Turf Wars: DragonForce vs. RansomHub in Ransomware

Overview of the Extortion Ecosystem
The ransomware-as-a-service (RaaS) model has transformed cybercrime into a professionalized industry, where operators provide turnkey toolkits—malware binaries, encryption routines, command-and-control (C2) infrastructure—on the dark web. Affiliates purchase or lease these resources to breach corporate networks through phishing, exploit kits, or exposed and compromised Remote Desktop Protocol (RDP) access. Once inside, attackers use frameworks such as Cobalt Strike, Mimikatz, and Empire to escalate privileges, move laterally, and exfiltrate data over encrypted channels. In the final stage, they deploy encryption payloads—often AES-256-CBC with RSA-4096 key wrapping—and publish stolen data on leak sites to pressure victims into paying ransoms in Bitcoin or privacy coins such as Monero.
The DragonForce vs. RansomHub Conflict
DragonForce, first identified in August 2023, and RansomHub, active since mid-2023, recently entered a turf war that underscores the no-holds-barred nature of ransomware cartels. Both groups operate RaaS affiliate portals with tiered profit-sharing—typically 70/30 splits—and vet partners via invitation-only schemes. Tensions escalated in March 2025 when DragonForce rebranded as a ransomware “cartel,” expanding its service portfolio to include double extortion, leak site management, and DDoS extortion add-ons.
Timeline of Key Events
- March 3, 2025: DragonForce defaced the RansomHub leak site, posting "R.I.P 3/3/25" and claiming a hostile takeover of its servers, as reported by Sophos.
- March 5, 2025: RansomHub retaliated by hacking DragonForce's hidden Tor service, labeling the group "traitors".
- April 2025: DragonForce allegedly targeted backup servers of BlackLock and Mamona, injecting rogue payloads to taunt rival affiliates.
Technical Tactics and Payloads
- Initial Access: Phishing emails with malicious macros or exploitation of Exchange ProxyShell vulnerabilities.
- Post-Exploitation: Deployment of Cobalt Strike BEACON over HTTPS, credential harvesting via Mimikatz, and Kerberoasting against on-prem Active Directory.
- Data Exfiltration: Use of RClone to upload compressed archives to compromised AWS S3 buckets over encrypted transport.
- Encryption: File encryption using AES-256-CBC, with elliptic-curve Diffie-Hellman (ECDH) key exchange for session keys, followed by RSA-4096 key wrapping.
- Extortion: Publishing data on Tor-based leak sites and invoking triple extortion tactics including DDoS threats and targeted doxing.
Implications for Corporate Victims
Experts warn that this internecine conflict could leave victims extorted twice over, with a single victim facing ransom demands from both groups. UnitedHealth Group experienced a similar scenario in 2024 after a falling-out between RaaS providers, culminating in over $22 million in attempted ransoms.
The global cost of cybercrime is projected to hit $10 trillion by 2025, up from $3 trillion in 2015, driven by the increasing professionalization of RaaS offerings and affiliate networks.
Incident Response and Mitigation Strategies
Security teams must adapt to this volatile landscape with robust defenses:
- Endpoint Detection and Response: Deploy EDR solutions with behavioral analytics to detect anomalous process injections and lateral movement.
- Network Segmentation: Isolate critical assets using micro-segmentation and zero-trust access controls.
- Multi-Factor Authentication: Enforce MFA on all remote access and privileged accounts to mitigate credential reuse attacks.
- Threat Hunting: Proactively search logs for indicators of compromise, such as periodic Cobalt Strike beacon callbacks or unexpected RClone executions and uploads.
- Data Backup and Recovery: Maintain offline, immutable backups and regularly test restoration workflows.
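The threat-hunting item above names two indicators, beacon callbacks and RClone traffic, that can be checked mechanically. As an added example (not code from the article, from Sophos, or from either group), the following Python script runs that check over two constructed log sources: a proxy log, where it groups requests by source and destination and flags pairs whose inter-request gaps are nearly constant (Cobalt Strike-style beaconing at a fixed sleep), and a process-creation log, where it flags any rclone.exe execution and extracts the remote it uploads to. The log formats, hosts, IPs, paths, and the thresholds (at least four requests, coefficient of variation of the gaps at or below 0.1) are all assumptions made for this example.

```python
# Added example, not code from the article or from either ransomware operation.
# A small threat-hunting pass over two constructed log sources, flagging the two
# indicators the mitigation list names: periodic HTTPS callbacks that resemble
# Cobalt Strike-style beaconing, and an RClone process uploading to cloud storage.
# Log formats, hostnames, IPs, paths and thresholds are all assumptions made here.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<timestamp> <src_ip> <dst_host> <method> <path> <bytes>".
# 10.0.5.23 calls the same host every ~60 s; 10.0.5.40 is ordinary browsing.
PROXY_LOG = """\
2025-03-03T10:00:00Z 10.0.5.23 cdn-update.example.net GET /api/v1/status 1420
2025-03-03T10:01:00Z 10.0.5.23 cdn-update.example.net GET /api/v1/status 1419
2025-03-03T10:02:01Z 10.0.5.23 cdn-update.example.net GET /api/v1/status 1421
2025-03-03T10:03:00Z 10.0.5.23 cdn-update.example.net GET /api/v1/status 1420
2025-03-03T10:04:00Z 10.0.5.23 cdn-update.example.net GET /api/v1/status 1418
2025-03-03T10:00:12Z 10.0.5.40 www.example.com GET / 53211
2025-03-03T10:07:45Z 10.0.5.40 www.example.com GET /news 20122
2025-03-03T10:31:02Z 10.0.5.40 www.example.com GET /about 8112
2025-03-03T11:12:19Z 10.0.5.40 www.example.com GET /contact 4001
"""

# Constructed EDR/process-creation log in an assumed key=value style.
PROCESS_LOG = r"""
2025-03-03T10:15:00Z host=FS01 user=svc_backup image=C:\Windows\Temp\rclone.exe cmdline="rclone.exe copy D:\Finance remote:bucket-7f3a --transfers 16"
2025-03-03T10:16:00Z host=WS22 user=jdoe image=C:\Program Files\7-Zip\7z.exe cmdline="7z.exe a report.zip report.docx"
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
PROC_RE = re.compile(r'^(\S+) host=(\S+) user=(\S+) image=(.+?) cmdline="(.*)"$')
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")   # Windows drive path such as D:\Finance
REMOTE_RE = re.compile(r"^[\w-]+:")      # rclone remote such as remote:bucket


def parse_proxy(log_text):
    """Parse proxy lines into (timestamp, src, dst, method, path, bytes) tuples."""
    rows = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than aborting the hunt
        ts, src, dst, method, path, size = m.groups()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, method, path, int(size)))
    return rows


def find_beacons(rows, min_requests=4, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-request gaps are nearly constant.

    A coefficient of variation (stdev / mean) near zero means the client is
    calling home on a fixed timer, which is how a beacon with a fixed sleep looks.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, *_ in rows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all requests share one timestamp; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "requests": len(times),
                         "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def find_rclone(log_text):
    """Flag rclone executions and pull out the remote they push data to."""
    hits = []
    for line in log_text.splitlines():
        m = PROC_RE.match(line.strip())
        if not m:
            continue
        ts, host, user, image, cmdline = m.groups()
        exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe == "rclone.exe" or "rclone" in cmdline.lower():
            remote = next((t for t in cmdline.split()
                           if REMOTE_RE.match(t) and not DRIVE_RE.match(t)), None)
            hits.append({"ts": ts, "host": host, "user": user, "image": image, "remote": remote})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_proxy(PROXY_LOG)):
        print("possible beacon:", hit)
    for hit in find_rclone(PROCESS_LOG):
        print("rclone execution:", hit)
```

Two caveats a practitioner would apply before alerting on this. Legitimate agents (update checkers, monitoring clients) also poll on fixed timers, so the beacon check needs an allow-list of known polling destinations and a jitter-aware variant for samples that randomize their sleep. RClone is also ordinary backup tooling, so the process check is best baselined against the hosts, accounts, and remotes that are approved to run it; in the constructed sample, a service account running it from C:\Windows\Temp toward an unknown remote is what makes the hit interesting.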
Future Trends in Ransomware Evolution
Analysts predict several developments as RaaS cartels vie for dominance:
- AI-Driven Payloads: Use of machine learning for dynamic encryption schemes and evasion of signature-based antivirus.
- Automated Negotiation Bots: Chatbots negotiating ransom terms in real-time on leak sites.
- Quantum-Resistant Encryption: Early adoption of post-quantum algorithms to thwart future decryption efforts by law enforcement.
- Supply Chain Attacks: Increased targeting of cloud service providers to maximize affiliate reach.
Conclusion
The proxy war between DragonForce and RansomHub highlights the chaotic, profit-driven nature of modern cybercrime. Organizations must strengthen defenses, implement zero-trust principles, and prepare for the growing risk of multi-party extortion.