Cybercrime is evolving—again. According to a new report from Secureworks, threat actor group DragonForce has introduced a disturbing twist to the Ransomware-as-a-Service (RaaS) model: a distributed affiliate branding approach that decentralizes ransomware operations, increases operational resilience, and accelerates the pace of attacks.
This evolution is a stark warning for business owners: traditional cybersecurity approaches centered on detection and response are no longer enough. It’s time to shift strategies—and fast.
DragonForce is leveraging a model where multiple sub-groups, each under distinct brands, work independently to infiltrate, encrypt, and extort. These affiliates appear to share common infrastructure and tools, but not necessarily tactics or targets. The result is a fragmented and resilient ransomware campaign that’s harder to track, attribute, or disrupt.
Secureworks notes that DragonForce’s affiliates use:
- Known vulnerabilities and RDP brute force to gain initial access
- Tools like Cobalt Strike and AnyDesk to maintain persistence
- Living-off-the-land binaries to evade endpoint detection
- Double extortion tactics, combining encryption with data leaks
In other words, these attackers don’t just lock your systems—they make sure the pressure to pay is excruciating.
The DragonForce model exposes a critical truth: most businesses are relying on tools and strategies that are always one step behind. Endpoint Detection and Response (EDR), antivirus, and SIEM systems aim to identify and respond to suspicious behavior—but by the time they do, the attacker may have already deployed malware or exfiltrated sensitive data.
With DragonForce’s affiliates acting quickly and unpredictably, the "detect and respond" paradigm simply can’t keep up. And this isn’t just a large enterprise problem. Small and midsize businesses (SMBs) are particularly vulnerable, often lacking the staff or budget to respond effectively once a breach occurs.
It's time to change the game—by adopting a proactive approach centered on prevention, not detection. That’s where AppGuard comes in.
AppGuard is a proven endpoint protection solution with over 10 years of success—first in government and now available for commercial use. Unlike traditional tools that try to detect malicious behavior, AppGuard isolates and contains applications, stopping malware from executing in the first place—even if it's never been seen before.
With AppGuard:
- Applications are prevented from launching unauthorized processes
- Malware—even zero-day exploits—can’t detonate, even if it reaches your system
- There’s no need for signature updates or continuous monitoring
- Endpoint protection works without impacting performance or user experience
This approach neutralizes threats at the point of entry, rendering the tactics used by DragonForce affiliates—living-off-the-land attacks, remote tools, script-based malware—completely ineffective.
DragonForce’s affiliate model is a wake-up call. Ransomware is now decentralized, faster, and harder to stop. Businesses that continue relying on detection-based strategies are playing a losing game.
Instead of chasing shadows, what if you could stop ransomware before it even starts?
At CHIPS, we believe that cybersecurity should be preventative, not reactive. That’s why we advocate for AppGuard—a military-grade solution now ready for businesses of all sizes.
If you're a business owner concerned about ransomware, now is the time to act.
👉 Talk with us at CHIPS about how AppGuard can protect your business by isolating and containing threats—before damage occurs.
Don't wait for an incident. Move from detect and respond to isolation and containment.
Let’s make your business unbreachable.