- Threat Intelligence
- May 23, 2025
What Cyber Leaders Need to Know About RansomHub’s Collapse and the Ransomware Cartel Model
A Turning Point in the Ransomware-as-a-Service Ecosystem
In late March 2025, the ransomware group RansomHub abruptly ceased operations. Its leak site and victim negotiation portals went offline without warning. Within days, a competing group, DragonForce, publicly claimed RansomHub had migrated to its infrastructure and invited affiliates to join what it described as a “ransomware cartel.”
While the claim remains unverified, the timing and messaging suggest a broader shift in the Ransomware-as-a-Service (RaaS) landscape.
What emerged was not just another group takeover, but a signal that ransomware operations are evolving toward more decentralised, service-centric models.
RansomHub Shutdown: What Happened and Why It Matters
RansomHub had, by early 2025, become one of the most active RaaS groups globally, with frequent attacks across manufacturing, healthcare, and IT sectors.
Known for custom tooling and high-volume activity, it attracted experienced affiliates with generous revenue splits.
On 31 March, its infrastructure went dark. Two days later, DragonForce announced a new affiliate structure offering shared services — including leak sites, negotiation tools, and support — while allowing affiliates to operate under their own names.
This franchise-style “cartel” model reflects a significant change in how ransomware groups structure themselves and scale operations.
Key Risks for Companies from Cartel-Style Ransomware
Ransomware Group Instability Creates Tactical Openings
RansomHub’s silence and the confusion that followed show how vulnerable even established RaaS groups are to disruption.
For a brief time, defenders may benefit from reduced coordination among affiliates or abandoned victim engagements.
Decentralised RaaS Models Increase Complexity
DragonForce’s cartel model allows affiliates to move more freely between brands and campaigns.
This flexibility increases the challenge for attribution, response planning, and negotiation, especially when infrastructure is shared across multiple actors.
Japan is Likely Within Scope of DragonForce Expansion
While RansomHub’s focus was on North America and Europe, DragonForce has begun expanding into Asia and the Middle East.
Japanese organisations, particularly those in manufacturing and logistics, should anticipate being drawn further into scope.
Implications for Japan’s Cyber Resilience and Digital Sovereignty
This evolution comes as Japan’s national cyber strategy enters a new phase, with the Active Cyber Defence bill and other initiatives placing greater emphasis on private–public coordination.
The rise of agile, service-oriented criminal ecosystems presents new challenges for defenders, regulators, and response teams alike.
Organisations that rely on complex supply chains or operate in critical sectors must be prepared for adversaries who are faster-moving, better resourced, and less centralised.
A strong understanding of how these structures operate is key to effective defence.
What Organisations Can Do Now
- Review exposure to third-party risk and critical supply chains
- Rehearse incident response scenarios that include ransomware group collapse or affiliate defection
- Monitor dark web trends to detect early shifts in attacker infrastructure or targeting patterns
Why Cyber Strategy Must Evolve with the Adversary
RansomHub’s collapse and DragonForce’s opportunistic rise reflect more than a leadership transition.
They mark a shift in how cybercriminal operations are structured and scaled. Understanding these changes is essential to anticipating future risk.
At Nihon Cyber Defence, we monitor underground activity, affiliate migration, and emerging attack models not only to support technical response, but to inform strategic decision-making.
Strengthening Japan’s digital sovereignty requires this dual perspective both operational and forward-looking. Contact Us.
Chief Technology Officer (CTO)
After military and JPCERT/CC experience, Nawa joined Nihon Cyber Defence in 2018, specializing in CSIRT and threat intelligence advisory.
Cyber Maturity Assessment
Nihon Cyber Defence (NCD) offers comprehensive Cyber Maturity Assessments designed to evaluate an organisations current cyber security capabilities, identify areas for improvement, and develop a strategic roadmap to enhance overall security posture.
Cyber Security Framework (NIST)
National Institute of Standards and Technology
Cyber Assessment Framework (CAF)
National Cyber Security Centre
Explore more of the NCD suite: Cyber Security Consultancy, Protective Services, Network Monitoring & Security Operations, SIEM, Incident Management
