DragonForce has shifted its aim away from governments and businesses and opened fire at the king of ransomware, RansomHub, only to announce that they are now business partners in a confusing saga of cyber-gang warfare.
Notorious ransomware operation RansomHub is set to return after going dark last month, following an announcement by the DragonForce ransomware gang that the two groups have become “partners.”
Prior to April, RansomHub was arguably one of the most infamous active ransomware operations, if not the most infamous, largely filling a gap left by LockBit after it struggled to rebuild following law enforcement takedowns.
However, on April 1, the ransomware operation went offline without explanation, causing its affiliates to move elsewhere.
Now, the DragonForce ransomware group, which is known of late for its cyber attacks on a trio of major UK retailers (M&S, Co-op and Harrods), has announced that RansomHub will be returning, but not in the way it was previously known.
“Hi. Don't worry[.] RansomHub will be up soon, they just decided to move to our infrastructure! We are reliable partners,” the group wrote on the news page of its dark web leak site.
“RansomHub hope you are doing well, consider our offer! We are waiting for everyone in our ranks,” it added.
DragonForce suggests that RansomHub has joined its new partner program, which invites other hacking groups to use DragonForce ransomware-as-a-service (RaaS) just as an affiliate would, but with their own operations, branding and identity; they would simply be using the DragonForce infrastructure.
“Today I would like to introduce you to our new direction, we are starting to work in a new way, according to a new principle,” DragonForce announced on March 18.
“You no longer have to work under our brand, now you can create your own brand under the auspices of a time-tested partner! We, The DragonForce Ransomware Cartel, present you "projects" now you create yourself.”
However, with RansomHub’s success, experts are unclear as to how or why the group became a partner of DragonForce, sparking a number of theories.
Here are the facts: At the beginning of April, closely following RansomHub’s unexplained outage, DragonForce said that RansomHub should join its operation before listing the threat group on its dark web leak site a day later. However, the next day, it removed the listing once again.
It was after this that DragonForce announced that RansomHub will be back using its infrastructure and asked it to consider its offer.
The group also linked to RansomHub’s leak and client pages, both of which display “RansomHub - R.I.P (03.03.2025).”
On April 23, a RansomHub spokesperson using the moniker ‘koley’ announced that they had suffered a cyber attack from a state-sponsored actor and a traitor was exposed. Then, on April 25, koley posted screenshots of DragonForce’s dark web leak site being down, displaying the message “Technical Works. We’ll be up soon, thank you for your patience.”
koley mocked the group, saying “guess you have traitors.”
The above has sparked a number of theories as to what caused RansomHub to go offline and why DragonForce has announced this new partnership, despite no word from RansomHub.
Theory 1: Hostile Takeover
Some have theorised that this was a hostile takeover, and that the listing suggests that DragonForce took RansomHub by force.
This would not be a new method for DragonForce, which on March 18 launched a cyber attack on the Mamona RIP ransomware leak site. It also took over the BlackLock RaaS operation the same month.
RansomHub would also be an ideal target, having become arguably the most notorious ransomware group in 2024.
The group took over the Change Healthcare cyber attack after ALPHV’s exit scam, collected many of ALPHV and LockBit’s affiliates and, despite only first appearing publicly in February 2024, had over 210 victims by August, just six months later.
So is this a hostile takeover? It’s hard to say. RansomHub has yet to address the incident and has remained silent.
Additionally, researchers at GuidePoint Security say that DragonForce may have just been using RansomHub’s outage as an opportunity for them to stand out and make the issue at hand more confusing.
“This incident can bring to light the notion that there really is ‘no honor among thieves,’” said GuidePoint Security Principal Threat Intelligence Consultant Justin Timothy, speaking with SC Media.
Additionally, while unclear if they are connected, messages in February 2024, around the time RansomHub began RaaS operations, show a user by the name of ‘dragonforce’ denying that they ever attacked RansomHub. This likely refers to another incident, but demonstrates a rocky relationship between the two.
