Hoplon InfoSec
27 Apr, 2025
In 2025, ransomware continues to disrupt organizations worldwide despite significant law enforcement efforts to dismantle major criminal operations. Two emerging groups—DragonForce and Anubis—are pioneering new affiliate models that enable them to diversify their techniques, reach more victims, and sustain profitability even as businesses bolster their defenses. Understanding these developments is crucial for any organization seeking to protect its data and reputation.
DragonForce first appeared in August 2023 as a typical ransomware-as-a-service (RaaS) provider, leasing its encryption tools to affiliates in exchange for a ransom share. By February 2024, the group was aggressively advertising on underground forums to recruit partners. Their leak site listed 136 victim organizations by March 2025, a testament to the operation’s rapid expansion.
Recently, DragonForce rebranded itself as a “cartel,” signaling a strategic shift. Instead of a centralized brand, the cartel model allows affiliates to launch sub-brands under the DragonForce umbrella. These sub-brands can operate with customized names, logos, and affiliate terms while relying on DragonForce’s infrastructure for encryption, payment processing, and leak sites. This distributed approach offers affiliates greater autonomy and helps DragonForce evade disruption by diluting the visibility of any single brand.
Anubis emerged on underground forums in late February 2025 with a novel recruitment pitch: three distinct extortion options, each with its own profit-sharing ratio. By diversifying beyond straightforward encryption, Anubis appeals to a broader range of cybercriminals and complicates defensive planning.
Anubis’s “data ransom” strategy includes publishing in-depth “investigative articles” on Tor, complete with excerpts of stolen documents. These articles are password-protected, allowing victims to review evidence and negotiate directly. If negotiations stall, Anubis escalates by publicly naming victims on social media (e.g., X, formerly Twitter) and notifying their customers, partners, and regulators.
Most striking is the threat to report non-paying organizations to data protection authorities, such as the UK Information Commissioner’s Office, the U.S. Department of Health and Human Services, and the European Data Protection Board. While ransomware groups have occasionally leveraged regulatory pressure before—such as the GOLD BLAZER group’s reporting of an ALPHV breach to the U.S. SEC in November 2023—Anubis institutionalizes this tactic as part of its core model.
Organizations are becoming more resilient: improved backups, zero-trust architectures, and cyber insurance policies reduce the likelihood and impact of ransom payments. In response, ransomware operations innovate their business models. By offering flexible affiliate terms and varied extortion methods, DragonForce and Anubis can maintain revenue streams even if one tactic becomes less effective.
These models complicate threat detection and incident response. Security teams must anticipate not only encryption-based attacks but also stealthy data exfiltration and reputational blackmail. Traditional endpoint defenses may stop file encryption but miss data theft. Likewise, public relations and legal teams must be prepared for the social and regulatory fallout engineered by threat actors.
The ransomware landscape in 2025 is characterized by agile business models that blend traditional encryption with data extortion and reputational blackmail. DragonForce’s “cartel” framework and Anubis’s three-tiered extortion options exemplify how cybercriminals evolve in response to stronger defenses. Organizations must likewise adapt by strengthening data-centric protections, enhancing detection capabilities, and preparing for the broader consequences of an incident. Businesses can only stay one step ahead of these innovative threat actors through a holistic, forward-looking security strategy.