Ransomware Gangs Evolve with New Affiliate Models to Lure Cybercriminals

The ransomware landscape continues to evolve rapidly, and recent research from Secureworks reveals that threat actors are taking a more corporate-like approach to cybercrime. Two ransomware groups, DragonForce and Anubis, are now offering expanded affiliate programs that mimic legitimate business structures—complete with service offerings, branding flexibility, and support systems.

These developments mark a troubling trend in the world of ransomware-as-a-service (RaaS), a model that has already made it alarmingly easy for less skilled attackers to launch devastating ransomware campaigns.

DragonForce Transforms Into a Cybercrime Cartel

DragonForce, a RaaS operation that first surfaced in August 2023, recently rebranded itself as a "cartel" in a move that highlights its shift toward a more decentralized structure. According to Secureworks' Counter Threat Unit (CTU), the group is now offering a unique affiliate model that lets cybercriminals create their own ransomware brands.

Rather than requiring affiliates to use its ransomware, DragonForce provides access to its infrastructure—including admin and client panels, encryption tools, ransom negotiation systems, data storage solutions, a Tor-based leak site, and customer support. This flexibility appeals to attackers with their own malware but who need help with logistics, infrastructure, or victim interaction.

While this model may attract a broader range of cybercriminals, it introduces risks as well. If one affiliate is compromised, others connected to the shared infrastructure could also be exposed, potentially unraveling entire networks of coordinated attacks.

Anubis Offers Three Flavors of Ransomware Partnerships

Anubis, another RaaS operator, is also breaking the mold by introducing three distinct affiliate models. Each provides a different path for criminals looking to monetize attacks:

1. A classic RaaS setup, with affiliates keeping 80% of ransom payments.
2. A "data ransom" model where detailed victim analyses are posted on a password-protected site to pressure victims into paying.
3. An “access monetization” model that helps affiliates extort previously compromised victims, offering 50% of ransom proceeds.

The data ransom method stands out for its resemblance to a form of criminal content marketing. Anubis operators publish an "investigative article" about the victim’s stolen data, then share it with the victim privately, warning that failure to pay will result in the information going public. They’ve even used a social media presence to increase pressure and threaten disclosure to customers and regulatory bodies.

Ransomware Operators Now Operate Like Businesses

These affiliate models show that modern ransomware groups are increasingly running their operations like legitimate companies. From offering technical support to allowing brand customization, the strategies are designed to appeal to a broader range of would-be attackers. In fact, DragonForce’s offering closely resembles a managed service provider—minus the legality.

According to Rafe Pilling, Director of Threat Intelligence at Secureworks, defenders should begin viewing ransomware gangs as business entities. These threat actors adapt quickly, chasing revenue and reacting to changes in the cybercrime ecosystem, including law enforcement crackdowns and declining ransom payments.

How Organizations Can Stay Protected

With the barrier to entry for ransomware attacks dropping even lower, organizations must take proactive steps to strengthen their defenses. Secureworks’ CTU recommends the following security measures:

• Regularly patch internet-facing systems
• Implement phishing-resistant multifactor authentication
• Maintain secure, offline backups of critical data
• Monitor endpoints and networks for unusual behavior
• Develop and test a detailed incident response plan

The rising sophistication of ransomware gangs and their affiliate models represents a growing threat to global cybersecurity. Understanding how these operations work—and preparing for them as one would prepare for a savvy corporate competitor—may be the key to staying one step ahead.