Full Report
The DragonForce ransomware group claims to be taking over the infrastructure of RansomHub, the biggest ransomware group of the last year, Cyble threat intelligence researchers reported in an advisory to clients today. Cyble said the moniker behind the operators of DragonForce announced a new "project" on the RAMP forum and subsequently posted the same information on their onion-based data leak site (DLS). DragonForce said the group is launching fresh infrastructure, with two new onion links secured by CAPTCHA, similar to DragonForce's native Tor site approach, but displaying the logo of the RansomHub ransomware. While it is unclear whether DragonForce acquired RansomHub or simply compromised it, the official RansomHub onion site has been offline since March 31, fueling speculation of a possible takeover, Cyble said.

## DragonForce and RansomHub: New Relationship Unclear

DragonForce's post on RAMP read: "Hi. Don't worry RansomHub will be up soon, they just decided to move to our infrastructure! We are Reliable partners. A good example of how 'projects' work, a new option from the DragonForce Ransomware Cartel!"

A postscript read (image below): "RansomHub hope you are doing well, consider our offer! We are waiting for everyone in our ranks"

DragonForce made a similar claim on the group's Tor-based data leak site (DLS) and previewed a new onion site bearing the RansomHub logo (image below).

Image: Preview of new onion site posted by DragonForce on RAMP forum and bearing the RansomHub logo.

## DragonForce Ransomware Emerges As a Significant Player

While it is unclear what the nature of the new arrangement between the two groups is, the announcement follows a March 18 announcement by DragonForce of a major expansion of its ransomware-as-a-service (RaaS) operation, Cyble said. The group introduced a franchise-like model allowing affiliates to launch their own ransomware brands under the DragonForce Ransomware Cartel.

Affiliates receive full backend support, including admin/client panels, data hosting, and 24/7 infrastructure with anti-DDoS protection, giving them autonomy while the cartel maintains centralized control. DragonForce also rolled out technical upgrades across its ransomware lockers for ESXi, NAS, BSD, and Windows systems. Enhancements include encryption status tracking, detached execution, persistent UI messaging, and improved recovery mechanisms. The encryption engine was further hardened with two-pass header protection and a BearSSL AES-CTR implementation using external entropy sources, "signaling DragonForce's ambition to scale its operations with a more professionalized and affiliate-friendly infrastructure," Cyble said.

## RansomHub Future Uncertain

While it is not clear what happened between the two ransomware groups, RansomHub put together an impressive run, besting all competitors since February 2024 (image below). RansomHub's staying power at the top has been driven by multiple factors, in Cyble's analysis, including perceptions of greater transparency than predecessor groups, predictable payouts, and well-packaged attack playbooks for affiliates. It remains to be seen what form RansomHub and DragonForce will take on next. We will continue to follow this breaking story and update it as new information becomes available.
Analysis Summary
# Threat Actor: DragonForce (Associated with RansomHub)
## Attribution & Identity
The threat actor is **DragonForce**. This group has recently claimed to be taking over the infrastructure of the **RansomHub** ransomware operation. DragonForce is expanding its operations by launching a Ransomware-as-a-Service (RaaS) model under the name **DragonForce Ransomware Cartel**.
## Activity Summary
DragonForce is expanding its RaaS operation by absorbing or merging with RansomHub. This follows a major expansion announced on March 18, where DragonForce introduced a franchise-like RaaS model. RansomHub had previously shown impressive staying power since February 2024, attributed to transparency, predictable payouts, and well-packaged playbooks.
## Tactics, Techniques & Procedures
- **Ransomware-as-a-Service (RaaS)**: Operating a franchise-like model where affiliates can launch their own ransomware brands under the DragonForce Ransomware Cartel.
- **Affiliate Support**: Providing affiliates with full backend support, including admin/client panels, data hosting, and 24/7 infrastructure with anti-DDoS protection.
- **Technical Upgrades**: Rolling out technical enhancements across ransomware lockers targeting ESXi, NAS, BSD, and Windows systems.
- **Encryption Enhancements**: Hardening the encryption engine with two-pass header protection and BearSSL AES-CTR implementation using external entropy sources.
- **Operational Features**: Implementing encryption status tracking, detached execution, persistent UI messaging, and improved recovery mechanisms.
## Targeting
- Sectors: Not explicitly detailed; the platforms the lockers are built for (**ESXi (virtualization)**, **NAS storage**, **BSD**, and **Windows systems**) indicate the environments targeted rather than specific sectors.
- Geography: Not specified.
- Victims: No specific victim names were mentioned in the context provided.
## Tools & Infrastructure
- **Malware families used**: **DragonForce Ransomware** locker.
- **Infrastructure**: Affiliates benefit from centralized, managed infrastructure including admin/client panels, data hosting, and anti-DDoS protection; DragonForce has also previewed two new CAPTCHA-protected onion sites bearing the RansomHub logo.
## Implications
The merger/takeover suggests DragonForce is aiming for significant scaling and professionalization within the RaaS ecosystem. By incorporating RansomHub's successful elements and offering robust, centralized support (including anti-DDoS protection) to affiliates, DragonForce aims to become a dominant force in the ransomware landscape. The technical upgrades indicate an effort to improve operational resilience and encryption efficacy.
## Mitigations
- Implement robust defense strategies against widely deployed ransomware targeting **ESXi, NAS, BSD, and Windows environments**.
- Understand the operational models of modern RaaS operations, including centralized support structures.
- Maintain strong backup and recovery mechanisms, acknowledging the focus on improved recovery within the new ransomware build.