
Ransomware is a powerful tool used by weak people to extract make-believe money, primarily used for dark web drug buys and Ponzi schemes, from organizations that haven’t implemented proper security and backup protocols in the year 2025. It comes as no surprise, then, that drama between several “gangs” who rely on this involuntary encryption tool is reportedly set to make things even worse for potential victims.

The Financial Times today reported that DragonForce, “a group of largely Russian speaking cyber criminals behind a spate of high-profile attacks this year,” has “begun a turf war with its rivals” that “could bring more hacks and further fallout for corporate victims.” Why? Apparently, it’s because a group called RansomHub “widened the services it offered and expanded its reach to attract more affiliate partners.”

The experts who spoke to the Times about this spat are concerned that DragonForce and RansomHub will attempt to extort the same organizations to “one-up” each other. These so-called double extortions can make it even more difficult for ransomware victims to recover from an incident — especially if they simply cannot afford to pay more than one cybercriminal to regain access to their own information. (Hopefully.)

Google Threat Intelligence Group head of cybercrime analysis Genevieve Stark told the Times that “instability within the extortion ecosystem can have serious implications for ransomware and data theft extortion victims.” That’s a somewhat curious take, however, given the relative instability of this “ecosystem” regardless of whether or not two of its members are engaging in a virtual scuffle over their illicit dealings.

Sophos noted in 2022 that the closure of the BlackMatter ransomware group hardly mattered: “Ransomware-as-a-service is simply the service. Affiliates who buy the service and do the actual hacking simply seek out new networks to affiliate with and continue with their crime sprees unabated. Meanwhile, the operators, or original creators, of the ransomware that ‘closed,’ will likely re-emerge under a new name.”

Disputes between ransomware gangs have also historically led to in-fighting rather than worse outcomes for potential victims. The Financial Times said that DragonForce took down RansomHub’s dark web site, for example, and the Conti ransomware group imploded after Russia invaded Ukraine in 2022 because it had members from both countries and they simply couldn’t cooperate after the war began that February.

Perhaps the most well-known counterpoint is the double extortion of UnitedHealth Group. In that case, a ransomware affiliate called Notchy turned to RansomHub to continue extorting UHG subsidiary Change Healthcare even after the company paid a $22 million ransom that was reportedly stolen by BlackCat / ALPHV as part of an exit scam. So organizations have been caught up in thief-on-thief drama before.

Here’s to hoping any organizations DragonForce and RansomHub want to put through a similar ordeal respond like Welthungerhilfe, a German nonprofit that has refused to pay a ransom. Let the cybercriminals have their turf wars; the most important thing is that organizations refuse to play a part in the conflict themselves by giving these groups the funds they need to continue their shenanigans.
