DragonForce and Anubis ransomware ops use novel models to attract affiliates and boost profits

Despite a series of successful international crackdowns on ransomware operations, cybercriminals continue to evolve. In 2025, researchers from the Secureworks Counter Threat Unit (CTU) observed two ransomware groups—DragonForce and Anubis—introducing new affiliate models designed to attract a broader range of partners and boost profits.

Initially launched in August 2023 as a conventional ransomware-as-a-service (RaaS) operation, DragonForce has steadily gained traction, with 136 victims listed on its leak site by March 24, 2025. On March 19, DragonForce announced in an underground forum post that it was rebranding as a “cartel” and rolling out a distributed affiliate branding model.

The new model allows affiliates to build their own ransomware "brands" while leveraging DragonForce’s infrastructure. Affiliates can choose whether or not to deploy the group’s ransomware, gaining access to a suite of tools including admin and client panels, encryption software, negotiation platforms, and a .onion-based leak site. This flexibility is aimed at both novice cybercriminals lacking technical skills and experienced threat actors looking for customizable options without infrastructure burdens.

However, the shared infrastructure model introduces operational risk: if one affiliate is compromised, the data and identities of others may also be exposed.

Meanwhile, the Anubis group, first advertised in late February 2025, is luring affiliates with a three-tiered extortion system:

  • Traditional RaaS – Standard file encryption model offering 80% of ransom profits to affiliates.

  • Data Ransom – A theft-only model granting affiliates 60% of ransom from data-related extortion.

  • Access Monetization – Helping threat actors monetize existing access for a 50% cut.

In its “data ransom” model, Anubis publishes a confidential “investigative article” analyzing stolen data on a Tor site, allowing victims to review and negotiate payment. If ransom demands are not met, the article is published publicly, and the group escalates pressure through public shaming via an X (formerly Twitter) account. Anubis threatens to notify not only the victim’s customers but also regulatory authorities—tactics first seen in isolated incidents like AlphV/BlackCat’s SEC disclosure.

Secureworks notes that while data-focused extortion is not new, direct exploitation of compliance bodies as an extortion tool was not widely seen in previous ransomware campaigns.

