In its latest analysis, the Acronis Threat Research Unit, as reported by Industrial Cyber, reveals that the ransomware group DragonForce has re-emerged as a formidable cartel aligned with the initial-access broker Scattered Spider.
What’s especially alarming is how DragonForce has adopted the leaked Conti code base, leveraged affiliate recruitment, and industrialised its operations to target enterprise victims globally—including retail, airlines, insurance, and managed-service providers.
Here’s why this matters for business owners, and what your next security move must be.
Cartel-style ransomware operations
DragonForce’s transformation into a ransomware cartel means affiliates can plug into its infrastructure, customise payloads and conduct attacks under a shared brand. This lowers the barrier to entry for attackers and increases the volume of attacks.
Broader access chains & initial access brokers
The alignment with Scattered Spider means attackers are not only focused on the exploit/encrypt phases—they’re aggressively pursuing initial access via phishing, social engineering, MFA fatigue, SIM-swaps and remote-monitoring tools.
Code reuse and sophistication
By leveraging the leaked Conti source code, DragonForce preserves highly effective routines while refining encryption, obfuscation and advanced techniques (e.g., vulnerable-driver attacks).
Diverse victim base across industries
Note: their targets are not restricted to one sector. Retail, MSPs, airlines and insurance firms are now in the cross-hairs. If you’re in business, you are at risk.
What this means is that the traditional “detect & respond” defensive posture is becoming inadequate. It’s no longer enough to hope you will see the attack early, investigate, respond, patch. These groups move fast, exploit initial access, escalate privileges, move laterally, exfiltrate, and encrypt — all perhaps before alerts fire.
If your operations include connected infrastructure, multiple endpoints, remote-access tools, or outsourced services (MSPs), you have a larger attack surface.
When attackers bypass MFA, install RMM tools, and gain persistent access, even air-gapped or segmented systems may be at risk via driver exploitation or colluding third parties.
The cost of a successful ransomware incident nowadays isn’t only downtime and ransom payment—it’s reputational damage, supply-chain fallout, regulatory scrutiny, and long-term loss of trust.
Because threat actors now operate like enterprise service providers themselves, the volume, variety and speed of attacks are accelerating.
In short: threat complexity + business exposure = urgent need for a different defensive strategy.
What if you didn’t just try to detect the threats, but kept them in a safe bubble—isolated from your critical assets—until you were certain they were benign? That’s the model behind the endpoint protection solution AppGuard.
Here’s how AppGuard shifts the paradigm:
Instead of waiting for something suspicious to trigger detection rules, AppGuard isolates suspicious code execution, contains unknown or untrusted processes, and prevents lateral spread before encryption or exfiltration can occur.
This approach blocks zero-day exploits, repurposed malware, driver-based attacks and advanced persistent threats—not by chasing signatures but by enforcing runtime isolation.
With a proven ten-year track record in high-security environments (and now available for broader commercial adoption), AppGuard offers a resilient alternative to legacy antivirus/EDR products, which rely heavily on “detect & respond.”
For business owners, especially in the manufacturing, supply-chain and healthcare sectors (which have been prime targets), isolation and containment are not optional—they’re essential.
Given what we’re seeing—cartel-style ransomware operators, initial access brokers, affiliate networks—the advantage goes to those who make it hard for the attacker to spread, rather than simply hoping to catch them mid-attack.
The window for detection is shrinking. The longer you wait, the more likely an attacker will escalate before you even know it.
Investing in containment capability now means you reduce risk of catastrophic disruptions, regulatory fines, long-term downtime or loss of competitive advantage.
As someone who has always valued networking and referrals (as you do in building community via your platform Nolodex), you know the power of proactive strategy. Treat your cybersecurity posture similarly—with strategic foresight rather than reactive measures.
The threats are no longer theoretical. The article clearly signals that groups like DragonForce are sizing up new targets, streamlining their affiliate programmes, and expanding their toolkit. You want to be ahead of them, not chasing.
Conduct a rapid assessment of your endpoint risk: number of untrusted processes, remote-access tools, driver-based attack surfaces, and MFA exposures.
Review your existing protection stack: Are you relying primarily on detection and alerting? Do you have mechanisms to isolate suspicious execution before lateral spread?
Engage a vendor who offers containment-first capability. Enter AppGuard, which integrates with your ecosystem but shifts the defensive posture.
Plan for roll-out: Identify critical endpoints, test isolation behaviours, train your team on containment alerts and escalation procedures.
Network with peers: use your referral-oriented mindset to collaborate with other business owners, share best practices, and ensure your ecosystem (vendors, MSPs, partners) is aligned on containment strategies.
The article from Industrial Cyber makes it abundantly clear: ransomware operations such as DragonForce, empowered by affiliate networks and initial-access brokers like Scattered Spider, are escalating. These are not lone actors who operate in isolation—they are organised, industrialised, and rapidly evolving. If your business continues to rely on “detect & respond” as the primary line of defense, you are playing catch-up.
Instead, adopt a smarter strategy: “isolation & containment” via AppGuard—to limit attacker mobility, block lateral spread, neutralise unknown code execution and give your team time to analyse rather than scramble.
By adopting this mindset and capability today, you position your business not only to survive the next attack wave, but to thrive with confidence.
If you are a business owner who takes cybersecurity seriously, now is the time to act. Reach out to us at CHIPS and let’s talk about how AppGuard can become your frontline defence. Let’s shift your strategy from “detect & respond” to “isolation & containment” and stop threats like DragonForce before they stop you.