BIPI

DragonForce: Inside the White-Label RaaS Cartel Model Disrupting Ransomware in 2025

Threat Intelligence

DragonForce launched a white-label ransomware-as-a-service cartel in 2025, allowing other criminal groups to operate under their infrastructure. A profile of the business model, affiliate recruitment, notable 2025 campaigns, and detection guidance.

By Arjun Raghavan, Security & Systems Lead, BIPI · August 19, 2025 · 10 min read

#dragonforce #ransomware #raas #cartel #threat-actor #cybercrime

DragonForce began in 2023 as a financially motivated ransomware group with a comparatively conventional RaaS model. By early 2025, the group had evolved its offering into something qualitatively different from standard RaaS operations: a white-label cartel model that allows other criminal groups to operate their own ransomware brands using DragonForce's underlying infrastructure, encryptors, and negotiation platform. The result is a criminal franchise that aggregates risk, expertise, and victim impact across multiple nominally independent groups.

The cartel model represents a meaningful evolution in ransomware economics. Rather than recruiting individual technical affiliates who execute attacks, DragonForce recruits entire criminal organisations — including smaller RaaS operations, access brokers with established networks, and former affiliates of disrupted operations — and provides them with a turnkey operational platform. Prominent criminal group Scattered Spider was linked to DragonForce operations in 2025, significantly amplifying the cartel's reach.

  • White-label: DragonForce's cartel model allows other criminal groups to operate branded ransomware using shared infrastructure
  • Scattered Spider: high-profile criminal group linked to DragonForce operations in 2025, adding sophisticated social engineering capability
  • M&S, Co-op: UK retail chains among notable 2025 victims attributable to DragonForce-linked operations

The White-Label Cartel Model Explained

In the white-label model, DragonForce provides member criminal groups with: a customisable ransomware encryptor with the member's chosen branding and ransom note, access to the shared Tor-hosted leak site infrastructure where each member operates a sub-site under their own brand, negotiation support services with staffed negotiators available in multiple languages, and cryptocurrency handling and laundering infrastructure. Member groups handle their own victim targeting, initial access, and network operations.

  • Encryptor-as-a-service: custom-branded encryptors built on DragonForce's codebase, configurable per campaign
  • Leak site infrastructure: members operate branded sub-sites; DragonForce handles hosting, uptime, and Tor hidden service management
  • Negotiation platform: web-based victim negotiation portal with multi-language support and automated follow-up sequences
  • Cryptocurrency infrastructure: mixing and OTC exchange access to convert ransom payments to clean fiat
  • Technical support: malware support tickets, EDR bypass guidance, and deployment troubleshooting for member groups

Scattered Spider Partnership

The most significant development in the DragonForce ecosystem in 2025 was the operational link to Scattered Spider, also known as UNC3944 or Octo Tempest. Scattered Spider is a primarily English-speaking criminal group known for exceptionally sophisticated social engineering: SIM swapping, help desk vishing attacks, and multi-factor authentication fatigue attacks. The group's technical access capabilities, combined with DragonForce's ransomware infrastructure, produced a highly effective operation against large enterprises.

The UK retail attacks in Q2 2025 — affecting Marks and Spencer and Co-op — demonstrated the combination in practice. Initial access was achieved through social engineering of IT help desk staff using Scattered Spider TTPs, followed by Active Directory compromise and widespread deployment of DragonForce ransomware encryptors across ESXi infrastructure. The combination of human-centric initial access with industrial-scale encryption created significant recovery challenges for both organisations.

TTPs and Targeting

DragonForce-affiliated campaigns target large organisations with revenues above $100 million, focusing on sectors where operational disruption creates immediate victim pressure: retail, hospitality, healthcare, and logistics. Initial access methods vary by affiliate but include vishing attacks against IT help desks, Microsoft Teams-based phishing for credentials, and exploitation of internet-facing VPN and RDP services.

  • Help desk vishing: calling IT support and social-engineering password resets or MFA bypass for executive accounts
  • Teams phishing: external Teams messages from compromised tenants delivering credential harvesting links
  • ESXi targeting: final encryption phase targets VMware ESXi hypervisors to maximise impact per deployed encryptor
  • Active Directory destruction: AD databases deleted or corrupted to maximise recovery time and ransom pressure
  • Data exfiltration before encryption: sensitive customer data extracted for double-extortion leverage
  • Backups specifically targeted: Veeam, Commvault, and Rubrik APIs accessed and backup jobs deleted before encryption

Detection and Mitigation

  • Help desk authentication hardening: require video identity verification and multi-factor confirmation before any password reset or MFA bypass
  • External Teams message controls: disable external Teams federation or require explicit approval for external messaging
  • ESXi network segmentation: ESXi management interfaces must not be reachable from the general corporate network; require a jump host
  • Veeam and Commvault API access logging: alert on backup deletion, repository removal, or schedule disablement events
  • AD tiered access model: domain admin credentials must not be accessible from workstations — use PAWs and tier-0 isolation
  • DragonForce IOCs: encryptor binary hash families tracked by Secureworks, Sophos, and ESET — subscribe to vendor threat intel feeds
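
One way to implement the backup-audit alerting item above, as an added example that is not code from the article or from any backup vendor: it parses a constructed, vendor-neutral JSON-lines audit feed (assumed fields ts, user, action, target) and escalates when one account performs several distinct destructive actions within a short window, the "backups deleted before encryption" sequence described in the TTPs section.

```python
# Added example (not from the article): flag backup-destruction precursors in a
# backup platform's audit log. The log shape is constructed and vendor-neutral
# (assumed fields: ts, user, action, target); map real audit exports onto it.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that remove recovery capability. One is worth a ticket; several distinct
# ones by the same account within WINDOW match "delete backups before encryption".
DESTRUCTIVE_ACTIONS = {"job_deleted", "repository_removed", "schedule_disabled",
                       "restore_point_deleted", "retention_reduced"}
WINDOW = timedelta(minutes=30)
BURST_THRESHOLD = 2  # distinct destructive actions in WINDOW -> severity "high"

def parse_events(lines):
    """Parse JSON-lines audit records, skipping malformed ones, sorted by time."""
    events = []
    for line in filter(None, (l.strip() for l in lines)):
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: count it and move on in production
    return sorted(events, key=lambda e: e["ts"])

def find_alerts(events):
    """One alert per destructive action; 'high' when the same user performed
    >= BURST_THRESHOLD distinct destructive actions within WINDOW, else 'medium'."""
    alerts, recent = [], defaultdict(list)  # recent: user -> [(ts, action)]
    for e in events:
        if e.get("action") not in DESTRUCTIVE_ACTIONS:
            continue
        user = e.get("user", "unknown")
        recent[user] = [(t, a) for t, a in recent[user] if e["ts"] - t <= WINDOW]
        recent[user].append((e["ts"], e["action"]))
        distinct = {a for _, a in recent[user]}
        alerts.append({"ts": e["ts"].isoformat(), "user": user, "action": e["action"],
                       "target": e.get("target"),
                       "severity": "high" if len(distinct) >= BURST_THRESHOLD else "medium"})
    return alerts

# Constructed sample: a routine job, then one account disabling a schedule and
# deleting the job and its repository within minutes.
SAMPLE_LOG = """
{"ts": "2025-06-01T01:10:00", "user": "svc-backup", "action": "job_completed", "target": "DailyFS"}
{"ts": "2025-06-01T02:05:00", "user": "admin2", "action": "schedule_disabled", "target": "DailyFS"}
{"ts": "2025-06-01T02:09:00", "user": "admin2", "action": "job_deleted", "target": "DailyFS"}
{"ts": "2025-06-01T02:11:00", "user": "admin2", "action": "repository_removed", "target": "Repo-01"}
"""
```

Run `find_alerts(parse_events(SAMPLE_LOG.splitlines()))`; the first admin2 action is reported as medium and the two that follow within the window as high, which is the point at which the account should be disabled and the backup server isolated.
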

DragonForce's cartel model is a business process innovation as much as a technical one. The structure of franchised criminal operations, with shared infrastructure and specialised service tiers, mirrors legitimate franchise businesses. The defence must treat it the same way: address the infrastructure, the access brokers, and the social engineering layer independently.

  • ESXi: primary encryption target in DragonForce campaigns; one encryptor deployment can take down hundreds of VMs
  • Vishing: Scattered Spider's primary initial access vector; IT help desk hardening is the most important single control
  • Double extortion: all major DragonForce-affiliated campaigns include data exfiltration before encryption for maximum leverage
