Secureworks Counter Threat Unit (CTU) researchers have identified significant evolutions in the business models of two notorious ransomware operations: DragonForce and Anubis.
Despite the global crackdown on cybercrime by law enforcement agencies, these ransomware groups have demonstrated remarkable adaptability by rolling out sophisticated affiliate programs designed to broaden their reach and maximize profits.
DragonForce Adopts Distributed Affiliate Branding Model
DragonForce, which debuted as a traditional ransomware-as-a-service (RaaS) operation in August 2023, has taken a novel approach to affiliate engagement.
Following increased activity on underground forums in early 2024, the group saw a marked rise in victim disclosures, with numbers climbing to 136 by late March 2025.
On March 19, 2025, DragonForce announced its rebranding as a “cartel” and revealed a distributed model enabling affiliates to create their own distinct brands.
In this updated program, DragonForce supplies the technical infrastructure including administration and client panels, encryption and ransom negotiation tools, a file storage system, a Tor-based leak site, and full support services while granting affiliates the flexibility to deploy either the DragonForce ransomware or their own malware of choice.
This evolution marks a notable departure from conventional RaaS schemes.
The model is tailored to attract a wider spectrum of cybercriminals, including those with limited technical prowess who benefit from an established backend as well as skilled actors seeking infrastructure support without the burden of building and maintaining their own systems.
By lowering operational barriers and expanding the affiliate base, DragonForce enhances its potential for financial gain.
However, this shared environment is not without risk; operational compromise of one affiliate could jeopardize the security and anonymity of others, amplifying exposure for the group as a whole.
Anubis Offers Multi-Tiered Extortion Tactics
Meanwhile, the Anubis ransomware group has adopted a three-pronged affiliate model, first publicized on underground forums in February 2025.
Affiliates may choose among three distinct approaches: a classic RaaS model with 80% ransom commission, a data-theft-only “data ransom” option where affiliates collect 60% of the proceeds, and an “accesses monetization” service offering a 50% share for assisting in post-compromise extortion.
The “data ransom” variant introduces an innovative mechanism that leverages investigative articles analyzing stolen sensitive data, posted to password-protected Tor sites.
Victims receive access to these reports and an avenue for negotiation; failure to comply results in public exposure on the Anubis leak site and additional pressure via social media.
Notably, the group has escalated extortion tactics by threatening to notify not only the victims’ customers but also regulatory authorities such as the UK Information Commissioner’s Office, the U.S.
Department of Health and Human Services, and the European Data Protection Board, marking a significant intensification of coercive leverage.
Anubis’s “accesses monetization” service targets threat actors who already possess victim access, providing data analysis tools to increase ransom negotiation pressure.
The group’s affiliate guidelines, while excluding educational institutions, government, and non-profits, do not specifically spare healthcare organizations, which are particularly susceptible due to regulatory constraints and the value of sensitive data.
According to SecureWorks Report, the ongoing innovations from DragonForce and Anubis underscore the adaptive strategies of ransomware syndicates in the face of escalating law enforcement measures.
By adopting flexible, multi-faceted affiliate models and heightened extortion techniques, these groups are not only broadening their appeal within the cybercriminal ecosystem but are also amplifying the complexity of the threat landscape for victims and defenders alike.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
