A new ransomware operation built on Conti’s leaked source code has surfaced with cartel-like ambitions in the cybercrime ecosystem.
The DragonForce group, which retains Conti’s core encryption behavior and network-spreading capabilities, has begun conducting coordinated attacks and recruiting affiliates using a shared platform.
Recently, DragonForce has shifted from a standard ransomware-as-a-service model to a self-styled cartel structure that encourages affiliates to create branded variants. This evolution has been highlighted by recent samples showing groups like Devman deploying ransomware compiled with DragonForce’s builder.
According to Acronis Threat Research Unit (TRU) researchers, DragonForce uses the same ChaCha20 and RSA encryption combination found in Conti, generating a unique key per file and appending a 10-byte metadata block that encodes encryption mode, percentage and size.
Operators have continued active campaigns, threatening to delete decryptors and leak data on September 2 and September 22.
Technical Characteristics
DragonForce encrypts both local storage and network shares via SMB (Server Message Block). Acronis has documented unchanged Conti-style routines alongside a hidden configuration system that replaces visible command-line parameters.
The ransomware supports several encryption modes:
-
Full mode (0x24)
-
Partial (0x25)
-
Header-only (0x26)
Growing Affiliate Network
Devman’s emergence illustrates DragonForce’s recruitment model. The group initially deployed a Mamona-based variant before shifting to a DragonForce-built strain with near-identical ransom note formatting.
The timing suggests Devman first tested branding under Mamona, a project linked to operators behind Eldorado and BlackLock, then moved into the DragonForce ecosystem to leverage its tooling and infrastructure.
DragonForce has also aligned with Scattered Spider, a group known for initial access operations tied to BlackCat, Ransomhub and Qilin. This partnership drew scrutiny following an incident impacting UK retailer Marks & Spencer, which researchers attribute to cooperative DragonForce–Scattered Spider activity shortly after DragonForce rebranded as a “cartel.”
Read more on ransomware cartels: Ransom Cartel Linked to Russia-Based REvil Ransomware Group
Aggressive Tactics and Defense
The group has pursued aggressive dominance tactics, defacing BlackLock’s leak site and attempting a takeover of Ransomhub’s servers. This pressure may have forced some Ransomhub affiliates to migrate to rivals such as Qilin and DragonForce.
“By rebranding itself as a ‘cartel,’ DragonForce aimed to strengthen its influence and alliances in the ransomware landscape, proving its dominance by defacing or taking control of rival groups’ infrastructure,” Acronis said.
To defend against ransomware threats, security experts advise organizations to implement robust backup practices, restrict lateral movement through network segmentation and monitor for unusual access to shared resources.
In addition, consistent patching, endpoint protection and user awareness training remain core layers of defense against financially motivated actors seeking to exploit gaps in enterprise environments.
