Cybercriminal Landscape Shifting as DragonForce Targets RansomHub Affiliates
The hacking group DragonForce is reportedly targeting affiliates of RansomHub, a move that raises concerns about stability within the ransomware ecosystem. Genevieve Stark, head of cybercrime analysis at Google Threat Intelligence Group, indicated that this strategy might be aimed at attracting members from RansomHub, while also hinting that DragonForce is linked to assaults on rival groups, including BlackLock and Mamona.
The implications of such internal conflicts among cybercriminal organizations are significant: Stark emphasized that heightened instability could result in an uptick in cyberattacks. “The instability within the extortion ecosystem can have serious implications for ransomware and data theft extortion victims,” she said. This environment raises the stakes for businesses as they navigate threats from multiple adversaries who can exploit weaknesses in a compromised target.
While double extortion scenarios are relatively infrequent, the UnitedHealth Group case from the previous year serves as a stark reminder of their potential reality. In this incident, RansomHub faced a second round of extortion initiated by the hacker group Notchy, which had previously left RansomHub’s original partner in the lurch after absconding with a $22 million ransom payment. Cybersecurity experts suggest that multiple extortion attempts are becoming increasingly common, though follow-up efforts often stem from opportunistic behaviors rather than credible claims.
As Rafe Pilling, director of threat intelligence at Sophos, noted, the rivalry between DragonForce and RansomHub could culminate in both groups targeting the same organization simultaneously, risking a scenario where a victim is subjected to extortion multiple times. This highlights the inherently cutthroat nature of cybercrime, where betrayal among partners can transform a single attack into a dual threat.
Globally, the cost of cybercrime is projected to hit $10 trillion by 2025, reflecting a significant rise from $3 trillion just a decade ago. This alarming trend is due in part to the aggressive strategies employed by hacking collectives striving to maximize their financial gain through various forms of cyberattacks.
Both DragonForce and RansomHub have quickly escalated their presence on the cyber landscape; DragonForce first surfaced in August 2023, reporting 82 victims on its dark-web site within a year, while RansomHub, also emerging in 2023, documented around 500 victims in 2024, as indicated by the cybersecurity firm Group-IB.
The volatility inherent in this environment places additional stress on corporate defense and response strategies, according to Jake Moore, global cybersecurity adviser at ESET. He stressed that the lack of established norms in this lawless cyber territory amplifies vulnerabilities for organizations seeking to protect themselves against such threats.
In light of these unfolding events, business owners should be acutely aware of the tactics and techniques that might be deployed in similar attacks. Potential MITRE ATT&CK framework tactics—such as initial access, exploitation of vulnerabilities, and persistence—could all play a role in how these groups execute their strategies. Awareness of these tactics can help organizations bolster their preparedness and response capabilities as cybercriminals continue to evolve and adapt their methods.
As the cyber threat landscape grows ever more complex, it is crucial for business leaders to remain vigilant and informed regarding the dynamics and risks present in the ransomware ecosystem. The current state of play not only emphasizes the need for robust cybersecurity measures but also highlights the unpredictability that organizations must navigate in order to stay secure.