DragonForce Ransomware Cartel Is Conti’s Dangerous Legacy


According to Infosecurity Magazine, DragonForce has emerged as a new ransomware operation built directly on Conti’s leaked source code, retaining its core encryption behavior and network-spreading capabilities. The group uses the same ChaCha20 and RSA encryption combination found in Conti, generating unique keys per file and appending 10-byte metadata blocks. DragonForce has shifted from standard ransomware-as-a-service to a self-styled cartel structure that encourages affiliates to create branded variants, with recent samples showing groups like Devman deploying ransomware compiled with DragonForce’s builder. The operators have continued active campaigns, threatening to delete decryptors and leak data on September 2 and September 22. DragonForce encrypts both local storage and network shares via SMB and has aligned with Scattered Spider, a group known for initial access operations tied to BlackCat, Ransomhub and Qilin.


The Cartel Playbook

Here’s the thing about DragonForce calling itself a cartel – it’s not just branding. They’re actually behaving like one. They’re defacing rival leak sites, trying to take over competitors’ servers, and creating this ecosystem where affiliates can build their own branded variants. Basically, they’re creating a franchise model for cybercrime. And it’s working – when they put pressure on Ransomhub, some affiliates apparently migrated over to DragonForce and Qilin. That’s exactly what a cartel does: they consolidate power by either absorbing or crushing the competition.

Conti’s Dangerous Legacy

Remember when Conti’s source code leaked? Well, we’re seeing the consequences now. DragonForce isn’t just inspired by Conti – they’re using the actual code. Same encryption methods, same network-spreading capabilities, same routines. It’s like Conti got resurrected but with a more ambitious business model. And honestly, this was always the risk when that code leaked. Any competent criminal group could pick it up and start their own operation without having to build everything from scratch. We’re probably going to see more of these Conti-derived groups popping up.

The Partnership Problem

The Scattered Spider connection is particularly concerning. That group specializes in initial access – they’re the ones who break in, then they hand off to ransomware groups like DragonForce to do the encryption and extortion. It’s a division of labor that makes both groups more effective. When you combine Scattered Spider’s access expertise with DragonForce’s mature ransomware platform, you get incidents like the Marks & Spencer attack that researchers are attributing to this partnership. This is becoming the standard playbook: specialized groups working together rather than every group trying to do everything themselves.

Defense in a Cartel World

So what does this mean for defense? The standard advice still applies – backups, network segmentation, patching, endpoint protection. But we need to think differently about the threat landscape. These aren’t isolated criminals anymore; they’re organized networks with shared infrastructure and coordinated tactics. Monitoring for unusual SMB activity becomes crucial since that’s how they spread across networks. And user awareness? More important than ever, because that initial access often comes through phishing or social engineering. The scary part is how professional this has all become. They’re not just criminals – they’re running businesses.
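To make the "unusual SMB activity" advice concrete, here is an added example (not from the article or any vendor product) that flags a host contacting many distinct TCP/445 peers within a short window, the fan-out pattern a share-encrypting spreader produces; the flow-log format and sample addresses are constructed.

```python
# Added example (not the article's or any vendor's code): flag hosts that fan
# out over SMB (TCP/445) to many distinct peers in a short window, the kind of
# spread the article describes. Log format is a constructed, simplified flow
# log: "<epoch-seconds> <src-ip> <dst-ip> <dst-port>".
from collections import defaultdict

# Constructed sample: 10.0.0.5 touches six hosts on 445 within seconds,
# while 10.0.0.9 is an ordinary client of one file server.
SAMPLE_FLOWS = """\
1700000000 10.0.0.9 10.0.0.20 445
1700000005 10.0.0.5 10.0.0.21 445
1700000006 10.0.0.5 10.0.0.22 445
1700000007 10.0.0.5 10.0.0.23 445
1700000008 10.0.0.5 10.0.0.24 445
1700000009 10.0.0.5 10.0.0.25 445
1700000010 10.0.0.5 10.0.0.26 445
1700000040 10.0.0.9 10.0.0.20 445
1700000050 10.0.0.9 10.0.0.20 443
"""

def parse_flows(text):
    """Parse the constructed flow-log lines into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows.append((int(ts), src, dst, int(port)))
    return flows

def smb_fanout(flows, window=60, threshold=5):
    """Return {src: peak distinct SMB peers} for sources that reach at least
    `threshold` distinct destinations within any `window`-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in sorted(by_src.items()):
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            peers = {d for t, d in events[i:] if t - t0 <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    for src, n in smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {n} distinct SMB peers inside 60s")
```

Tune `window` and `threshold` against a baseline of legitimate file-server and backup traffic before alerting on it, since backup agents and vulnerability scanners also fan out over 445.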
