) remains critical, as credential theft continues to be a primary infection vector.
Security teams should monitor for:
- Unusual network traffic patterns indicating data exfiltration
- Threats of regulatory reporting in ransom notes
- Emerging discussion of these models on dark web forums
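For the second item in the list above, a triage check for regulatory-reporting threats in recovered note or e-mail text can look like this. It is an added example, not code from Secureworks or any cited source; the term lists, the function name `regulatory_threats` and both sample texts are constructed assumptions.

```python
import re

# Term lists are assumptions for illustration. The page names the SEC and the
# EU Data Protection Board; the verbs and cues are constructed, not from a real note.
REGULATOR = re.compile(
    r"\bSEC\b|(?i:\b(?:securities and exchange commission|data protection "
    r"(?:board|authorit(?:y|ies))|EDPB|GDPR|regulators?|supervisory authorit(?:y|ies))\b)")
REPORT = re.compile(
    r"\b(?:report(?:s|ed|ing)?|notif(?:y|ies|ied|ying)|inform(?:s|ed|ing)?|"
    r"disclos(?:e|es|ed|ing|ure)|complaint)\b", re.I)
COERCION = re.compile(
    r"\b(?:pay(?:ment)?|ransom|deadline|unless|negotiat\w+|refus\w+)\b", re.I)
SENTENCE_END = re.compile(r"(?<=[.!?])\s+")


def regulatory_threats(text):
    """Return sentences that pair a regulator with a reporting verb and sit
    within one sentence of a coercion cue (payment, deadline, refusal)."""
    sentences = [s.strip() for s in SENTENCE_END.split(text) if s.strip()]
    hits = []
    for i, sentence in enumerate(sentences):
        if not (REGULATOR.search(sentence) and REPORT.search(sentence)):
            continue
        # A compliance memo also mentions regulators and notification; the
        # coercion cue in the neighbourhood is what marks extortion language.
        context = " ".join(sentences[max(0, i - 1):i + 2])
        if COERCION.search(context):
            hits.append(sentence)
    return hits


# Constructed samples, not text from any real DragonForce or Anubis note.
NOTE = ("Your network data has been copied. You have 72 hours to negotiate. "
        "If you refuse, we will report this breach to the SEC and notify "
        "the data protection authority in every affected country.")
MEMO = ("Under GDPR the company must notify the supervisory authority within "
        "72 hours of a breach. Legal will draft the disclosure for regulators.")

if __name__ == "__main__":
    for name, sample in (("note", NOTE), ("memo", MEMO)):
        print(name, regulatory_threats(sample))
```

The memo sample shows why regulator and verb co-occurrence alone is not enough: internal compliance text uses the same vocabulary, so the coercion cue is what separates the two.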
Conclusion
The adaptation of DragonForce and Anubis demonstrates ransomware groups’ resilience in the face of law enforcement pressure. Their new affiliate models reflect strategic shifts toward decentralization and diversified revenue streams. While these changes may temporarily reduce operational visibility for defenders, they also create new vulnerabilities in ransomware ecosystems that security professionals can potentially exploit for intelligence gathering and disruption.
References
- [1] “Ransomware Gangs Innovate with New Affiliate Models,” Dark Reading, Apr. 23, 2025. [Online]. Available: https://www.darkreading.com/data-privacy/ransomware-gangs-innovate-new-affiliate-models
- [2] “Novel Ransomware Affiliate Schemes Emerge,” Infosecurity Magazine, Apr. 25, 2025. [Online]. Available: https://www.infosecurity-magazine.com/news/novel-ransomware-affiliate-schemes/
- [3] “Ransomware Groups Test New Business Models,” The Record, 2025. [Online]. Available: https://therecord.media/ransomware-groups-test-new-business-models-dragonforce-anubis
- [4] “DragonForce Ransomware Expands RaaS Targets,” Hackread, 2025. [Online]. Available: https://hackread.com/dragonforce-ransomware-expands-raas-targets-firms/