Full Report
The DragonForce and Anubis ransomware groups are trying to recruit new affiliates by adopting more flexible affiliate models, with the aim of increasing the volume of incidents in which their services are used.
Analysis Summary
# Threat Actor: DragonForce & Anubis (Ransomware-as-a-Service Operations)
## Attribution & Identity
The research covers two evolving Ransomware-as-a-Service (RaaS) operations: **DragonForce** and **Anubis**. Both are reworking their business models to attract affiliates in the wake of disruptions to the wider ransomware ecosystem (e.g., the LockBit takedown).
* **DragonForce:** Launched in August 2023. Recently rebranded as a "cartel," moving to a distributed model in which affiliates run their own "brands" on DragonForce's established infrastructure.
* **Anubis:** Researchers began tracking this group in December (the year is not stated in the source; the context implies it is recent).
## Activity Summary
Both operations are adapting their affiliate models to grow market share and payout volume by attracting new operators.
* **DragonForce ("Cartel" Model):** Supplies infrastructure and operations-management tooling to affiliates, who may deploy an encryptor of their own choosing rather than being required to use DragonForce's proprietary locker.
* **Anubis Monetization Schemes:** Offers affiliates three distinct payment structures:
1. Traditional encryption attacks (80% affiliate split).
2. Data extortion attacks (60% affiliate split).
3. Access monetization alone, with no encryption or data theft by the affiliate (50% affiliate split).
* **Extortion Tactics (Anubis):** Threatens to:
* Publish stolen data.
* Name victims publicly on social media.
* **Novel Tactic:** File formal breach notifications or reports about the victim with regulatory bodies itself, echoing what AlphV/BlackCat reportedly did in filing a complaint with the U.S. SEC against a victim.
## Tactics, Techniques & Procedures
The reporting focuses on business-model and monetization tradecraft rather than technical intrusion TTPs:
* Flexible affiliate models that lower the bar for new operators and broaden the pool of potential affiliates.
* Shared infrastructure across affiliates, which gives affiliates flexibility but concentrates the operators' exposure (a single infrastructure set now serves many brands).
* Data exfiltration combined with public shaming (naming victims on social media).
* **Extortion pressure via regulators (Anubis):** Threatening to report the victim's breach to regulatory bodies before the victim does.
* *Note: Technical TTPs such as initial access vectors or malware signatures are not described beyond the fact that both are RaaS platforms and that DragonForce affiliates may bring their own encryptors.*
## Targeting
* **Sectors:** Not specified; broad targeting of businesses is implied, since the stated goal is to increase incident volume.
* **Geography:** Not stated in the source. The threat to notify regulators implies victims in jurisdictions with breach-notification regimes; the SEC is cited only as the U.S. precedent set by AlphV/BlackCat.
* **Victims:** None disclosed; victim details are shared internally among DragonForce affiliates.
## Tools & Infrastructure
* **Malware families used:** DragonForce's own encryptor (affiliates may substitute their own) and Anubis ransomware; no sample details are given.
* **Infrastructure:** DragonForce offers its established infrastructure and operations-management tooling to affiliates.
* **URLs/IPs:** None given in the source; no defanging required.
## Implications
These new operating models, in particular the DragonForce "cartel" structure and Anubis's use of regulatory-notification threats, show ransomware operations innovating quickly in response to law enforcement disruption. Decentralizing brands and letting affiliates bring their own tooling could raise the operators' revenue and make the ecosystem harder to dismantle with a single takedown. Anubis's willingness to threaten regulatory reporting marks a potential escalation in extortion tactics.
## Mitigations
* Plan for decentralized operations: an intrusion that touches DragonForce infrastructure may not use DragonForce's own encryptor, since affiliates can bring custom or previously unseen lockers. Detection should key on encryption and exfiltration behaviour rather than on signatures for a single malware family.
* Treat data theft as the primary extortion lever: the Anubis model pays affiliates for extortion-only and access-only attacks, so detection and response must not assume an encryptor will run.
* Blunt the regulatory-reporting threat by having a breach-notification process and legal counsel lined up in advance, so that an attacker's threat to notify regulators first adds no leverage.