A user called ‘whitesnake’ wrote “I [believe] dragonforce try [sic] to be the big fish in the market by attacking others. But this is wrong as he hurt many member[s] who was [sic] making money with ransomhub.”
The user named dragonforce responded saying “You mistakenly think so, we did not attack RansomHub, these are the fantasies of journalists.” However, there seems to be no sign of any media reports regarding a 2024 DragonForce attack on RansomHub.
Theory 2: RansomHub facing internal conflict
A number of publications have suggested that RansomHub is suffering from some in-fighting, affecting operations.
GuidePoint researchers detected possible internal issues at RansomHub after a number of issues with the group's infrastructure.
“Our earliest indication that issues may be emerging within RansomHub appeared during the morning of April 1st, 2025, when several of RansomHub’s client chat portals – which are used for ransomware negotiations – inexplicably went offline,” reads a GuidePoint report.
“Several of our intelligence-sharing partners also observed and reported similar infrastructure issues. Further discussion and collection led us to assess that RansomHub’s administrators were weathering internal conflict with an unknown number of affiliates.”
The report adds that “frustrated RansomHub affiliates” were moving their communications with victims to other platforms, such as the chat platforms of other hacking groups which may have been RaaS services they previously used.
Once again, it’s not unlikely that DragonForce has lied about RansomHub being hacked or joining DragonForce in any form as threat actors consistently prove that there is no honour among thieves.
Theory 3: RansomHub performs an exit scam
Speaking of exit scams, some have theorised that RansomHub has scammed its affiliates by going dark and taking their cuts with them.
Messages on a dark web forum suggest that the owner of RansomHub halted contact with the group's affiliates and then transferred the group's operations to DragonForce, which, according to one dark web forum user, may be run by the same team of people.
“After cheating the affiliates he is transfer [sic] the operation to DragonForce, which is the same team. He is [a] scammer,” said forum user ‘lateralmovement’ on January 29.
lateralmovement also said that DragonForce is now ignoring messages about RansomHub’s status unless accused of being on the “same team” as RansomHub.
Adding to the theory that this may be the same group and an exit scam may have occurred are a number of messages on the same forum from four years ago, long before RansomHub was a publicly known RaaS.
On November 1, 2021, a user appearing to be LockBit responded to a message in which another user had asked koley why they never speak about RansomHub.
“Dragonforce twink ransomhub, one owner,” wrote LockBit.
The user ‘dragonforce’ responded, saying “You shouldn’t say that, it’s a misconception.”
Theory 4: RansomHub joined DragonForce willingly
It is entirely possible that RansomHub did join forces with DragonForce. As mentioned, RansomHub’s operations seem to now be controlled by DragonForce, and the new service DragonForce offers would allow the group to resurface while keeping its own name and brand, something the threat group says will happen.
However, without any confirmation from RansomHub, it seems we need to take DragonForce’s words with a grain of salt.
Conclusion
This threat actor drama is a puzzle missing half of its pieces and as a result, there is no real obvious conclusion as to what's happened. What it does demonstrate is a major shift in the ransomware operator and RaaS landscape.
Not only has the position of top ransomware group potentially changed, but DragonForce’s new offering is exactly that - new. It's a shift from the standard RaaS affiliate model.
It's apparent that there is a strange, malicious but perhaps somewhat cooperative relationship between DragonForce and RansomHub, but it's a hard one to pin down.
In fact, a number of these theories could be true simultaneously. If the same team runs both operations, but in-fighting did indeed occur, it absolutely could have led to a hostile takeover from one side over the other.
But again, until RansomHub discloses what happened, the truth is a mystery. And even then, can RansomHub be trusted? As this incident and many others have proven, there is no honour among thieves, and it is absolutely possible that RansomHub will lie to save face regarding what really happened.
The only conclusion I can make is that analysts and researchers should keep an eye on the happenings of these two ransomware operations, as this feuding between threat actors may lead to a change in the cybercrime landscape and how RaaS operations work.