RaaS Groups Are Evolving
Although several international law enforcement operations have cracked down on ransomware, cybercriminals still make significant profits despite the risk. These operations have forced certain ransomware groups, particularly those in the Ransomware-as-a-Service (RaaS) sphere, to evolve their tactics considerably. Two RaaS groups in particular illustrate this: DragonForce and Anubis.
DragonForce emerged as a traditional RaaS in 2023. Traditional here means it followed the typical RaaS model, best described as a cybercrime business model where ransomware operators write software and affiliates pay to launch attacks using that software. Affiliates do not need technical skills of their own; they rely on the technical skills of the operators.
However, this business model shifted slightly in February 2024, when the operators began advertising the offering on underground forums; the number of victims posted to the associated leak site steadily grew to 136 as of March 24, 2025.
This change adopts the popular double extortion tactic, where data is exfiltrated before encryption to further extort the victim. Along with this technique, ransomware gangs create a leak site that announces the gang's current victims.
Then, in an underground post on March 19, 2025, DragonForce rebranded itself as a "cartel" and announced its shift to a distributed model that allows affiliates to create their own "brands" within the DragonForce infrastructure.
In this model, DragonForce provides its infrastructure and tools but does not require affiliates to deploy its ransomware. Advertised features include administration and client panels, encryption and ransom negotiation tools, a file storage system, a Tor-based leak site and .onion domain, and support services.
Regarding this evolution, Secureworks noted:
This approach differentiates DragonForce from other RaaS offerings and may appeal to a range of affiliates. For example, the established infrastructure and accessible tools expand opportunities to threat actors who have limited technical knowledge. Even sophisticated threat actors may appreciate the flexibility that allows them to deploy their own malware without creating and maintaining their own infrastructure. By broadening its affiliate base, DragonForce can increase its potential for financial gain. However, the shared infrastructure does introduce risk to DragonForce and its affiliates. If one affiliate is compromised, other affiliates' operational and victim details could be exposed as well.
Anubis's Change in Tactics
Anubis has changed how it entices affiliates to onboard with the "brand" and begin using its ransomware. In late February 2025, a post on an underground forum announced that Anubis is now offering three separate affiliate tiers:
- RaaS – a traditional approach that involves file encryption and offers affiliates 80% of the ransom
- Data ransom – a data theft-only extortion option in which affiliates receive 60% of the ransom
- Accesses monetization – a service that helps threat actors extort victims they've already compromised and offers affiliates 50% of the ransom
The post went on to describe each tier in more detail. The "data ransom" description was particularly interesting, with the affiliate required to publish a detailed "investigative article" to a password-protected Tor website. The article contains an analysis of the victim's sensitive data. The victim is granted access to that article and is given a link to negotiate payment.
The threat actors threaten to publish the article on the Anubis leak site if the victim does not pay the ransom. The operators increase pressure by publishing victim names via an X (formerly Twitter) account. The threat actors claim they will also notify the victims' customers about the compromise.
Anubis will take this one step further, with threat actors reporting the data breach to the following authorities:
- The UK Information Commissioner's Office (ICO), which focuses on data protection and information rights
- The U.S. Department of Health and Human Services (HHS)
- The European Data Protection Board (EDPB), which ensures consistent application of the General Data Protection Regulation (GDPR)
This escalation strategy is believed to be designed solely to place victims under more duress to pay the ransom. It has not been widely adopted, but it does have some precedent. In November 2023, the GOLD BLAZER threat group reported an ALPHV (also known as BlackCat) compromise to the U.S. Securities and Exchange Commission (SEC) after a victim failed to pay a ransom.
The "accesses monetization" option focuses on post-compromise activity by helping affiliates extract ransom payments from their victims. Here, the affiliate acts as a broker or negotiator of sorts. Similar to the data theft-only option, the affiliate receives a detailed analysis of the victim's data that they can use to increase pressure during ransom negotiations.
Like affiliates of many other RaaS operations, Anubis affiliates are forbidden from targeting post-Soviet states that still fall within Russia's sphere of influence. Interestingly, Anubis also excludes the BRICS states from being targeted; these include Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Indonesia, Iran, and the United Arab Emirates.
Anubis explicitly restricts the targeting of educational institutions, government departments, and non-profit organizations, but it does not mention healthcare organizations. This may be because healthcare organizations hold an abundance of sensitive information and face regulatory compliance requirements, both of which are often used to pressure victims to pay up.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.