The DragonForce Cartel: Scattered Spider at the Gate

DragonForce is a ransomware-as-a-service (RaaS) group that emerged in 2023 from leaked Conti v3 source code and rebranded as a “cartel” in early 2025, offering affiliates an 80% share of ransom payments, customizable encryptors and shared infrastructure. That model has spawned white-label variants such as Devman and Mamona/Global, and the group has defaced rivals such as BlackLock and attempted to take over RansomHub to assert dominance. More than 200 victims across retail, airlines, insurance and MSPs have been posted to its leak site since late 2023, including high-profile attacks on Marks & Spencer and Harrods.

Technically, DragonForce pairs its encryptor with bring-your-own-vulnerable-driver (BYOVD) attacks: it loads the legitimately signed but vulnerable drivers truesight.sys and rentdrv2.sys and uses them to terminate EDR processes from kernel mode, which a user-mode payload could not do on its own. It also quickly patched encryption flaws that an Akira analysis published on Habr had exposed. Built with MinGW so that the Windows, Linux and ESXi payloads share one code base, the malware retains Conti's hybrid ChaCha20/RSA scheme (per-file ChaCha20 keys wrapped with the operator's RSA public key), encrypted configuration blobs and network enumeration, while affiliates use the builder to produce branded payloads.

Anatomy of DragonForce: Execution chain aligned with MITRE ATT&CK tactics (Image Credit: Acronis)

Scattered Spider, which specializes in phishing and SIM swapping, partners with DragonForce for initial access: it deploys RMM tools such as AnyDesk for persistence, enumerates Active Directory and backup infrastructure, and exfiltrates data to MEGA or Amazon S3 before the ransomware is deployed. The alliance extends to LAPSUS$ and ShinyHunters in the “Scattered LAPSUS$ Hunters” collective within the “Hacker Com” ecosystem, signaling a shift from rivalry to collaborative cartels that complicates attribution and amplifies the global threat.
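The detection side of the chain described in the two paragraphs above, as an added example that is not part of the original post or of any Acronis product: a small Python detector that walks constructed Sysmon-style event lines (driver loads, process creations, network connections), flags the three stages the post names (loads of truesight.sys or rentdrv2.sys, launch of AnyDesk, connections to MEGA or S3) and then correlates them per host. The key="value" log format, the hostnames, paths and rule names are assumptions made for this example; a real Sysmon export is XML/EVTX and needs a different parser, and the AnyDesk rule must be scoped to hosts where the tool is not approved.

```python
"""Toy detector for the DragonForce / Scattered Spider chain.

Added example, not vendor or threat-actor code. Event lines are
constructed in a simplified key="value" layout that borrows Sysmon
event IDs: 1 = process create, 3 = network connection, 6 = driver load.
"""
import re
from dataclasses import dataclass

# Drivers the post names as BYOVD payloads. Match on base filename only:
# the attacker chooses the drop path, and the drivers are validly signed,
# so a signature check alone will not catch them.
BYOVD_DRIVERS = {"truesight.sys", "rentdrv2.sys"}

# RMM tool the post names. Extend with whatever is unapproved in your estate.
RMM_BINARIES = {"anydesk.exe"}

# Exfiltration destinations the post names (MEGA, Amazon S3). Suffix match.
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz", "s3.amazonaws.com")

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def parse(line):
    """Turn one key="value" line into a dict (assumed layout, see docstring)."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    """Last path component, lower-cased, tolerating both slash styles."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_driver_load(ev):
    if ev.get("EventID") != "6":
        return None
    name = basename(ev.get("ImageLoaded", ""))
    if name in BYOVD_DRIVERS:
        return Alert("byovd_driver_load", ev["Computer"], ev["ImageLoaded"])
    return None


def check_rmm_process(ev):
    if ev.get("EventID") != "1":
        return None
    if basename(ev.get("Image", "")) in RMM_BINARIES:
        return Alert("rmm_tool_launch", ev["Computer"], ev.get("CommandLine", ""))
    return None


def check_exfil_connection(ev):
    if ev.get("EventID") != "3":
        return None
    host = ev.get("DestinationHostname", "").lower()
    if any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS):
        return Alert("exfil_destination", ev["Computer"], host)
    return None


RULES = (check_driver_load, check_rmm_process, check_exfil_connection)


def detect(lines):
    """Run every rule over every event; return alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse(line)
        for rule in RULES:
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


def correlate(alerts):
    """Hosts showing two or more distinct stages of the chain (RMM access,
    EDR kill via BYOVD, exfil) are escalated; a lone AnyDesk launch is not."""
    stages_by_host = {}
    for a in alerts:
        stages_by_host.setdefault(a.host, set()).add(a.rule)
    return {h: s for h, s in stages_by_host.items() if len(s) >= 2}


# Constructed sample events: one compromised workstation showing the full
# chain, plus a server with benign driver and process activity.
SAMPLE_EVENTS = [
    r'EventID="1" Computer="WS-042" Image="C:\Users\jdoe\Downloads\AnyDesk.exe" CommandLine="AnyDesk.exe --install"',
    r'EventID="3" Computer="WS-042" Image="C:\Users\jdoe\Downloads\AnyDesk.exe" DestinationHostname="relay.anydesk.com" DestinationPort="443"',
    r'EventID="6" Computer="WS-042" ImageLoaded="C:\Windows\Temp\truesight.sys" Signed="true"',
    r'EventID="3" Computer="WS-042" Image="C:\Tools\rclone.exe" DestinationHostname="g.api.mega.co.nz" DestinationPort="443"',
    r'EventID="6" Computer="SRV-DB01" ImageLoaded="C:\Windows\System32\drivers\ndis.sys" Signed="true"',
    r'EventID="1" Computer="SRV-DB01" Image="C:\Program Files\7-Zip\7z.exe" CommandLine="7z.exe a backup.7z D:\backups"',
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host}: {a.rule} ({a.detail})")
    print("escalate:", correlate(found))
```

The order of the three stages matters for response: the driver load is the point of no return, because once EDR is dead the encryptor follows quickly, so an `rmm_tool_launch` alert on a host that never uses AnyDesk deserves isolation before the second stage appears rather than after correlation fires.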

Detected by Acronis (Image Credit: Acronis)

Acronis reports detecting these evolving strains. Organizations should prioritize phishing-resistant MFA (SMS-based codes are exactly what the SIM swapping described above defeats), blocking or at least alerting on known vulnerable drivers (Microsoft's vulnerable driver blocklist and WDAC/HVCI policies exist for this class of driver), and rapid incident response to counter this persistent Conti successor.
