DragonForce, a ransomware-as-a-service operation active since 2023, has dramatically evolved into what researchers now describe as a structured cybercriminal cartel, leveraging the publicly leaked Conti v3 source code to establish a formidable threat infrastructure.
The group initially relied on the LockBit 3.0 builder for developing encryptors before transitioning to a customized Conti v3 codebase, giving it significant operational advantages and technical capabilities that rival established ransomware operations.
The transition marked a turning point in DragonForce’s evolution. Rather than operating as a traditional ransomware group, the organization rebranded itself as a cartel in early 2025, fundamentally changing how it conducts business.
This shift enables affiliates to white-label payloads and create their own branded variants while maintaining operational independence under DragonForce’s infrastructure umbrella.
By offering affiliates 80 percent of profits, the cartel structure removes technical barriers to entry and incentivizes recruitment of new operators.
The group now provides comprehensive tools including automated deployment systems, customizable encryptors, reliable infrastructure with 24/7 monitoring, and support for multiple platforms spanning Windows, ESXi, Linux, BSD, and NAS systems.
Acronis researchers and threat analysts identified that DragonForce employs sophisticated attack methodologies alongside Scattered Spider, a financially motivated initial access broker specializing in social engineering and multi-factor authentication bypass tactics.
Scattered Spider conducts reconnaissance on target employees through social media and open-source intelligence, crafting convincing pretexts to orchestrate phishing campaigns and voice phishing attacks.
Once credentials are compromised, the group deploys remote monitoring tools like ScreenConnect and AnyDesk to establish persistence, then conducts extensive network reconnaissance focusing on backup infrastructure, credential repositories, and VMware environments.
Advanced Encryption Mechanisms and Technical Refinement
DragonForce’s technical sophistication distinguishes it from competing operations.
The malware employs ChaCha20 encryption for configuration files and generates unique encryption keys for each targeted file.
Notably, after security researchers disclosed encryption weaknesses in Akira ransomware through a Habr article, DragonForce promptly reinforced its own cipher implementation, demonstrating active threat intelligence monitoring and rapid technical adaptation.
The group implements multiple encryption modes including full, header, and partial encryption, with configurable thresholds determining encryption strategies for individual files.
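The full, header and partial encryption modes described above matter for incident response: a file that is only partially encrypted will not look uniformly "random", so whole-file entropy checks can miss it. The following added triage helper (not code from the article or from Acronis) classifies a file by computing Shannon entropy per fixed-size chunk and looking at which chunks are high-entropy. The chunk size and entropy threshold are assumptions chosen for illustration, and the sample inputs are constructed inline; compressed or archive formats also score high, so the result is a triage hint rather than proof of encryption.

```python
import math
import random
from collections import Counter

CHUNK = 4096        # assumed chunk size for the per-region scan
HIGH_ENTROPY = 7.2  # assumed threshold (bits/byte); random data scores close to 8.0


def chunk_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte of one buffer (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY) -> str:
    """Label a file body as plaintext / full / header / partial based on which
    chunks look encrypted. 'header' means only the first chunk is high-entropy,
    'partial' means some but not all chunks are, matching the modes the text names."""
    flags = [chunk_entropy(data[i:i + chunk]) >= threshold
             for i in range(0, len(data), chunk)]
    if not flags:
        return "empty"
    if all(flags):
        return "full"
    if not any(flags):
        return "plaintext"
    if flags[0] and not any(flags[1:]):
        return "header"
    return "partial"


# Constructed sample inputs: deterministic pseudo-random bytes stand in for
# ciphertext, repeated ASCII text stands in for an untouched document.
_rng = random.Random(1)
TEXT = (b"quarterly report: revenue, expenses and headcount by region\n" * 2048)[:CHUNK * 16]
FULL = _rng.randbytes(CHUNK * 16)
HEADER = _rng.randbytes(CHUNK) + TEXT[CHUNK:]
PARTIAL = b"".join(_rng.randbytes(CHUNK) if i % 4 == 0 else TEXT[i * CHUNK:(i + 1) * CHUNK]
                   for i in range(16))

if __name__ == "__main__":
    for name, blob in (("plaintext", TEXT), ("full", FULL), ("header", HEADER), ("partial", PARTIAL)):
        print(f"{name:10s} -> {classify(blob)}")
```

Run over a directory of suspect files, the "header" and "partial" labels are the ones a whole-file entropy check would have missed; pairing the label with the file's magic bytes (a document whose first chunk is high-entropy but whose extension says .docx is a strong signal) cuts false positives from legitimately compressed formats.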
A particularly concerning technique involves BYOVD attacks utilizing vulnerable drivers like truesight.sys and rentdrv2.sys to terminate security software and protected processes.
The malware communicates with these drivers through DeviceIoControl functions using specific control codes, effectively bypassing endpoint detection and response solutions.
Configuration parameters reveal sophisticated operational planning, with targeted process termination lists including SQL Server instances, Oracle databases, and Microsoft productivity applications to maximize encryption success rates.
Since late 2023, DragonForce has exposed more than 200 victims across retail, airlines, insurance, managed service providers, and enterprise sectors.
The Marks & Spencer attack, attributed to Scattered Spider and DragonForce collaboration, exemplifies the operational effectiveness of their partnership.
As DragonForce continues recruiting affiliates and establishing market dominance through infrastructure takeovers targeting rival groups, the cartel model represents a concerning evolution in ransomware operations.
