How the DragonForce–Scattered Spider Cartel Is Redefining Ransomware Collaboration

By Alex Cipher

A new breed of cybercriminal collaboration is rewriting the rules of ransomware. The alliance between DragonForce and Scattered Spider isn’t just a merger of two notorious groups—it’s the blueprint for a cartel-style operation that’s shaking up the global threat landscape. By combining DragonForce’s ransomware-as-a-service (RaaS) infrastructure with Scattered Spider’s elite social engineering and initial access skills, this partnership has created a cybercrime ecosystem that’s both agile and ruthlessly efficient. Their cartel model, which rewards affiliates with up to 80% of attack profits, has rapidly attracted a diverse network of collaborators, from seasoned hackers to ambitious newcomers (BleepingComputer).

This isn’t just theory—real-world incidents like the 2025 Marks & Spencer breach highlight the cartel’s reach and sophistication. Their operations leverage everything from compromised LockBit and Conti ransomware code to advanced social engineering tactics like MFA fatigue and SIM swapping. The result? Multi-stage attacks that can bypass even the most robust defenses, blending technical innovation with business-like professionalism. As organizations scramble to keep up, the DragonForce-Scattered Spider cartel stands as a stark reminder that cybercrime is evolving faster than ever (BleepingComputer).

How DragonForce and Scattered Spider Joined Forces: The Cartel Model Explained

Evolution from Independent Actors to Strategic Collaboration

The partnership between DragonForce and Scattered Spider marks a significant shift in the operational dynamics of the cybercriminal landscape. Historically, ransomware groups and initial access brokers operated in silos, often competing for resources and notoriety. However, the emergence of a cartel-style model—exemplified by the DragonForce-Scattered Spider alliance—demonstrates a move toward cooperative, highly specialized threat actor ecosystems. This alliance leverages the unique strengths of each group: DragonForce’s robust ransomware-as-a-service (RaaS) infrastructure and Scattered Spider’s elite social engineering and initial access capabilities (BleepingComputer).

DragonForce, originally a standalone ransomware group, began its operations with tools derived from the compromised LockBit 3.0 builder and later transitioned to a modified version of the Conti v3 source code. The group’s evolution into a cartel was catalyzed by its 2025 rebranding, which saw it adopt a more inclusive and partnership-driven approach. This transformation was not merely cosmetic; it reflected a fundamental change in operational strategy, focusing on broadening its reach through strategic alliances and affiliate recruitment.

Scattered Spider, on the other hand, had established itself as a formidable initial access broker, specializing in advanced reconnaissance and social engineering. The group’s expertise in bypassing multifactor authentication and deploying remote monitoring and management (RMM) tools made it an ideal partner for ransomware operations seeking reliable entry points into high-value targets. The synergy between DragonForce’s ransomware deployment capabilities and Scattered Spider’s access operations created a formidable threat, elevating the efficiency and scale of attacks.

The Cartel Model: Structure, Recruitment, and Revenue Sharing

The cartel model adopted by DragonForce represents a departure from the traditional hierarchical structure of ransomware groups. Instead of a single entity controlling all aspects of an attack, the cartel operates as a decentralized network of specialized affiliates. This model is characterized by operational flexibility, broad partnerships, and a focus on maximizing profits through collaboration (BleepingComputer).

A key feature of this model is the generous revenue-sharing scheme. DragonForce offers affiliates up to 80% of the profits from successful ransomware attacks, significantly lowering the barrier to entry for new and inexperienced cybercriminals. This incentive structure has proven effective in attracting a diverse range of collaborators, from seasoned threat actors to opportunistic newcomers. The result is a rapidly expanding network capable of executing complex, multi-stage attacks with unprecedented speed and scale.

Recruitment is facilitated through underground cybercrime forums and encrypted communication channels. DragonForce actively seeks out individuals and groups with complementary skill sets, such as initial access brokers, malware developers, and data exfiltration specialists. By providing customizable encryptors and a robust infrastructure, the cartel ensures that affiliates can tailor their operations to specific targets and maximize the impact of each campaign.

The decentralized nature of the cartel model also enhances operational security. By distributing tasks among multiple independent actors, the group reduces the risk of detection and disruption by law enforcement. Each affiliate operates semi-autonomously, following broad guidelines set by the cartel leadership but retaining the flexibility to innovate and adapt to changing circumstances.

Operational Integration: Division of Labor and Attack Lifecycle

The partnership between DragonForce and Scattered Spider is underpinned by a clear division of labor, with each group focusing on its core competencies. Scattered Spider is responsible for the initial phases of the attack, including reconnaissance, credential harvesting, and establishing persistence within target networks. The group employs a range of tactics, from open-source intelligence gathering to sophisticated social engineering techniques such as MFA fatigue and SIM swapping (BleepingComputer).
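The MFA fatigue tactic named above leaves a recognisable trace in identity-provider logs: a burst of denied push prompts for one account followed by an approval. The detection below is an added example, not code from the article or from any vendor; the log format and the sample events are constructed, and the thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of push-MFA events (not real logs).
# Each line: ISO timestamp, username, result ("denied" or "approved").
SAMPLE_EVENTS = """
2025-04-20T02:14:01Z alice denied
2025-04-20T02:14:20Z alice denied
2025-04-20T02:14:41Z alice denied
2025-04-20T02:15:05Z alice denied
2025-04-20T02:15:30Z alice approved
2025-04-20T09:00:00Z bob approved
2025-04-20T09:30:00Z bob denied
"""


def parse_events(text):
    """Turn the constructed text format into (timestamp, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Return {user: denial_count} for accounts that denied at least
    `min_denials` prompts inside `window` and then approved one.
    That denied-denied-denied-approved sequence is the push-bombing
    pattern; a lone approval or isolated denials are not flagged."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))

    flagged = {}
    for user, seq in by_user.items():
        for i, (ts, result) in enumerate(seq):
            if result != "approved":
                continue
            # Denials that landed within `window` before this approval.
            recent = [r for t, r in seq[:i] if ts - t <= window]
            denials = recent.count("denied")
            if denials >= min_denials:
                flagged[user] = denials
                break
    return flagged
```

A hit is a prompt to contact the user out of band and to review any session tokens issued after the approval.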

Once initial access is secured, Scattered Spider deploys RMM tools and tunneling services to maintain persistence and facilitate lateral movement. Tools such as ScreenConnect, AnyDesk, TeamViewer, and Splashtop are commonly used to establish remote control over compromised systems. The group also targets critical assets, including SharePoint servers, credential repositories, backup infrastructure, and VPN configuration files.

At this stage, the baton is passed to DragonForce, which orchestrates the deployment of ransomware across the compromised environment. The group’s latest variants are capable of targeting Windows, Linux, and ESXi systems, ensuring maximum disruption and increasing the likelihood of ransom payment. DragonForce’s encryption tools have evolved over time, addressing vulnerabilities identified in earlier versions and incorporating techniques to disable security software and evade detection.

The final phase of the attack involves data exfiltration and ransom negotiation. Scattered Spider compiles stolen data using extract, transform, and load (ETL) tools, centralizing it in attacker-controlled storage services such as MEGA or Amazon S3. DragonForce then publishes details of compromised entities on its leak site, applying additional pressure on victims to pay the ransom.

Technological Advancements and Adaptation Strategies

The DragonForce-Scattered Spider cartel has demonstrated a remarkable ability to adapt and innovate in response to evolving defensive measures. One of the most notable advancements is the integration of vulnerable, legitimately signed drivers, such as truesight.sys and rentdrv2.sys, into the ransomware payload (the "bring your own vulnerable driver", or BYOVD, technique). These drivers are abused to deactivate security programs and terminate protected processes, and the same payload revisions address encryption weaknesses that defenders had previously exploited (BleepingComputer).
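The RMM tools listed in the attack lifecycle (ScreenConnect, AnyDesk, TeamViewer, Splashtop) and the driver names in this section are concrete indicators a detection engineer can watch for. The scanner below is an added example, not code from the article; the Sysmon-style event lines are constructed and simplified (EventID 6 for a driver load, EventID 1 for process creation, key=value fields), and the watch-lists are seeded only with the names the article gives.

```python
import re

# Constructed Sysmon-style event lines (not real telemetry).
# EventID=6: driver loaded. EventID=1: process created.
SAMPLE_EVENTS = r"""
EventID=6 Host=ws01 ImageLoaded=C:\Windows\Temp\truesight.sys Signed=true
EventID=6 Host=ws01 ImageLoaded=C:\Windows\System32\drivers\ntfs.sys Signed=true
EventID=1 Host=ws02 Image=C:\Users\j\Downloads\AnyDesk.exe ParentImage=C:\Windows\explorer.exe
EventID=1 Host=ws03 Image=C:\Program Files\Splashtop\SRServer.exe ParentImage=C:\Windows\System32\services.exe
EventID=6 Host=srv01 ImageLoaded=C:\ProgramData\rentdrv2.sys Signed=true
EventID=1 Host=ws04 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe
"""

# Driver names the article reports being abused (BYOVD) and RMM products it
# reports being deployed. Both lists are starting points, not exhaustive.
ABUSED_DRIVERS = {"truesight.sys", "rentdrv2.sys"}
RMM_BINARIES = {"screenconnect", "anydesk", "teamviewer", "splashtop"}


def parse(line):
    """Split a 'Key=Value Key=Value' line; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def classify(event):
    """Return a finding label for one parsed event, or None if benign.
    Note that the drivers are validly signed, so Signed=true is not a
    clean-bill-of-health: the match is on the driver name itself."""
    if event.get("EventID") == "6":
        name = event["ImageLoaded"].rsplit("\\", 1)[-1].lower()
        if name in ABUSED_DRIVERS:
            return f"byovd:{name}"
    elif event.get("EventID") == "1":
        path = event["Image"].lower()
        for tool in RMM_BINARIES:
            if tool in path:
                return f"rmm:{tool}"
    return None


def scan(text):
    """Return (host, label) pairs for every line that matches a watch-list."""
    findings = []
    for line in text.strip().splitlines():
        ev = parse(line)
        label = classify(ev)
        if label:
            findings.append((ev["Host"], label))
    return findings
```

Where an RMM product is sanctioned in your environment, suppress the match for the approved install path and keep alerting on copies launched from user-writable directories.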

The cartel’s encryption scheme has also undergone significant improvements. Early versions of DragonForce ransomware were found to contain vulnerabilities that allowed for decryption without paying the ransom. In response, the group updated its encryption algorithms, closing these loopholes and increasing the effectiveness of its attacks. The updated scheme was informed by public disclosures, such as a Habr publication referenced on DragonForce’s leak website, illustrating the group’s willingness to learn from both adversaries and the broader cybersecurity community.

In addition to technical enhancements, the cartel has embraced operational best practices borrowed from legitimate business models. For example, DragonForce provides affiliates with comprehensive documentation, support channels, and regular updates to its toolset. This professionalization of cybercrime operations has contributed to the group’s resilience and ability to attract high-caliber talent.

The use of cloud-based infrastructure for data exfiltration and command-and-control further complicates detection and response efforts. By leveraging legitimate services such as AWS Systems Manager Inventory and Amazon S3, the cartel is able to blend in with normal network traffic and evade traditional security controls. This approach not only increases the success rate of attacks but also makes attribution and remediation more challenging for defenders.

Impact on the Threat Landscape and Defensive Implications

The rise of the DragonForce-Scattered Spider cartel has had a profound impact on the global threat landscape. By combining the resources and expertise of multiple specialized actors, the cartel is able to execute highly coordinated and adaptive attacks that outpace traditional defensive measures. The shift toward a cooperative model has also led to an increase in the frequency and severity of ransomware incidents, with high-profile breaches such as the attack on Marks & Spencer highlighting the cartel’s reach and capabilities (BleepingComputer).

The cartel’s focus on exploiting human error—particularly through social engineering and credential compromise—underscores the need for organizations to prioritize user awareness and identity protection. Traditional perimeter defenses are increasingly ineffective against adversaries capable of bypassing multifactor authentication and leveraging legitimate remote access tools. As a result, security teams must adopt a multi-layered approach that combines technical controls with robust user education and incident response planning.

Furthermore, the decentralized and resilient nature of the cartel model presents new challenges for law enforcement and threat intelligence professionals. Disrupting a single affiliate or infrastructure component is unlikely to have a lasting impact on the overall operation. Effective countermeasures will require coordinated efforts across multiple jurisdictions and a focus on dismantling the underlying networks that facilitate collaboration among threat actors.

The DragonForce-Scattered Spider partnership serves as a blueprint for future cybercriminal alliances, signaling a move toward greater specialization, operational efficiency, and scalability. As the cartel model continues to evolve, defenders must remain vigilant and adapt their strategies to counter increasingly sophisticated and persistent adversaries.

Final Thoughts

The DragonForce and Scattered Spider partnership is more than a headline—it’s a signal flare for the future of cybercrime. Their cartel model, marked by decentralized collaboration and generous revenue sharing, has set a new standard for operational efficiency and adaptability. By leveraging cloud infrastructure, exploiting human error, and constantly refining their tools, these groups have made ransomware attacks more scalable and harder to stop (BleepingComputer).

For defenders, the message is clear: traditional security measures are no longer enough. Combating this new wave of cyber threats requires a blend of technical controls, user education, and cross-jurisdictional cooperation. As AI, IoT, and other emerging technologies expand the attack surface, organizations must stay agile and proactive. The DragonForce-Scattered Spider cartel is just the beginning—future alliances will likely be even more sophisticated, making vigilance and adaptation the keys to survival.