The ransomware scene is re-organizing, with one gang known as DragonForce working to gather other operations under a cartel-like structure.
DragonForce is now incentivizing ransomware actors with a distributed affiliate branding model, providing other ransomware-as-a-service (RaaS) operations a means to carry out their business without dealing with infrastructure maintenance cost and effort.
A representative of the group told BleepingComputer that they’re purely financially motivated but also follow a moral compass and are against attacking certain healthcare organizations.
Typically, a RaaS operation has its own affiliates or partners, and the ransomware developer provides the file-encrypting malware and the infrastructure.
Affiliates would build a variant of the encrypting package, breach victim networks, and deploy the ransomware. They would also manage the decryption keys and usually negotiate with the victim for a ransom payment.
The developer also maintains a so-called data leak site (DLS) where they publish information stolen from victims who did not pay the attacker.
In exchange for the use of their malware and infrastructure, the developer charges affiliates a fee that is normally up to 30% of the received ransoms.
The DragonForce ransomware business
DragonForce now calls itself a “ransomware cartel” and takes 20% of the paid ransoms.
Under its model, affiliates get access to the infrastructure (negotiation tools, storage for stolen data, malware administration), and use the DragonForce encryptor under their own branding.
The group announced the “new direction” in March, saying that affiliates can create their “own brand under the auspices of an already proven partner.”
According to the group's post (source: Secureworks), DragonForce aims to manage “unlimited brands” that can target ESXi, NAS, BSD, and Windows systems.
DragonForce told BleepingComputer that their structure is that of a marketplace, where affiliates can choose to deploy attacks under the DragonForce brand or a different one.
Basically, groups of threat actors can use the service and white-label it under their own name, so that they appear to be their own brand.
In return, they don’t have to deal with the headache of running data leak and negotiation sites, developing malware, or handling negotiations.
There are rules to abide by, though, and affiliates will be kicked out at the first misstep. “We are honest partners who respect the rules,” the DragonForce representative told us.
“They have to follow the rules, and we can control that because everything we run is on our servers, otherwise it wouldn't make sense,” DragonForce says.
Those rules, however, are available only to threat actors embracing the newly proposed ransomware business model.
When asked if hospitals or healthcare organizations are off limits, DragonForce said that it all depends on the type of hospital, and showed what could be described as empathy.
“We don't attack cancer patients or anything heart related, we'd rather send them money and help them. We're here for business and money, I didn't come here to kill people, and neither did my partners,” the threat actor told BleepingComputer.
Researchers at cybersecurity company Secureworks say that DragonForce’s model may appeal to a wider range of affiliates and attract less technical threat actors.
“Even sophisticated threat actors may appreciate the flexibility that allows them to deploy their own malware without creating and maintaining their own infrastructure” - Secureworks
By increasing the affiliate base, DragonForce could look at larger profits driven by the flexibility of its proposed model.
It is unclear how many ransomware affiliates have contacted the DragonForce cartel about the new service model, but the threat actor said that the member list includes well-known gangs.
"I can't tell you the exact number, but we have players who come to us that you often write about and want to cooperate with us," DragonForce told BleepingComputer.
One new ransomware gang called RansomBay has already subscribed to DragonForce's model.