“`html
In spite of considerable interruptions by global law enforcement initiatives against prominent ransomware operations, cybercriminal factions persist in showcasing exceptional flexibility in 2025.
Two significant ransomware undertakings, DragonForce and Anubis, have launched novel affiliate frameworks intended to broaden their influence and enhance profitability in the continuously changing cybercrime arena.
.webp)
DragonForce, which surfaced in August 2023 as a conventional ransomware-as-a-service (RaaS) initiative, commenced advertising on clandestine forums in February 2024.
.png%0D%0A)
By March 2025, their victim tally had escalated to 136 organizations featured on their leak platform.
The collective has recently rebranded itself as a “cartel” and proclaimed a transition to a decentralized model that empowers affiliates to establish their own bespoke “brands” while utilizing DragonForce’s infrastructure.
Secureworks Counter Threat Unit (CTU) analysts discovered that Anubis, another rising threat, initially showed up on underground forums in late February 2025 with a divergent strategy for affiliate recruitment.
In contrast to conventional ransomware initiatives fixated solely on encryption, Anubis presents three unique extortion alternatives with varying profit-sharing schemes, greatly broadening their attack methodology and potential victim repercussions.
.webp)
The ransomware ecosystem continues to pose substantial dangers to entities across various sectors.
These emerging affiliate frameworks illustrate how threat actors modify their business strategies to sustain profitability as victims become increasingly resistant to settling ransoms, potentially resulting in more intricate and relentless attack campaigns.
Anubis’s Three-Tiered Extortion Strategy
Anubis sets itself apart with three distinct operational modes crafted to attract different categories of affiliates.
The initial mode adheres to the traditional RaaS framework characterized by file encryption, granting affiliates 80% of ransom proceeds.
The second alternative, labeled “data ransom,” concentrates exclusively on data theft without encryption, yielding 60% of payments for affiliates.
The third and most inventive method, “accesses monetization,” aids threat actors in eliciting ransoms from compromised victims, providing affiliates with 50% of the funds secured.
The “data ransom” strategy involves publishing comprehensive “investigative articles” about victims’ confidential data on password-protected Tor sites.
Victims gain access to review these articles and negotiate payments. If victims decline to comply, Anubis amplifies pressure through multiple channels, including naming victims via X (formerly Twitter) and alerting customers.
Most importantly, Anubis threatens to inform non-compliant victims to regulatory bodies including the UK Information Commissioner’s Office, U.S. Department of Health and Human Services, and the European Data Protection Board.
This tactic of regulatory reporting, while not completely unprecedented, marks a notable escalation in extortion methodologies.
In November 2023, the GOLD BLAZER threat group informed the U.S. Securities and Exchange Commission of an ALPHV (BlackCat) breach after a victim refused payment, highlighting the increasing sophistication of coercion tactics within the ransomware ecosystem.
“`