The DragonForce Cartel: Scattered Spider at the gate
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
DragonForce, a ransomware-as-a-service group active since 2023, has rebranded as a cartel and formed alliances with groups like Scattered Spider, LAPSUS$, and ShinyHunters. The group uses Conti-derived code and employs BYOVD attacks to terminate processes. DragonForce has expanded its affiliate program, allowing partners to white-label payloads and create variants. The group has exposed over 200 victims on its leak site, targeting various sectors. DragonForce's partnership with Scattered Spider, known for sophisticated social engineering techniques, has led to high-profile breaches. The group's ransomware samples show significant overlap with Conti's leaked source files and use ChaCha20 encryption.
OPENCTI LABELS:
affiliate program, mamona, global, devman, dragonforce, conti, byovd, encryption, social engineering, ransomware, scattered spider, cartel
AI COMMENTARY:
1. In early 2023 a previously unknown ransomware-as-a-service collective emerged under the name DragonForce and quickly evolved into a cartel with ambitions far beyond traditional extortion models. The group’s rebranding signaled its intent to establish a global network of affiliates, codenamed mamona and devman among others, that could tap into specialized skills and infrastructure to amplify threat operations. This transformation positioned DragonForce as both a strategic coordinator and an enabler for partners seeking turnkey access to sophisticated ransomware tools and underground marketplaces for compromised data.
2. Central to DragonForce’s expansion has been its affiliate program, which offers a white-label framework allowing partners to customize payloads and build their own ransomware variants. Affiliates receive support in deploying the Conti-derived codebase, instructions on using BYOVD techniques to terminate critical processes in victim environments, and guidance on integrating ChaCha20 for file encryption. By allowing flexible branding and modular payload design, the cartel fosters a competitive ecosystem in which affiliates vie to produce more evasive or destructive ransomware strains.
3. From a technical perspective, DragonForce’s reliance on the leaked Conti source code underscores a shift toward reusing earlier leaks for new operations. The threat actors repurposed key encryption and obfuscation routines while adding process-killing modules that abuse vulnerable signed drivers. Low-level BYOVD attacks not only undermine endpoint detection and response tools but also streamline the encryption workflow by shutting down backup and security services before files are locked. This combination of established techniques with newer additions has yielded a potent toolset for industrial-scale extortion.
4. The cartel’s alliances with high-profile threat groups such as Scattered Spider, LAPSUS$ and ShinyHunters have further intensified its impact. Scattered Spider, renowned for its social engineering prowess in gaming and entertainment sectors, contributes reconnaissance and initial access capabilities. LAPSUS$ affiliates lend expertise in supply-chain disruptions, while ShinyHunters focus on data exfiltration and leak site operations. Together, these coalitions demonstrate how modern ransomware cartels orchestrate multi-vector campaigns that combine social engineering, credential theft and high-volume data dumps to pressure victims into paying ransoms.
5. Since announcing its cartel structure, DragonForce has publicly exposed over 200 victims across healthcare, manufacturing, finance and government organizations. The leak site’s public-shaming strategy intensifies reputational damage, often prompting rapid payouts and fueling media coverage that reinforces the group’s fearsome brand. Observed compromises show attackers employing a mixture of phishing, remote desktop exploitation and virtualization escape exploits, followed by lateral movement and the deployment of customized ransomware payloads that carry a unique logo and ransom note for each affiliate.
6. For defenders and threat intelligence practitioners, the rise of DragonForce underscores the importance of proactive detection and rapid incident response. Monitoring for indicators tied to BYOVD driver loads, unusual ChaCha20 encryption calls and known command-and-control infrastructure can help identify compromises early. Organizations should harden authentication mechanisms to thwart Scattered Spider’s social engineering, maintain regular backups kept offline and isolated from domain controllers, and run threat hunting exercises focused on emerging affiliate-specific payload signatures.
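The driver-load indicator named in paragraph 6 is the one a SOC can act on most directly, because a BYOVD payload must get its vulnerable driver loaded by the kernel, which Sysmon records as Event ID 6 (Driver loaded). The ChaCha20 routine, by contrast, is compiled into the payload and is not an OS-observable call. The following is an added example, not code from the OpenCTI report or from any of the groups it describes: it parses a constructed, flattened rendering of Sysmon Event ID 6 records and flags loads whose hash matches a local blocklist, whose signature is missing or invalid, or which come from a directory where drivers are not normally installed. The hashes, paths and vendor names are placeholders; a real deployment would populate the blocklist from a maintained vulnerable-driver list and, where possible, enforce Microsoft’s vulnerable driver blocklist through HVCI or WDAC so the load is refused rather than merely logged.

```python
"""Flag suspicious kernel driver loads from Sysmon Event ID 6 records.

Added defender-side example. All hashes, paths and vendor strings below are
constructed placeholders, not real indicators.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed SHA-256 placeholders (NOT real driver hashes).
PLACEHOLDER_BENIGN = "a" * 64
PLACEHOLDER_BLOCKLISTED = "b" * 64
PLACEHOLDER_UNKNOWN = "c" * 64

# Local blocklist; operationally this is fed from a maintained vulnerable-driver list.
KNOWN_VULNERABLE_SHA256 = {
    PLACEHOLDER_BLOCKLISTED: "placeholder-vulnerable-driver",
}

# Directories from which legitimately installed drivers are expected to load.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed Sysmon records flattened to key=value pairs separated by '|',
# the way a SIEM forwarder might render them. The Hashes value keeps Sysmon's
# own 'ALGO=hex,ALGO=hex' sub-format.
SAMPLE_EVENTS = [
    # Microsoft-signed driver from the standard directory: expected, no finding.
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\goodexample.sys"
    f"|Hashes=SHA256={PLACEHOLDER_BENIGN}|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    # Validly signed driver whose hash is on the blocklist, dropped into a user-writable path.
    "EventID=6|ImageLoaded=C:\\Users\\Public\\updater.sys"
    f"|Hashes=SHA256={PLACEHOLDER_BLOCKLISTED}|Signed=true|Signature=Example Vendor Ltd|SignatureStatus=Valid",
    # Unrelated process-creation event; must be ignored by the driver-load rule.
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|User=CONTOSO\\alice",
    # Unknown but validly signed driver loaded from an unusual directory.
    "EventID=6|ImageLoaded=C:\\ProgramData\\tool\\helper.sys"
    f"|Hashes=SHA256={PLACEHOLDER_UNKNOWN}|Signed=true|Signature=Example Vendor Ltd|SignatureStatus=Valid",
    # Unsigned driver in the standard directory.
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\custom.sys"
    f"|Hashes=SHA256={PLACEHOLDER_UNKNOWN}|Signed=false|Signature=-|SignatureStatus=Unavailable",
]


@dataclass
class Finding:
    image: str
    severity: str
    reasons: list


def parse_event(line: str) -> dict:
    """Parse one flattened record; the Hashes field is split into a per-algorithm dict."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)   # first '=' only, so 'Hashes=SHA256=...' survives
        fields[key.strip()] = value.strip()
    hashes = {}
    for item in fields.get("Hashes", "").split(","):
        if "=" in item:
            algo, digest = item.split("=", 1)
            hashes[algo.strip().upper()] = digest.strip().lower()
    fields["_hashes"] = hashes
    return fields


def assess_driver_load(event: dict) -> Optional[Finding]:
    """Apply the three driver-load rules; return None for events that raise no concern."""
    if event.get("EventID") != "6":
        return None
    image = event.get("ImageLoaded", "")
    reasons = []
    severity = "info"
    sha256 = event["_hashes"].get("SHA256")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append(f"hash matches blocklist entry {KNOWN_VULNERABLE_SHA256[sha256]}")
        severity = "high"
    # A BYOVD driver is usually validly signed, so this rule catches a different class
    # of abuse (unsigned or tampered drivers) and must not be the only check.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver is unsigned or its signature is not valid")
        severity = "high"
    if not image.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from unexpected path {image}")
        if severity == "info":
            severity = "medium"
    return Finding(image=image, severity=severity, reasons=reasons) if reasons else None


def scan(lines) -> list:
    """Run the rules over a sequence of flattened records and collect findings in order."""
    findings = []
    for line in lines:
        finding = assess_driver_load(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.image}: " + "; ".join(f.reasons))
```

The ordering of the rules matters: the blocklist and load-path checks carry the weight against BYOVD, because the abused driver is a genuine vendor-signed binary and passes the signature check by design. Treat the path heuristic as a triage signal rather than a verdict, since some legitimate installers do stage drivers outside System32 before registering them.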
7. The DragonForce cartel exemplifies how ransomware operations have matured into multi-faceted criminal enterprises that blend code reuse, alliance building and affiliate incentives to maximize profit and impact. As the cartel continues to adapt and recruit new partners, collaboration among public and private sector defenders will be vital to track evolving techniques and disrupt the ransomware supply chain before the next wave of global extortion campaigns takes hold.