DRAGONFORCE , a ransomware-as-a-service outfit that first surfaced in 2023, is described as drawing heavily from the organised crime playbook by creating a cartel and seeking mafia-style territorial organisation within the ransomware ecosystem. The analysis by LevelBlue shows the group has shifted to a model where affiliates can create their own brands while operating under a cartel umbrella, with access to resources such as petabytes of storage, 24/7 server monitoring, and decryption services.
LevelBlue notes features aimed at intelligence-driven extortion, including data analysis, tailored messaging, and negotiation guidance to maximise ransom outcomes. The article also highlights an automated signup system that lowers barriers for new affiliates, and cites at least 250 victims as of July 2025, according to Check Point Research.
As the cartel proposes cooperation between major operations to stabilise the ransomware market, defenders face a model that enables resource sharing, standardised tactics, and cross-group influence across victims in multiple sectors and regions. DragonForce has even compelled rivals to gaslight affiliates and has been accused of colluding with Russia’s FSB, claims the report mentions.
DragonForce’s cartel model, according to the LevelBlue researchers, could complicate defence and response for enterprise security teams. According to LevelBlue, the threat landscape is shifting toward coordination and extended networks of affiliates rather than standalone attacks.