DragonForce Gang Builds a Godfather Ransomware Cartel

With ransomware evolving from a digital nuisance into a sophisticated, multi-billion-dollar criminal enterprise, we’re seeing threat groups adopt strategies straight from the organized crime playbook. To help us understand this alarming shift, we’re speaking with Rupert Marais, our in-house security specialist. With deep expertise in endpoint security and cybercrime strategies, Rupert has been tracking the emergence of a new, more menacing business model in the ransomware world. Today, we’ll explore how groups like DragonForce are building cartel-like structures, professionalizing extortion with corporate-style services, and what this means for businesses. We’ll delve into the strange mix of conflict and collaboration shaping the cybercrime ecosystem, the implications of making powerful ransomware tools easily accessible, and why certain industries are finding themselves squarely in the crosshairs of these highly organized attackers.

The ransomware-as-a-service model is evolving into a cartel structure, offering affiliates services like “Company Data Audits” to value stolen data. How does this intelligence-driven extortion, complete with call scripts and strategic guidance, change the negotiation dynamics for a victimized company?

It fundamentally transforms the entire negotiation from a simple shakedown into a high-stakes, hostile corporate negotiation. What we’re seeing with DragonForce’s “Company Data Audit” is the weaponization of business intelligence. When an attacker can tell you not just what they stole, but precisely why it’s valuable and how its release will cripple your market position, the power dynamic shifts dramatically. Imagine the chilling effect of receiving a professionally prepared risk report, complete with call scripts for your executives, that lays out your company’s doom. We saw a case with a mining company where the attackers used stolen satellite imagery to identify sensitive mineral deposit locations. They didn’t just demand money; they presented a credible threat to the company’s entire future. This isn’t just about data; it’s about leveraging that data with the precision of a legitimate risk assessment firm, making the threat feel calculated, personal, and almost impossible to ignore.

We’ve seen threat groups attempt to deface rivals’ sites while also proposing alliances to “stabilize the market.” What does this mix of aggression and cooperation signal about the maturity of the ransomware ecosystem, and how does it complicate defensive and attribution efforts for security teams?

This behavior signals that the ransomware ecosystem is maturing into a fully-fledged, albeit illicit, market with its own set of rules, power players, and corporate-style maneuvering. It’s like watching the mob in its heyday. On one hand, you have the aggressive, territorial disputes—DragonForce defacing BlackLock’s leak site is a very public power play designed to assert dominance. On the other, you have these backroom proposals for cooperation, like their pitch to major players like LockBit and Qilin. They want to standardize profit sharing, eliminate public conflicts, and basically form a price-fixing cartel. For defenders, this is a nightmare. It blurs the lines of attribution. Is an attack from a lone affiliate, or is it part of a coordinated cartel strategy? When groups share intelligence and tactics, a defense that works against one member today might be rendered useless against the entire cartel tomorrow. This cooperation allows them to pool resources and eliminate inefficiencies, making them a far more formidable and unpredictable opponent.

Newer ransomware operations often use automated sign-up systems with no vetting or deposits, allowing easy access for affiliates. Considering their tools may derive from leaked source code like Conti’s, how does this lower barrier to entry impact the overall threat landscape and attacker sophistication?

It dramatically broadens the threat landscape while creating a dangerous illusion of amateurism. The automated, no-vetting sign-up system is like leaving the keys in a high-performance race car. It allows anyone, regardless of skill, to get behind the wheel of a sophisticated attack tool. Because the ransomware itself is built on proven, leaked source code from a group like Conti, it comes packed with powerful features right out of the box—things like deleting shadow copies, scanning networks for targets via SMB ports, and using multithreading for rapid encryption. So, you might have an unsophisticated actor, a script kiddie even, who now has the capability to execute a highly destructive, enterprise-grade attack. This creates a high volume of unpredictable, chaotic attacks. While the individual affiliate might lack strategic depth, the tool they wield is incredibly potent, making it harder for security teams to profile and predict attacker behavior.
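Added example, not from the interview or from Rupert Marais: a defender-side detection sketch that flags two of the Conti-derived behaviours named above, shadow-copy deletion and SMB fan-out across many hosts, in constructed process and network log lines. The key="value" log format, host names and addresses are assumptions made for the example.

```python
"""Detection sketch for two ransomware behaviours: shadow-copy wiping and
SMB (port 445) scanning. Log format and sample lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List

# Command lines that remove Volume Shadow Copies (Windows recovery points).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),  # PowerShell/WMI form
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')  # assumed key="value" log layout

def parse_line(line: str) -> Dict[str, str]:
    """Turn one constructed log line into a dict of its fields."""
    return dict(KV_RE.findall(line))

def find_shadow_copy_deletion(lines: List[str]) -> List[str]:
    """Hosts whose process events match a shadow-copy deletion command."""
    hits = []
    for rec in map(parse_line, lines):
        if rec.get("event") != "process":
            continue
        if any(p.search(rec.get("cmd", "")) for p in SHADOW_COPY_PATTERNS):
            hits.append(rec["host"])
    return hits

def find_smb_scanners(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Hosts opening port 445 to at least `threshold` distinct destinations;
    a workstation fanning out over SMB is a classic lateral-movement signal."""
    fanout = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec.get("event") == "network" and rec.get("dport") == "445":
            fanout[rec["host"]].add(rec["dst"])
    return {h: len(d) for h, d in fanout.items() if len(d) >= threshold}

# Constructed sample telemetry: WS01 wipes shadow copies and sweeps three
# hosts over SMB; WS02 only lists shadows and talks to a single file server.
SAMPLE_LOG = [
    'event="process" host="WS01" cmd="vssadmin.exe delete shadows /all /quiet"',
    'event="process" host="WS02" cmd="vssadmin.exe list shadows"',
    'event="network" host="WS01" dst="10.0.0.5" dport="445"',
    'event="network" host="WS01" dst="10.0.0.6" dport="445"',
    'event="network" host="WS01" dst="10.0.0.7" dport="445"',
    'event="network" host="WS02" dst="10.0.0.9" dport="445"',
    'event="network" host="WS02" dst="10.0.0.9" dport="445"',
]

if __name__ == "__main__":
    print(find_shadow_copy_deletion(SAMPLE_LOG))  # ['WS01']
    print(find_smb_scanners(SAMPLE_LOG))          # {'WS01': 3}
```

In a real deployment the threshold would be tuned against the environment's baseline, since backup agents and admin scripts can legitimately touch port 445 on many hosts.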

Manufacturing, technology, and construction sectors in the U.S. and Europe appear to be prime targets. Based on your experience, what makes these industries so attractive for data exfiltration and extortion, and what common vulnerabilities are threat actors typically exploiting within them?

These sectors represent a perfect storm of value, vulnerability, and operational dependence. Manufacturing and construction are heavily reliant on just-in-time supply chains and operational technology (OT) systems. Any downtime is catastrophic and costs millions per day, which creates immense pressure to pay a ransom quickly. Furthermore, they hold incredibly valuable intellectual property—blueprints, proprietary industrial processes, and project bids—that is devastating if leaked. The technology sector is a target for obvious reasons: they hold sensitive customer data and their own valuable source code. The common thread is often a sprawling, complex digital infrastructure that has grown over time, mixing modern IT with legacy OT systems that were never designed to be connected to the internet. Attackers exploit weak remote access protocols, unpatched systems, and a lack of network segmentation to move from a compromised IT network into the critical operational core of the business, where they can inflict the most pain.

What is your forecast for the ransomware ecosystem?

I foresee the ecosystem becoming even more commercialized and specialized, operating with the cold efficiency of a legitimate corporation. The cartel model that DragonForce is pioneering is just the beginning. We’re going to see more specialization, with groups focusing on specific verticals—some on initial access, some on data analysis, and others on negotiation. The use of AI to analyze stolen data for maximum leverage will become standard practice, moving beyond simple extortion to what I’d call “strategic corporate sabotage.” Ransom demands will become more precisely calculated based on a victim’s cyber insurance policy, quarterly earnings, and market vulnerabilities. For defenders, this means we can no longer treat this as a purely technical problem. We must adopt a threat intelligence-led approach, understanding the business model of our adversaries just as well as they understand ours. The line between cybercrime and corporate espionage will continue to blur, making the fight more complex and the stakes higher than ever.
