The DragonForce ransomware group claims to be taking over the infrastructure of RansomHub, the largest ransomware group in the last year, Cyble threat intelligence researchers reported in an advisory to clients today.
Cyble said the moniker behind the operators of DragonForce announced a new “project” on the RAMP forum and subsequently posted the same information on their onion-based data leak site (DLS). DragonForce said the group is launching fresh infrastructure – with two new onion links secured by CAPTCHA, similar to DragonForce’s native tor site approach – but displaying the logo of the RansomHub ransomware group.
While it’s unclear if DragonForce acquired RansomHub or simply compromised it, the official RansomHub onion site has been offline since March 31, fueling speculation of a possible takeover, Cyble said.
DragonForce and RansomHub: New Relationship Unclear
DragonForce’s post on RAMP read:
“Hi. Don’t worry RansomHub will be up soon, they just decided to move to our infrastructure! We are Reliable partners.
“A good example of how “projects” work, a new option from the DragonForce Ransomware Cartel!”
A postscript read (image below): “RansomHub hope you are doing well, consider our offer! We are waiting for everyone in our ranks”
DragonForce made a similar claim on the group’s Tor-based Data Leak Site (DLS) – and previewed a new onion site bearing the RansomHub logo (image below).
DragonForce Ransomware Emerges As a Significant Player
While it is unclear what the nature of the new arrangement is between the two groups, the announcement follows a March 18 announcement by DragonForce of a major expansion of its ransomware-as-a-service (RaaS) operation, Cyble said.
The group introduced a franchise-like model allowing affiliates to launch their own ransomware brands under the DragonForce Ransomware Cartel. Affiliates receive full backend support, including admin/client panels, data hosting, and 24/7 infrastructure with anti-DDoS protection, providing autonomy while maintaining centralized control.
DragonForce also rolled out technical upgrades across its ransomware lockers for ESXi, NAS, BSD, and Windows systems. Enhancements include encryption status tracking, detached execution, persistent UI messaging, and improved recovery mechanisms. The encryption engine was further hardened with two-pass header protection and BearSSL AES-CTR implementation using external entropy sources, “signaling DragonForce’s ambition to scale its operations with a more professionalized and affiliate-friendly infrastructure,” Cyble said.
RansomHub Future Uncertain
While it’s not clear what happened between the two ransomware groups, RansomHub put together an impressive run, besting all competitors since February 2024 (image below).
RansomHub’s staying power at the top has been driven by multiple factors, in Cyble’s analysis, including perceptions of greater transparency than predecessor groups, predictable payouts, and well-packaged attack playbooks for affiliates.
It remains to be seen what form RansomHub and DragonForce will take on next. We will continue to follow this breaking story and update it as new information becomes available.
