
Increased law enforcement pressure has forced ransomware groups like DragonForce and Anubis to abandon traditional affiliate models in favor of decentralized and multi-tiered schemes. These adaptations aim to evade detection while maintaining profitability, as seen in recent operations targeting LockBit and its affiliates [1, 2]. This article examines the technical and operational shifts, their implications, and defensive countermeasures.
TL;DR: Key Developments
- DragonForce adopts a “Cartel Model” allowing affiliates to operate independent brands using shared infrastructure (admin panels, Tor sites)
- Anubis introduces three-tiered affiliate options including data theft-only extortion and access monetization
- Law enforcement’s Operation Cronos (Feb 2024) compromised LockBit’s infrastructure, leading to affiliate migration to Akira/BlackSuit
- New tactics include regulatory blackmail (UK ICO/US HHS reports) alongside traditional data leaks
Evolution of Ransomware Affiliate Models
DragonForce’s March 2025 shift to a distributed “Cartel Model” represents a significant departure from conventional Ransomware-as-a-Service (RaaS) frameworks. Affiliates now leverage DragonForce’s infrastructure, including negotiation tools and leak sites, while deploying custom-branded ransomware variants. This creates operational challenges for defenders, as compromised infrastructure from one affiliate could expose the entire network [3].
Anubis has implemented a more granular approach, offering affiliates:
| Option | Revenue Share | Description |
|---|---|---|
| Traditional RaaS | 80% | Full ransomware deployment with encryption+extortion |
| Data theft-only | 60% | Exfiltration without file encryption |
| Access monetization | 50% | Selling compromised credentials to other threat actors |
Both models emerged following the LockBit takedown, with groups seeking to reduce single points of failure while maintaining affiliate recruitment [4].
Law Enforcement Impact and Countermeasures
Operation Cronos demonstrated the effectiveness of coordinated action, with Europol-led seizures of 34 servers and arrests of key affiliates in Poland/Ukraine [5]. However, the rapid reconstitution of LockBit’s operations within a week highlights the resilience of these networks.
Defensive recommendations from Secureworks and Talos include:
“Prioritize patching internet-facing systems, particularly VPNs and RDP services. Implement phishing-resistant MFA (FIDO2/WebAuthn) and monitor for anomalous endpoint file encryption patterns.”
The No More Ransom initiative provides decryption tools for historical LockBit variants, though newer strains require behavioral detection methods [6].
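One way to approach the "anomalous endpoint file encryption patterns" monitoring recommended above, as an added example that is not code from the cited vendors: it flags any process that writes high-entropy content to several distinct files inside a short window. The event tuple format, thresholds, pids and paths are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

# Assumed tuning values for this example, not vendor guidance.
ENTROPY_MIN = 7.2   # bits/byte; encrypted output approaches 8.0
WINDOW_SECS = 10    # sliding window per process
BURST_FILES = 3     # distinct high-entropy files in the window that raise an alert

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written content (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_encryption_bursts(events):
    """events: time-ordered (timestamp, pid, path, written_bytes) tuples.
    Returns pids that wrote high-entropy content to >= BURST_FILES distinct
    files within WINDOW_SECS."""
    recent = defaultdict(deque)  # pid -> (timestamp, path) of high-entropy writes
    flagged = set()
    for ts, pid, path, data in events:
        if shannon_entropy(data) < ENTROPY_MIN:
            continue  # plain text and most documents fall well below the threshold
        q = recent[pid]
        q.append((ts, path))
        while ts - q[0][0] > WINDOW_SECS:
            q.popleft()  # drop writes that aged out of the window
        if len({p for _, p in q}) >= BURST_FILES:
            flagged.add(pid)
    return flagged

def _blob(seed: bytes) -> bytes:
    """Constructed stand-in for encrypted or compressed bytes (4 KiB)."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(128))

TEXT = b"quarterly report draft, revision 3\n" * 100
# Constructed events: pid 4312 edits documents, pid 5120 is an archiver writing
# compressed output slowly, pid 6666 overwrites four files in three seconds.
SAMPLE_EVENTS = [
    (0, 4312, "a.docx", TEXT), (1, 4312, "b.docx", TEXT), (2, 4312, "c.docx", TEXT),
    (3, 5120, "mon.zip", _blob(b"m")), (5, 5120, "tue.zip", _blob(b"t")),
    (65, 5120, "wed.zip", _blob(b"w")),
    (100, 6666, "a.docx", _blob(b"1")), (101, 6666, "b.docx", _blob(b"2")),
    (102, 6666, "c.docx", _blob(b"3")), (103, 6666, "d.docx", _blob(b"4")),
]
if __name__ == "__main__":
    print(detect_encryption_bursts(SAMPLE_EVENTS))  # only pid 6666 is flagged
```

The burst threshold is what keeps the archiver (pid 5120) from alerting, since compressed output is also high-entropy. This heuristic does not cover the data theft-only tier in the table above, where nothing is encrypted.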
Operational Relevance
For defensive teams, these developments necessitate:
- Enhanced monitoring of regulatory threat tactics (e.g., fake breach notifications to authorities)
- Network segmentation to limit lateral movement from initial access brokers
- Threat hunting for shared TTPs across DragonForce/Anubis affiliates
Red teams should test detection capabilities against triple extortion scenarios combining DDoS, data leaks, and regulatory pressure tactics.
Conclusion
The ransomware ecosystem continues evolving in response to law enforcement pressure, with groups testing increasingly fragmented operational models. While takedowns disrupt operations temporarily, the adaptive nature of affiliate networks ensures persistent threats. Organizations must balance technical controls with legal preparedness for regulatory extortion scenarios.
References
- “Novel ransomware affiliate schemes uncovered,” Infosecurity Magazine, 2025. [Online]. Available: https://www.infosecurity-magazine.com/news/novel-ransomware-affiliate-schemes/
- “Ransomware groups test new business models,” The Record, 2025. [Online]. Available: https://therecord.media/ransomware-groups-test-new-business-models-dragonforce-anubis
- “Novel affiliate models unveiled by ransomware operations,” SC World, 2025. [Online]. Available: https://www.scworld.com/brief/novel-affiliate-models-unveiled-by-ransomware-operations
- “Law enforcement disrupts world’s biggest ransomware operation,” Europol, 2024. [Online]. Available: https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation
- “Ransomware affiliate model evolution,” Talos Intelligence, 2024. [Online]. Available: https://blog.talosintelligence.com/ransomware-affiliate-model/
- “LockBit, Evil Corp targeted in anti-ransomware crackdown,” BankInfoSecurity, 2024. [Online]. Available: https://www.bankinfosecurity.com/lockbit-evil-corp-targeted-in-anti-ransomware-crackdown-a-26422