Artboard 1 copy 11

Nihon Cyber Defence

Menu
get in touch
/ Threat Intelligence / By

What Cyber Leaders Need to Know About RansomHub’s Collapse and the Ransomware Cartel Model

A Turning Point in the Ransomware-as-a-Service Ecosystem

As ransomware groups evolve into decentralised cartels, situational awareness and coordinated response are critical for Japan’s digital resilience.

In late March 2025, the ransomware group RansomHub abruptly ceased operations. Its leak site and victim negotiation portals went offline without warning. Within days, a competing group, DragonForce, publicly claimed RansomHub had migrated to its infrastructure and invited affiliates to join what it described as a “ransomware cartel.”

While the claim remains unverified, the timing and messaging suggest a broader shift in the Ransomware-as-a-Service (RaaS) landscape.

What emerged was not just another group takeover, but a signal that ransomware operations are evolving toward more decentralised, service-centric models.

RansomHub Shutdown: What Happened and Why It Matters

RansomHub had, by early 2025, become one of the most active RaaS groups globally, with frequent attacks across manufacturing, healthcare, and IT sectors.

Known for custom tooling and high-volume activity, it attracted experienced affiliates with generous revenue splits.

On 31 March, its infrastructure went dark. Two days later, DragonForce announced a new affiliate structure offering shared services — including leak sites, negotiation tools, and support — while allowing affiliates to operate under their own names.

This franchise-style “cartel” model reflects a significant change in how ransomware groups structure themselves and scale operations.

Key Risks for Companies from Cartel-Style Ransomware

Ransomware Group Instability Creates Tactical Openings

RansomHub’s silence and the confusion that followed show how vulnerable even established RaaS groups are to disruption.

For a brief time, defenders may benefit from reduced coordination among affiliates or abandoned victim engagements.

Decentralised RaaS Models Increase Complexity

DragonForce’s cartel model allows affiliates to move more freely between brands and campaigns.

This flexibility increases the challenge for attribution, response planning, and negotiation, especially when infrastructure is shared across multiple actors.

Japan is Likely Within Scope of DragonForce Expansion

While RansomHub’s focus was on North America and Europe, DragonForce has begun expanding into Asia and the Middle East.

Japanese organisations, particularly those in manufacturing and logistics, should anticipate being drawn further into scope.

Implications for Japan’s Cyber Resilience and Digital Sovereignty

This evolution comes as Japan’s national cyber strategy enters a new phase, with the Active Cyber Defence bill and other initiatives placing greater emphasis on private–public coordination.

The rise of agile, service-oriented criminal ecosystems presents new challenges for defenders, regulators, and response teams alike.

Organisations that rely on complex supply chains or operate in critical sectors must be prepared for adversaries who are faster-moving, better resourced, and less centralised.

A strong understanding of how these structures operate is key to effective defence.

What Organisations Can Do Now

  1. Review exposure to third-party risk and critical supply chains
  2. Rehearse incident response scenarios that include ransomware group collapse or affiliate defection
  3. Monitor dark web trends to detect early shifts in attacker infrastructure or targeting patterns

Why Cyber Strategy Must Evolve with the Adversary

RansomHub’s collapse and DragonForce’s opportunistic rise reflect more than a leadership transition. 

They mark a shift in how cybercriminal operations are structured and scaled. Understanding these changes is essential to anticipating future risk.

At Nihon Cyber Defence, we monitor underground activity, affiliate migration, and emerging attack models not only to support technical response, but to inform strategic decision-making. 

Strengthening Japan’s digital sovereignty requires this dual perspective both operational and forward-looking. Contact Us.

toshio-nawa
Toshio Nawa

Chief Technology Officer (CTO)

After military and JPCERT/CC experience, Nawa joined Nihon Cyber Defence in 2018, specializing in CSIRT and threat intelligence advisory.

Edit Template

Cyber Maturity Assessment

Nihon Cyber Defence (NCD) offers comprehensive Cyber Maturity Assessments designed to evaluate an organisations current cyber security capabilities, identify areas for improvement, and develop a strategic roadmap to enhance overall security posture.

Cyber Security Framework (NIST)

National Institute of Standards and Technology

NIST Framework Graphic

Cyber Assessment Framework (CAF)

National Cyber Security Centre

CAF Framework Graphic

Explore more of the NCD suite: Cyber Security Consultancy, Protective Services, Network Monitoring & Security Operations, SIEM, Incident Management

Edit Template

More from NCD​

UK CyberFirst Lessons: Transforming Japan’s Cyber Security Education

Lessons from the UK CyberFirst Program for Japan

March 24, 2025 Cyber Security Leadership
Japan can bridge its cybersecurity talent gap by leveraging public-private partnerships, corporate sponsorships, and government-backed education programs, inspired by CyberFirst...
Read More
Building the Next Generation of Cybersecurity Experts

Educational Strategies and Initiatives to Address the Cyber security Talent Gap

March 17, 2025 Cyber Security Leadership
Learn how education programs and strategic initiatives are addressing Japan’s cybersecurity workforce gap...
Read More
AI-driven warfare and cybersecurity protection for nations and critical infrastructure

The Rise of AI-Driven Warfare

March 12, 2025 Critical Infrastructure Security
Explore how AI is transforming the battlefield, from autonomous drones to cyberwarfare tactics. Understand key trends shaping the future of global defense...
Read More
Leadership & Cyber Resilience | Vol. II

Leadership & Cyber Resilience | Vol. II

March 7, 2025 Cyber Security Leadership
North Korean hackers from Lazarus stole $1.4B in crypto from Bybit, exploiting cold wallet security flaws. Learn how the attack happened & what it means...
Read More
Japan’s Growing Cyber Security Talent Gap and Its Impacts

Japan’s Growing Cyber Security Talent Gap and Its Impacts

February 20, 2025 Cyber Security Leadership
Japan faces a cyber security talent shortage of 110,000 experts. Explore the challenges, impacts, and solutions to bridge this critical skills gap...
Read More
Preparing for Active Cyber Defense (ACD)

Preparing for Active Cyber Defense (ACD)

January 31, 2025 Risk Management
Japan’s Active Cyber Defense (ACD) policy is set to transform cyber security, requiring critical infrastructure operators to comply with new reporting mandates. Ret. Adm. Akira Ichida explores the...
Read More
NCD and Fivecast Partnership

Nihon Cyber Defence and Fivecast Partner to Enhance Cyber Threat Intelligence for Japan

January 17, 2025 Press Release
The collaboration combines Fivecast’s advanced AI-powered OSINT technology with NCD’s expertise in cyber threat intelligence and Japanese cyber security needs, delivering actionable intelligence...
Read More
Navigating Cyber Incident Response 

Navigating Cyber Incident Response 

January 12, 2025 Risk Management
Unprepared cyber incident response can lead to prolonged damage. Learn practical strategies to strengthen resilience, improve decision-making speed, and build a proactive response framework in this...
Read More
Safeguarding Japan’s Critical Infrastructure 

Safeguarding Japan’s Critical Infrastructure 

January 6, 2025 Critical Infrastructure Security
Japan's energy and food security depend on resilient supply chains, but cyber threats to critical infrastructure are rising. Discover strategies to safeguard OT systems and protect vital industries in...
Read More
Edit Template
NCDLogoWhite@1x_1

Cyber Future Today

Company

Services

Associated sites

Social Link

Linkedin