NEWS Hacker Franchise: DragonForce Launches a Criminal DIY

ExcalibuR

Now the Victim Will Be Punished Not Only by a Virus, But Also by the Law

Despite the efforts of international law enforcement agencies to dismantle major extortion schemes, cybercriminals continue to demonstrate remarkable adaptability and resilience. In 2025, Secureworks Counter Threat Unit (CTU) observed the emergence of two updated operating models within the DragonForce and Anubis groups, each attempting to attract new partners and increase the profitability of their operations.


DragonForce, originally operating under the Ransomware-as-a-Service (RaaS) model, announced in March 2025 its transformation into a so-called "cartel" with a distributed model. Each partner can now create their own "brand" while accessing ready-made infrastructure, including administrative and client panels, file storage systems, encryption and negotiation tools, as well as a site for publishing leaks on the dark web.


Importantly, DragonForce no longer requires participants to use only its malicious code — they can use their own tools without losing access to the infrastructure. This flexibility broadens the pool of potential partners, allowing both technically inexperienced participants and more skilled ones who prefer autonomy to join. However, the shared infrastructure could backfire — the compromise of one participant may expose data about others.


Anubis chose an alternative approach. The group began promoting its offer on shadow forums in February 2025, emphasizing flexibility in its extortion methods. They provide three options: traditional encryption with an 80% ransom, a "clean" extortion method without encryption (60%), and monetization of already obtained access to victims' systems (50%).


Particular attention is paid to the group's pressure tactics in the data leak model. After compromising information, Anubis publishes an investigation into the victim's activities on a secured Tor site and provides a link to the negotiations. If the company refuses to pay, the publication becomes publicly accessible. Additionally, the attackers may post the victims' names on social media and threaten to notify the company's clients. The announcement specifically highlights the intention to report compromises to regulatory authorities. This practice is rare but was already used in November 2023, when ALPHV complained to the SEC about one of their victims.


The third option, "monetizing access," allows those who already have access to extract as much value as possible from the situation by providing a detailed analysis of confidential information, which can be used as leverage.


Anubis intentionally limits the geography of its attacks. Countries from the post-Soviet space, as well as BRICS member states, are off-limits. The group also excludes attacks on government, educational, and non-profit institutions, but makes no mention of the healthcare sector, which makes medical organizations potentially attractive targets.


The intensification of competition among extortionists is accompanied by attempts to maximize profits in new ways. Research indicates a decline in the percentage of companies paying ransoms. This is confirmed by the growing number of victims listed on leak sites — those who refused to pay. In response, cybercriminals are increasingly resorting to pressure tactics and changing their approaches, including public campaigns and extortion via regulators.


Secureworks emphasizes that payments do not guarantee the restoration of access to data or the prevention of leaks. Instead, experts recommend that organizations focus on proactive measures: regularly update vulnerable systems, use phishing-resistant multi-factor authentication, create and test backups, monitor network and endpoint activity, and have an incident response plan in place.