category Threat Intel
published March 26, 2026
read_time 22 min
author NoHacky

The Ransomware Cartel Model: How Cybercrime Industrialized in 2025

On March 19, 2025, a ransomware group called DragonForce posted an announcement on underground forums declaring it was no longer a Ransomware-as-a-Service operation. It was now a cartel. That single rebranding changed the architecture of criminal ransomware infrastructure — and made the entire ecosystem harder to disrupt.

For years, the ransomware playbook followed a predictable structure. A core development team built and maintained the malware. Affiliates paid to use it, ran their own intrusions, handed over a cut of each ransom, and operated under the parent group's brand. Law enforcement targeted the brand. Take down the infrastructure, seize the domains, arrest a developer, and you might knock out dozens of affiliates in a single operation.

The cartel model breaks that logic entirely.

Under the cartel structure pioneered by DragonForce, affiliates no longer operate under a shared brand. They bring their own branding, their own malware if they choose, and their own targets. The cartel provides the plumbing — infrastructure, leak sites, negotiation panels, encryption tooling, data analysis services — while remaining effectively invisible to the victim and largely disconnected from the attack itself. Law enforcement now faces a far more distributed target with no clean central node to sever.

This is the story of how that model emerged, why it worked, what it has done to the ransomware landscape, and what it means for defenders heading into 2026.

The Collapse That Made the Cartel Possible

To understand why the cartel model gained traction so quickly, you need to understand the context it emerged from. By early 2025, the ransomware ecosystem was in crisis — not because attacks were slowing down, but because the major brands were collapsing faster than affiliates could find new homes.

Operation Cronos in February 2024 had devastated LockBit. The operation seized infrastructure, exposed internal affiliate data, and forced the group into a sustained operational limp. LockBit spent most of 2024 and early 2025 posting recycled victim data and making comeback claims that failed to materialize. Its final blow came in May 2025 when its own infrastructure was breached — internal chat logs, Bitcoin wallet addresses, affiliate details, and encryption keys were publicly dumped.

ALPHV/BlackCat had already imploded in an exit scam in early 2024, vanishing after collecting a $22 million ransom from Change Healthcare and disappearing before paying out its own affiliates. That betrayal sent shockwaves through the underground ecosystem and eroded the trust between operators and the affiliates who depended on them.

RansomHub filled the vacuum left by LockBit's decline, quickly becoming the dominant RaaS operation of 2024 and the first quarter of 2025. Then, in early April 2025, it went dark too. Its infrastructure dropped offline, affiliates were left mid-negotiation with victims, and claims of an exit scam began circulating on RAMP, the primary underground forum where ransomware operators recruit and communicate.

88 active groups tracked (H1 2025)
45 new groups observed (all of 2025)
535 average victims per month (Q2–Q3 2025)
25–27% global payment rate (historic low)

The result was a massive pool of displaced, capable affiliates — intrusion specialists with victim access already in hand, negotiation experience, and no platform to work from. They couldn't simply pause. They had networks already compromised, deadlines ticking on active negotiations, and money on the table that evaporated the moment their platform went offline.

DragonForce had its announcement ready.

What "Cartel" Actually Means

The word cartel is doing specific work here. It is not just branding. DragonForce chose it deliberately to signal a structural shift in how ransomware operations are organized, and the distinction matters for anyone trying to understand or disrupt these groups.

In a traditional RaaS model, the operator sits at the center. Affiliates deploy the operator's malware, under the operator's brand, using the operator's leak site and negotiation infrastructure. The brand is the product. When the brand collapses — as LockBit's did — the affiliates scatter.

The cartel model inverts that structure. The operator moves to the background. Affiliates are encouraged to create their own brands, run their own campaigns, and choose their own targets. The cartel provides what it calls white-label infrastructure: ransomware builders, encryption and decryption tooling, leak site hosting on .onion domains, negotiation panels, victim management dashboards, file storage, and support services. Affiliates plug into this backend while appearing to victims, researchers, and law enforcement as completely independent operations.

Traditional RaaS vs. Cartel Model — Structural Comparison

Traditional RaaS:
  Operator / Developer
    ↓ brand + malware + infrastructure
  Affiliate Pool
    ↓ deploys under operator brand
  Victim
  Takedown operator → affiliates scatter

Cartel Model:
  Cartel Infrastructure (invisible)
    ↓ white-label backend
  Brand A / Brand B / Brand C
    ↓ independent campaigns
  Victims (across sectors)
  Takedown one brand → others continue unaffected

DragonForce's March 19, 2025 announcement described the cartel as a coalition where affiliates could "branch out from the DragonForce brand to build their own, while still using the group's tools and resources." The advertised feature set read like a SaaS product catalog: management and customer panels, encryption and ransom negotiation tooling, a file storage system, a Tor-based leak site with its own .onion domain, and ongoing technical support.

The revenue split matched that ambition. DragonForce claimed to retain only 20% of ransom payments, leaving 80% to affiliates — more favorable than many traditional RaaS operations. For a displaced LockBit or RansomHub affiliate sitting on active victim access, the incentive structure was obvious.

structural note

The 80/20 split DragonForce advertised is not just generous — it is a market signal. When payment rates across the ecosystem hit historic lows of 25–27%, operators have to compete harder for the affiliates who can actually close deals. The cartel model is partly a response to affiliates having more leverage than ever before.

DragonForce: From RaaS to Cartel

DragonForce's evolution is worth tracing carefully because it illustrates how quickly a ransomware group can restructure when conditions favor it.

The group first appeared in August 2023 as a conventional RaaS outfit. Its initial technical variants derived from the leaked LockBit 3.0 codebase — a common shortcut after LockBit's builder leaked publicly — with ContiV3-based variants following in 2024. By March 2025, the group had claimed 136 victims on its leak site, a figure that looks modest against what came next.

The cartel announcement was followed almost immediately by an opportunistic campaign to absorb the affiliates stranded by RansomHub's collapse in April. DragonForce published a statement on its leak site claiming RansomHub had "decided to move to our infrastructure" — a characterization that RansomHub's remaining spokesperson, known as koley, aggressively disputed, calling the move a hostile takeover and accusing DragonForce of collaborating with Russian law enforcement.

The conflict produced one of the more dramatic episodes in ransomware ecosystem history. DragonForce defaced the RansomHub leak site, displaying a "RansomHub R.I.P. 03/03/2025" message. Koley retaliated by defacing the DragonForce site, forcing a temporary suspension of new affiliate recruitment. By summer, DragonForce had resumed operations and was posting victims at a rate that represented a 212.5% spike compared to earlier months.

"What sets DragonForce apart is also its strategic emphasis on branding and visibility." — Check Point Research, Q2 2025 Ransomware Report

The group's aggression extended beyond RansomHub. DragonForce carried out targeted attacks on the leak sites of BlackLock and Mamona, affixing its own branding. It integrated its logo into the RAMP forum's visual identity — a forum-level endorsement that signaled dominance within the underground recruitment marketplace. In September 2025, it announced a "coalition" with Qilin and LockBit on underground forums, though researchers noted these alliances appeared more symbolic than operationally verified.

By mid-2025, Check Point Research tracked over 250 published victims on the DragonForce leak site. The addition of a "data audit" service in late 2025 extended the offering further: affiliates with datasets over 300 GB from companies with annual revenues above $15 million could submit stolen data for professional analysis, receiving a customized extortion letter highlighting the commercially sensitive material within it. The cartel had effectively built an extortion consulting arm.

The Broader Ecosystem: Fragmentation Meets Centralization

DragonForce did not invent the structural problem it was responding to — it identified it and built a product around it. Across 2025, the ransomware ecosystem was simultaneously fragmenting and trying to reconsolidate, producing an environment that was harder than ever to track.

By Q3 2025, Check Point Research recorded 85 active ransomware and extortion groups — a record high. The ten most active groups accounted for just 56% of all data leak site postings, down from 71% in Q1. What was once a concentrated market dominated by a few large-scale RaaS operations had splintered into dozens of smaller, often short-lived crews operating with recycled codebases and no particular loyalty to any platform.

Group | 2025 Status | Model | Notable Development
LockBit | Disrupted → returned (v5.0) | RaaS | Returned September 2025 with cross-platform payloads for Windows, Linux, ESXi
RansomHub | Collapsed April 2025 | RaaS | Affiliates migrated to Qilin and DragonForce; exit scam claims circulated on RAMP
Qilin | Top actor Q2–Q3 2025 | RaaS (85% split) | Absorbed RansomHub affiliates; nearly doubled monthly victim volume
DragonForce | Cartel model (Mar 2025) | White-label cartel | Pioneered affiliate brand autonomy; 250+ victims by mid-year
Akira | Active throughout 2025 | RaaS | ~$244M in claimed proceeds as of late September 2025
8Base / BianLian / Cactus | Dark or splintered | RaaS | Law enforcement pressure; affiliates scattered into smaller independent crews

Google's Mandiant reported that REDBIKE was the most prominent ransomware seen in its 2025 incident response investigations, appearing in nearly 30% of cases. Qilin became the dominant group by victim count in Q2 and Q3 after absorbing displaced RansomHub affiliates, nearly doubling its monthly activity. LockBit, widely declared dead after Operation Cronos, returned in September 2025 as LockBit 5.0 with new cross-platform payloads and enhanced defense evasion using XChaCha20 and Curve25519 encryption routines.

None of these groups disappeared when pressure was applied. Affiliates simply migrated. Codebases were forked and reused. New brands appeared weekly. The structural reality is that affiliates now operate more like lone wolves — retaining control of victim network access themselves, working with whichever platform offers the best combination of reliability, split, and brand recognition, and switching platforms the moment they sense an exit scam or law enforcement pressure building.

volume signal

Recorded Future tracked 7,200 publicly reported ransomware attacks in 2025 — a 47% increase over 2024's 4,900. That volume increase came alongside a decline in total revenue, confirming more attacks are producing less money per attack. The cartel model is partly a response to this economics problem: if each individual attack is less profitable, you need more affiliates running more attacks simultaneously.

What Anubis Added to the Mix

DragonForce was not the only group innovating in affiliate structures in 2025. Secureworks' Counter Threat Unit documented a parallel evolution at Anubis, which announced its own affiliate model on underground forums in late February 2025.

Where DragonForce focused on brand autonomy and white-label infrastructure, Anubis introduced a three-tier affiliate offering that unbundled the traditional ransomware attack into separate monetizable components. Affiliates could choose from a conventional RaaS track with 80% revenue share; a "data ransom" track that skipped encryption entirely and instead published detailed investigative articles about the victim's stolen data to a password-protected Tor site; or an "accesses monetization" track focused on maximizing ransom leverage through data analysis.

The data ransom option included an escalation path not widely deployed before: if the victim declined to pay, Anubis threatened to file formal regulatory complaints with the UK Information Commissioner's Office and equivalent data protection authorities — essentially weaponizing compliance obligations against the victim. This built on a precedent set in November 2023, when ALPHV/BlackCat reported a victim's breach to the SEC after it refused to pay.

Both models point in the same direction: ransomware is moving toward extortion architectures that do not require encryption at all, and that treat regulatory exposure as a lever.

Why Attribution Broke Down

For years, the primary method defenders and law enforcement used to track ransomware was brand attribution. Identify the malware family, match it to a known RaaS operation, build an IOC set and TTP profile around that group. That approach is no longer adequate.

The cartel model severs the link between brand and infrastructure. An attack that appears to be from "Brand X" may be using DragonForce backend services, LockBit-derived encryption code, initial access purchased from a broker unaffiliated with either group, and exfiltration through infrastructure shared with five other active campaigns. None of the traditional indicators reliably trace back to a single operator.

This is compounded by the recycled codebase problem. After LockBit's builder leaked publicly and Conti's source code was dumped in 2022, dozens of groups began building new "brands" on top of modified versions of those codebases. Matching malware code to a known family now frequently returns a false positive — the malware looks like LockBit because it was built from the same leaked builder, not because the group running it has any operational connection to LockBit.

Bitdefender's 2026 threat predictions noted what it called the "Death of Attribution": when a threat actor and an unrelated developer in a completely different location both prompt an AI model to write the same function, the resulting code looks identical. Human coding fingerprints, which researchers relied on for years to identify specific operators, are disappearing as AI-assisted malware development becomes standard. Attribution at the code level becomes progressively less reliable.

"Tracking brands is no longer enough. Analysts must monitor affiliate mobility, infrastructure overlap, and economic incentives — the underlying forces that sustain ransomware even as its faces fragment." — The Hacker News, November 2025

This also affects law enforcement strategy. Operations like Cronos were effective partly because LockBit was centralized enough to present a coherent infrastructure target. A cartel-model operation with dozens of independently branded affiliates sharing a backend presents a fundamentally different problem. Seizing the backend damages all affiliates simultaneously — but the affiliates remain at large, capable of migrating to a new backend within days.

The Payment Rate Collapse and What Operators Did About It

The cartel model arrived in the same quarter that ransom payment rates hit their lowest recorded level. According to Coveware, the global payment rate dropped to 25–27% in early 2025, down from figures above 40% in prior years. By Q4 2025, mass data-extortion campaigns specifically were seeing payment rates around 20%.

Multiple factors drove this decline: organizations investing in immutable backup infrastructure, incident response retainers, and network segmentation that reduced the operational impact of encryption; growing distrust in attacker promises, with victims finding that paying did not guarantee data deletion or working decryption keys; and policy pressure from governments increasingly discouraging or restricting payments to sanctioned groups.

Ransomware operators responded with several structural adaptations. Qilin began offering affiliates tools to prepare regulatory complaints against victims, contact customers and employees directly, and flood corporate communication channels — multi-pronged pressure that goes well beyond the traditional "pay or we leak" ultimatum. DragonForce introduced its data audit service to increase the leverage value of exfiltrated data for affiliates who might not know which files are genuinely damaging to a specific target.

Recorded Future documented a notable rise in insider recruitment attempts throughout 2025, with ransomware groups increasingly approaching corporate employees as a way to gain initial access without technical exploitation. In one high-profile case, a group attempted to recruit a BBC reporter. Private reporting suggested insider recruitment grew substantially across the year, with workforce reductions at major companies providing a larger pool of potential targets for social engineering.

geographic shift

Recorded Future predicted that 2026 would mark the first year new ransomware actors operating outside Russia outnumber those emerging within it — not a decline in Russian-based operations, but a reflection of how broadly the RaaS and cartel models have been adopted globally. The cartel's white-label infrastructure removes the technical barrier to entry that previously limited serious ransomware to groups with significant development capability.

What Defenders Need to Change

The cartel model has direct operational implications for defenders. Several assumptions that guided incident response and threat intelligence work for years now need updating.

Stop tracking by brand alone

A threat intelligence program that primarily tracks ransomware groups by brand name is now operating with a significant blind spot. The brand an affiliate uses in a given campaign may have no operational continuity with the same brand used six months ago, may share infrastructure with groups operating under five other names, and may be replaced entirely if the affiliate migrates platforms mid-campaign. Focus on TTPs, infrastructure indicators, and affiliate behavior patterns — not group names.
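As an added illustration of tracking by infrastructure overlap rather than by brand (this is example code written for this briefing, not tooling from any vendor or research team quoted above), the script below links incidents that share backend-level indicators and reports which brands each cluster spans. The incident records, brand names, .onion hostnames and IP addresses are constructed placeholders; the choice of which fields count as "backend" (negotiation panel, exfiltration host) is an assumption that would be tuned to your own telemetry. The linking step is a general union-find over any set of indicator fields, so it extends beyond the four constructed records.

```python
"""Cluster ransomware incidents by shared backend infrastructure, not by brand.

Added example, not code from the original briefing. The incident records,
brand names, .onion hostnames and IP addresses below are constructed
placeholders for illustration only.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: the brand claimed in the ransom note plus the indicators
# observed during response. The leak site is brand-specific by design and so is
# NOT used for linking; the negotiation panel and exfil host are backend-level.
INCIDENTS = [
    {"id": "INC-001", "brand": "BrandA", "leak_site": "branda-leaks.onion",
     "negotiation_panel": "panel-1.onion", "exfil_host": "203.0.113.10"},
    {"id": "INC-002", "brand": "BrandB", "leak_site": "brandb-leaks.onion",
     "negotiation_panel": "panel-1.onion", "exfil_host": "203.0.113.11"},
    {"id": "INC-003", "brand": "BrandC", "leak_site": "brandc-leaks.onion",
     "negotiation_panel": "panel-2.onion", "exfil_host": "203.0.113.11"},
    {"id": "INC-004", "brand": "BrandD", "leak_site": "brandd-leaks.onion",
     "negotiation_panel": "panel-9.onion", "exfil_host": "198.51.100.7"},
]

# Fields treated as backend (shared) infrastructure. Assumed for this example;
# extend with C2 hosts, TLS certificate hashes, wallet clusters, etc.
BACKEND_FIELDS: Tuple[str, ...] = ("negotiation_panel", "exfil_host")


def cluster_by_infrastructure(incidents: List[dict],
                              fields: Iterable[str] = BACKEND_FIELDS) -> List[Set[str]]:
    """Union-find over incidents: two incidents are linked when they share any
    indicator value in `fields`. Returns clusters of incident ids, largest first."""
    parent: Dict[str, str] = {inc["id"]: inc["id"] for inc in incidents}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the tree shallow
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen: Dict[Tuple[str, str], str] = {}
    for inc in incidents:
        for field in fields:
            value = inc.get(field)
            if not value:
                continue  # missing indicator: nothing to link on
            key = (field, value)
            if key in first_seen:
                union(first_seen[key], inc["id"])
            else:
                first_seen[key] = inc["id"]

    groups: Dict[str, Set[str]] = defaultdict(set)
    for inc in incidents:
        groups[find(inc["id"])].add(inc["id"])
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))


def summarize_clusters(incidents: List[dict],
                       fields: Iterable[str] = BACKEND_FIELDS) -> List[dict]:
    """For each cluster, report the brands it spans and the indicators that
    actually tie it together (those seen in two or more of its incidents)."""
    by_id = {inc["id"]: inc for inc in incidents}
    fields = tuple(fields)
    summary = []
    for cluster in cluster_by_infrastructure(incidents, fields):
        counts: Dict[Tuple[str, str], int] = defaultdict(int)
        for iid in cluster:
            for field in fields:
                if by_id[iid].get(field):
                    counts[(field, by_id[iid][field])] += 1
        summary.append({
            "incidents": set(cluster),
            "brands": {by_id[iid]["brand"] for iid in cluster},
            "shared_indicators": {k for k, n in counts.items() if n >= 2},
        })
    return summary


if __name__ == "__main__":
    for c in summarize_clusters(INCIDENTS):
        print(sorted(c["incidents"]), sorted(c["brands"]), sorted(c["shared_indicators"]))
```

On the constructed input, three differently branded incidents collapse into one cluster because they share a negotiation panel and an exfiltration host, while the fourth stays separate. Deliberately excluding the brand-specific leak site from the linking fields is the point: indicators that are unique to a brand are exactly the ones that stop meaning anything under the cartel model.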

Assume the encryption phase is not the starting point

The cartel and data-extortion models increasingly decouple data theft from encryption. By the time ransomware is deployed and files are encrypted — the point at which traditional detection fires — the attacker may have been in the network for weeks and the most valuable data may already be off-premises. Detection needs to move earlier: initial access vectors, unusual authentication activity, lateral movement patterns, and large-scale internal data access before any encryption event occurs.

Rebuild third-party risk assumptions

The 2025 campaign pattern consistently exploited the gap between an organization's own security posture and the posture of its vendors. The cartel model is effective here because affiliates can specialize: one handles initial access via a compromised vendor, another handles ransomware deployment through the victim's internal systems. The intrusion chain crosses organizational boundaries that SOCs were not designed to monitor.

Payment refusal needs infrastructure backup

The decline in payment rates reflects genuine progress in organizational resilience. But refusing to pay is only a viable strategy if the operational recovery infrastructure is in place. Immutable backups, tested restore procedures, documented network segmentation, and pre-established incident response relationships are what make "no" a realistic answer. Organizations that plan to refuse payment without those elements in place are making a bet their recovery capabilities may not support.

Insider threat programs cannot be static

The increase in insider recruitment documented throughout 2025 is not noise. Ransomware operators have identified that technical exploitation of external infrastructure is becoming more expensive as organizations patch faster and deploy more capable endpoint detection. Recruiting an employee with existing access removes the entire initial access problem. Physical security for IT infrastructure, verification procedures for on-site technical work, and anomaly monitoring for employee data access patterns all deserve renewed attention as this vector grows.
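The two detection points above, large-scale internal data access before any encryption event and anomaly monitoring of employee data access patterns, reduce to the same check: a per-user baseline of how much data that person normally reads per hour, and an alert when one hour is far above it. The script below is an added example written for this briefing (not a product's detection logic); the log format, the sample lines, and the thresholds (an absolute floor of 1 GiB and a 10x ratio against the user's own median hour) are all constructed assumptions. It also handles the two failure modes a practitioner hits first: malformed log lines, and a user with no history to baseline against.

```python
"""Flag pre-encryption data staging from file-access logs.

Added example, not code from the original briefing. The log format and the
sample lines are constructed; real telemetry (file-server audit logs, EDR file
events, DLP) needs its own parser, but the per-user hourly baseline logic is
the same.
"""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List

# Constructed sample: alice's normal pattern is tens of MB per hour from one
# share during business hours; then, overnight, gigabytes across two shares.
SAMPLE_LOG = """\
2025-06-03T09:12:01Z user=alice host=fs01 action=read bytes=26214400 path=/finance/q2/forecast.xlsx
2025-06-03T09:40:22Z user=alice host=fs01 action=read bytes=26214400 path=/finance/q2/budget.xlsx
2025-06-03T10:05:10Z user=alice host=fs01 action=read bytes=52428800 path=/finance/q2/contracts.pdf
2025-06-03T11:30:00Z user=alice host=fs01 action=read bytes=52428800 path=/finance/q2/board.pptx
2025-06-03T09:15:00Z user=bob host=fs01 action=read bytes=10485760 path=/eng/specs/a.docx
2025-06-03T14:15:00Z user=bob host=fs01 action=read bytes=10485760 path=/eng/specs/b.docx
2025-06-03T14:16:00Z user=bob host=fs01 action=write bytes=10485760 path=/eng/specs/b.docx
this line is malformed and must be skipped
2025-06-04T02:10:00Z user=alice host=fs01 action=read bytes=4294967296 path=/finance/archive/2019.zip
2025-06-04T02:25:00Z user=alice host=fs01 action=read bytes=4294967296 path=/hr/payroll/export.zip
"""

# The timestamp is captured only to hour precision; that is the aggregation bucket.
LOG_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z user=(?P<user>\S+) host=\S+ "
    r"action=(?P<action>\S+) bytes=(?P<bytes>\d+) path=(?P<path>\S+)$"
)


def aggregate_reads(log_text: str) -> Dict[str, Dict[str, dict]]:
    """Sum bytes read per user per UTC hour and record which top-level shares
    were touched. Malformed lines and non-read events are skipped."""
    buckets: Dict[str, Dict[str, dict]] = defaultdict(
        lambda: defaultdict(lambda: {"bytes": 0, "dirs": set()}))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["action"] != "read":
            continue
        bucket = buckets[m["user"]][m["hour"]]
        bucket["bytes"] += int(m["bytes"])
        bucket["dirs"].add(m["path"].strip("/").split("/", 1)[0])
    return buckets


def detect_staging(log_text: str, ratio_threshold: float = 10.0,
                   min_bytes: int = 1 << 30) -> List[dict]:
    """Alert when a user's hourly read volume is both above an absolute floor
    (min_bytes) and at least ratio_threshold times that user's own median
    hourly volume over the rest of the log. A user with no other history is
    judged on the absolute floor alone (ratio reported as None)."""
    alerts = []
    for user, hours in aggregate_reads(log_text).items():
        for hour, data in hours.items():
            if data["bytes"] < min_bytes:
                continue
            others = [d["bytes"] for h, d in hours.items() if h != hour]
            baseline = median(others) if others else 0
            ratio = data["bytes"] / baseline if baseline else None
            if ratio is None or ratio >= ratio_threshold:
                alerts.append({"user": user, "bucket": hour, "bytes": data["bytes"],
                               "baseline": baseline, "ratio": ratio,
                               "dirs": set(data["dirs"])})
    return sorted(alerts, key=lambda a: (a["user"], a["bucket"]))


if __name__ == "__main__":
    for alert in detect_staging(SAMPLE_LOG):
        print(alert)
```

On the constructed log, only alice's 02:00 hour fires: 8 GiB against a 50 MB median, spanning two shares she normally does not touch together. The breadth signal (`dirs`) is worth keeping alongside the volume, since a single large legitimate archive pull looks different from a sweep across finance and HR at once.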

defender takeaway

The cartel model's primary gift to attackers is resilience. Disruption of a single brand or infrastructure cluster no longer produces the cascading affiliate loss that took down LockBit. Defense needs to match that resilience with layered, behavior-based detection that assumes the attacker is already somewhere in the environment — and asks: where are they, and what are they doing right now?

Where This Goes in 2026

The structural trajectory is fairly clear. Encryption-first attacks will continue losing ground to data extortion-first models where encryption, if it happens at all, is deployed as a final pressure step after exfiltration is complete. The cartel model, or something close to it, will become the dominant operational architecture for large-scale ransomware because it solves the law enforcement resilience problem that traditional centralized RaaS never adequately addressed.

LockBit 5.0's return in September 2025 introduced an interesting counterpoint: the market may partially consolidate again around brands with established credibility and reliable affiliate payout histories. The explosion of short-lived, small-crew operations has eroded victim trust in receiving working decryption keys after payment. Affiliates operating within a credible cartel structure have a stronger claim to reliability than a two-person crew running an independent operation for the first time.

AI integration within ransomware operations moved from experimental to operational in 2025. Groups began using generative AI for phishing content, code obfuscation, victim impersonation during negotiation, and — in the case of at least one RaaS operation — AI-powered negotiation support offered as a cartel service to affiliates. In 2026, the automation of attack chain execution through AI agents is the logical next step: reconnaissance, phishing, initial access, and lateral movement that can be directed with minimal human operator involvement.

The ransomware cartel model is not a temporary aberration. It is the mature form that criminal ransomware infrastructure was always trending toward: industrialized, distributed, and designed from the ground up to survive the disruption of any individual component. Understanding that structure is the first requirement for defending against it.

Key Takeaways

  1. The cartel model decentralizes brand from infrastructure. Affiliates operate under independent names while sharing a common backend, making law enforcement takedowns less effective and attribution significantly harder.
  2. Affiliate mobility is now the primary threat vector to track. When a major RaaS platform collapses, capable affiliates migrate within days — not weeks. The threat does not pause; it relocates.
  3. Encryption is no longer the defining attack phase. Data exfiltration is happening earlier, and extortion pressure increasingly comes from compliance exposure, direct victim notification, and regulatory complaint filing rather than locked files alone.
  4. Payment rates at 25–27% reflect both better defenses and broken attacker credibility. Smaller, short-lived groups have less incentive to honor ransom agreements. The math of refusing to pay is improving — but only for organizations with tested recovery infrastructure already in place.
  5. Detection needs to move left in the attack chain. By the time encryption fires, the fight is effectively over. The window to intervene is in the lateral movement and data staging phases that precede ransomware deployment.
— end of briefing