In the coming weeks and months, the global cybercrime landscape may undergo a significant transformation, as ransomware gangs increasingly move toward a cartel-like model of operation. Rather than competing aggressively with one another, several groups are now seeking cooperation and coordination to strengthen their attacks, reduce internal rivalry, and ensure long-term survival within the underground economy. This smart shift mirrors the structure of traditional organized crime syndicates, where collaboration often outweighs competition.
One ransomware group at the center of this evolution is DragonForce, which first emerged on the cybercrime scene in 2023. Initially known as a conventional ransomware operator, DragonForce now appears to be repositioning itself as a highly organized criminal enterprise. By leveraging what can be described as “muscle power” in cyberspace—intimidation, coercion, and strategic alliances—the group is attempting to consolidate influence and gain momentum within the ransomware ecosystem.
Research conducted by LevelBlue, a Texas-based cybersecurity firm, indicates that DragonForce is actively recruiting newcomers into cybercrime by offering extensive infrastructure and operational support. Rather than acting solely as a ransomware gang, DragonForce is promoting itself as a service provider and coordinator, encouraging aspiring criminals to join as affiliates or partners. This approach lowers the technical barrier to entry for new actors while expanding DragonForce’s reach and profitability.
Affiliates are reportedly allowed to operate independently, with the freedom to develop and deploy ransomware variants under their own branding. In exchange, they must share a portion of their ransom earnings with DragonForce. The group, in turn, provides access to petabytes of data storage, server monitoring capabilities, file analysis and decryption services, and dedicated testing environments for launching attacks. This model closely resembles legitimate “ransomware-as-a-service” operations, but on a far more aggressive and centralized scale.
DragonForce has also advertised additional services on dark web forums, including exclusive data audit offerings. These services allow affiliates to assess the financial value of stolen data before launching double-extortion attacks, where victims are threatened not only with data encryption but also with public data leaks. By helping criminals accurately estimate the market value of stolen information, DragonForce increases the efficiency and potential profitability of these attacks.
Recent intelligence suggests that DragonForce has secured a prominent position within the ransomware ecosystem, ranking just behind major groups such as Akira and Qilin. This assessment aligns with findings published in a July 2025 report by Check Point Research. Beyond technical capabilities, DragonForce has allegedly engaged in aggressive tactics against rivals, including defacing competitors’ websites and attempting to lure their members away. Such behavior has earned the group a reputation for being both dominant and cannibalistic.
These actions have led some observers to label DragonForce the “Godfather” of ransomware gangs. The title gained further attention after a rival group, RansomHub, publicly accused DragonForce of collaborating with Russia’s Federal Security Service (FSB) to suppress competition in the ransomware market—an allegation that underscores the murky intersection between cybercrime and geopolitics.
As ransomware continues to evolve into a coordinated criminal enterprise, the urgency for international law enforcement cooperation has never been greater. Agencies across the United States, the United Kingdom, Italy, Germany, and Australia must work collectively to dismantle these emerging cybercrime cartels. Without decisive action, today’s “Godfathers” of ransomware may only be the beginning of a far more entrenched and dangerous digital underworld.
Join our LinkedIn group Information Security Community!
