As victims refuse to pay and legacy groups implode, ruthless competition is reshaping the RaaS underground.
More competitors are fighting over a shrinking pool of ransomware revenue. The result is a violent restructuring playing out in real time across dark web forums. Legacy operations that dominated recent years are tearing themselves apart from within. New entrants are rushing to fill the gap with business models borrowed from legitimate tech startups, complete with integrated marketplaces, tiered pricing, and aggressive affiliate recruitment. Forum posts collected by Flare over the past several months reveal exactly how this shakeout is unfolding, from the wreckage of the old guard to the rise of self-described “ransomware cartels.”
The Giants Fall: How Black Basta and LockBit’s Collapses Reshaped Ransomware
Two of the most dominant ransomware-as-a-service operations of the past several years suffered catastrophic, self-inflicted wounds within months of each other. Black Basta fractured first. A post on the Rehub forum detailed the implosion, discussing the leak of the group’s internal Matrix chat logs.
According to the forum post, the anonymous leaker first uploaded the chat logs to MEGA before they were removed, then reposted them to a dedicated Telegram channel. The post claims that some Black Basta operators had been collecting ransoms and never providing working decryptors, effectively scamming their own victims. That internal rot, combined with the geopolitical blunder of targeting Russian financial institutions, reportedly fractured the group beyond repair. For defenders, the Black Basta implosion is a reminder that internal trust failures can be as destructive as law enforcement action. When affiliates cannot trust their own operators to deliver decryptors, the entire franchise model breaks down.
LockBit’s downfall was even more public. After surviving a major law enforcement disruption, the group limped along until unknown attackers breached its infrastructure and defaced its affiliate panels.
The resulting database dump appeared on BreachForums. LockBit’s dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contained a SQL file from LockBit’s affiliate panel database that included twenty tables, notably a “btc_addresses” table with 59,975 unique bitcoin addresses and a “chats” table containing over 4,400 victim negotiation messages.
That single database exposed the operational backbone of what had been the world’s most prolific ransomware operation: affiliate details, public encryption keys, and months of victim negotiations laid bare for anyone to download. For defenders, this kind of leak is a goldmine, offering direct insight into negotiation tactics, affiliate structures, and the financial plumbing of a major RaaS operation.
These collapses occurred against a backdrop of cratering economics. A detailed analysis posted on a dark web forum aggregated data from multiple industry sources, documenting the freefall: total traced payments dropped significantly year-over-year, with a growing majority of victims now refusing to pay outright. The post attributed the shift to improved backups, faster recovery times, and growing distrust of attackers who fail to delete stolen data even after receiving payment. When even the criminals are circulating analysis about how badly the revenue model is broken, the trend is unmistakable.
The old guard was wounded. The revenue model was breaking. What came next was not a retreat but a land grab.
The Cartel Rises: DragonForce and the New Franchise Model
With the two biggest names in ransomware either dead or crippled, the gap attracted operators whose ambitions went far beyond simply launching another affiliate program. DragonForce posted its recruitment pitch to a top-tier Russian-language forum, and the language was deliberate. Not “group.” Not “program.” Cartel.
The pitch listed cross-platform encryption binaries as small as 90-100KB, anti-DDoS protection, petabytes of storage, and 24/7 server monitoring. DragonForce even offers free call services and Kerberos/NTLM decryption as value-adds. The 80/20 split undercuts the traditional 70/30 model that most RaaS programs have used for years. In a market where affiliates are suddenly free agents, that ten-point difference is a direct play to poach talent from collapsing competitors.
A follow-up post announced “DragonForce Suppliers,” a built-in marketplace connecting access brokers directly with affiliate teams through the DragonForce panel. Written in both Russian and English, the proposition was blunt: “Whether you purchase accesses outright or take them on commission, you get a ‘golden button’ and a continuous stream of top-quality material.” For access suppliers, the platform offers direct interaction with “leading teams” and the ability to sell or consign network access under DragonForce’s oversight.
“DragonForce is not just an affiliate program, it is a full-chain platform with no analogue in the criminal underground.” That self-assessment may be grandiose, but the structural innovation is real. Integrating the access broker marketplace directly into the affiliate panel eliminates the friction of separate forum negotiations. It compresses the time between initial access acquisition and ransomware deployment. And it positions DragonForce as the central clearinghouse for the entire attack chain. This is vertical integration applied to cybercrime, a fundamentally different model than anything LockBit or Black Basta operated. For security teams, the implication is clear: the window between an access broker listing and active ransomware deployment is shrinking, possibly to hours.
From Elite to Amateur: The Full Spectrum of New RaaS Recruitment
DragonForce is not the only new player. Operators across the entire skill spectrum have rushed in, and the contrast between the top and bottom of the market has never been starker.
On the sophisticated end, The Gentlemen launched their RaaS program on a top-tier Russian forum with a pitch calibrated to attract experienced pentesters. Their headline number: 90% of ransom payments go to the affiliate.
Technical specifications in the post reveal a mature operation: a Go-based cross-platform locker supporting Windows, Linux, NAS, and BSD with XChaCha20 + Curve25519 hybrid cryptography, unique ephemeral keys per file, and multiple encryption speed modes (from 9% of file content down to 1% for “ultrafast” operations). The locker has been “proven in real cases,” the post claims, and “data recovery agencies are powerless.” Their OPSEC philosophy is notable too. By keeping infrastructure minimal (just a data leak site and Tox messaging), The Gentlemen reduce the attack surface that law enforcement can target. That is a lesson clearly learned from LockBit’s infrastructure breach.
A 90/10 split is aggressive enough to raise questions about sustainability. If The Gentlemen retain only 10% of each ransom, they need either high volume or supplementary revenue streams to maintain infrastructure. But in a market flooded with displaced affiliates, the economics of affiliate acquisition may temporarily outweigh the economics of per-deal margin.
“A new ransomware group called ‘The Gentlemen’ has emerged. They’ve set up their own DLS site on Tor, and their security level seems medium-high,” wrote one user on the Pitch forum, asking whether the group targets large companies or smaller firms. Immediate community discussion around a brand-new group reflects the intense competition for affiliate talent in a fragmented market.
At the opposite end sits ShadowByt3$, recruiting on Cracked, a clearnet forum. ShadowByt3$ charges a $250 entry fee in Monero or Bitcoin for affiliates who don’t already have corporate access. The ransomware is Windows-only, coded in Golang, and the group communicates via a public Telegram channel. “If you don’t have access to a company then you have to pay $250 in monero or bitcoin to our wallet,” the post states, adding that affiliates get 30 days to “upload a leak and has to be a real company if invalid you get banned and deleted.” The 70/30 split favoring the affiliate is standard, but the operational security is almost nonexistent: a clearnet leak site URL, a public Telegram backup channel, and ransomware screenshots hosted on MEGA.
XChaCha20 cryptography on one end. A $250 entry fee and a public Telegram channel on the other. Both emerged in the same window, competing for the same pool of would-be affiliates. Defenders must now track threats ranging from sophisticated operations to script-kiddie opportunism, all simultaneously.
Killing the Killers: The EDR Evasion Arms Race Fueling the Underground
More groups competing means more pressure to innovate, and the most dangerous innovation is not in the ransomware itself. It is in the tools that clear the path for deployment. A parallel market for EDR evasion has matured into a standalone industry, and it is the force multiplier that makes fragmentation genuinely dangerous.
“59 security products can be killed with one tool, including the expensive ones. It uses a legit Microsoft-signed driver from 2006 that still works. Microsoft’s driver blocklist is opt-in. Most companies haven’t enabled it,” explained a post on the OneHack forum describing EDRKillShifter. The tool reportedly disguises itself as a firmware update, loads the vulnerable but trusted kernel driver, and terminates any security process it encounters. Eighteen years after the driver was signed, the certificate remains valid. A single opt-in configuration change could neutralize this entire attack class, yet most organizations still haven’t flipped the switch. That asymmetry captures the challenge defenders face.
On Exploit, a separate listing advertises NtKiller, described as a kernel-level EDR killer with rootkit capabilities and a silent UAC bypass that works on all UAC levels. The listing claims it targets Windows Defender, ESET, Kaspersky, Trend Micro, CrowdStrike, and custom solutions on request. At accessible price points, even a low-budget operation like ShadowByt3$ could afford to equip its affiliates with tools designed to defeat enterprise security stacks.
C2 frameworks bundled with built-in ransomware modules represent the logical endpoint of this commoditization. An aspiring ransomware operator no longer needs to source a locker, a C2 framework, an EDR killer, and lateral movement tools separately. A single package now bundles all of these capabilities, complete with customizable Bitcoin wallet configuration and professional ransom notes. The barrier to entry has collapsed. Someone with a few hundred dollars and a Telegram account can now field capabilities that would have required a dedicated development team two years ago. For defenders, the implication is that EDR alone is no longer a reliable last line of defense. Layered detection, behavioral analytics, and proactive driver blocklist enforcement are now table stakes.
The Hidden Layer: Dual-Use Infrastructure That Outlives Any Brand
Beneath the visible churn of ransomware brands rising and falling sits an infrastructure layer designed to persist regardless of which group is operating on top of it. A post on the Gerki forum detailed how ShadowSyndicate (also known as Infra Storm) operates a network of servers identified through shared SSH fingerprints. Active since mid-2022, the group’s infrastructure has reportedly been linked to multiple major ransomware brands.
“Servers that work as VPN services by day and rob corporations by night.” That headline from the post captures the dual-use model. Researchers traced overlaps with attacks across multiple vulnerability exploitation campaigns. Individual servers matched hosts previously associated with several threat actors and ransomware operations, suggesting a shared infrastructure backbone that transcends any single brand.
This infrastructure-as-a-service model explains why law enforcement takedowns of individual ransomware brands produce only temporary disruptions. When LockBit’s panels were seized, the underlying infrastructure providers could simply redirect their services to the next client. When Black Basta collapsed, the servers kept running. Tracking ransomware brands alone is insufficient.
So what does durable detection look like? Shared SSH fingerprints are one starting point. When multiple ransomware families share the same SSH host key across different IP addresses, that overlap reveals the infrastructure provider underneath. Security teams can hunt for these fingerprints across their network telemetry, correlate them with known bulletproof hosting ranges, and flag connections to servers that appear in multiple threat contexts. Certificate overlaps and hosting pattern analysis offer similar persistence. A ransomware brand can rebrand overnight. An SSH fingerprint tied to a bulletproof hosting provider is far harder to rotate.
Ransomware groups are often tenants on shared criminal infrastructure, not standalone operations. Security teams that focus threat intelligence efforts on the infrastructure layer, rather than the brand layer, will find their detections survive the next rebrand cycle.
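The fingerprint pivot described above, as an added example that is not code from the Flare post: it computes OpenSSH-style SHA256 fingerprints from ssh-keyscan output and flags host keys that recur across IPs and threat contexts. The scan lines, key blobs and context labels are constructed placeholders, not real indicators.

```powershell
# Added example, not from the Flare post: hunt the infrastructure layer by
# pivoting on shared SSH host-key fingerprints instead of ransomware brands.
function Get-SshFingerprint {
    param([string]$Base64Key)
    # OpenSSH's SHA256 fingerprint is base64(sha256(raw key blob)) without '=' padding.
    $raw  = [Convert]::FromBase64String($Base64Key)
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($raw)
    'SHA256:' + [Convert]::ToBase64String($hash).TrimEnd('=')
}

function Find-SharedHostKeys {
    param([string[]]$ScanLines, [hashtable]$Context)
    # Group hosts by fingerprint. One key on several IPs, or tied to several
    # threat reports, points at a single backbone serving different brands.
    $byFp = @{}
    foreach ($line in $ScanLines) {
        if ($line -match '^\s*#') { continue }          # ssh-keyscan comment lines
        $ip, $type, $blob = $line -split '\s+', 3
        $fp = Get-SshFingerprint $blob
        if (-not $byFp.ContainsKey($fp)) { $byFp[$fp] = [System.Collections.ArrayList]@() }
        [void]$byFp[$fp].Add($ip)
    }
    foreach ($fp in $byFp.Keys) {
        $ips  = $byFp[$fp]
        $tags = $ips | ForEach-Object { $Context[$_] } | Where-Object { $_ } | Sort-Object -Unique
        if ($ips.Count -gt 1) {
            [pscustomobject]@{ Fingerprint = $fp; Hosts = ($ips -join ','); Contexts = ($tags -join ',') }
        }
    }
}

# Constructed sample data: three hosts, two of which share one host key.
# The blobs are placeholders encoded so they decode cleanly; they are not real keys.
$keyA = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('placeholder-host-key-A'))
$keyB = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('placeholder-host-key-B'))
$scan = @(
    "203.0.113.10 ssh-ed25519 $keyA",
    "198.51.100.7 ssh-ed25519 $keyA",
    "192.0.2.25 ssh-ed25519 $keyB"
)
# Constructed labels: which prior threat report each IP appeared in.
$ctx = @{ '203.0.113.10' = 'brand-X leak site'; '198.51.100.7' = 'brand-Y C2'; '192.0.2.25' = 'unrelated' }

Find-SharedHostKeys -ScanLines $scan -Context $ctx | Format-Table -AutoSize
```

Feed it real ssh-keyscan output or host-key fields from your network telemetry, and join the Contexts column against your own intel tags to surface one provider sitting under several brands.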
What Defenders Need to Do Now
Tracking a handful of dominant ransomware groups and building detections around their specific tooling is no longer sufficient. A fragmented market means more diverse TTPs, faster iteration cycles, and less predictable targeting patterns.
Enable Microsoft’s Vulnerable Driver Blocklist. It remains opt-in, and most organizations have not turned it on. This single configuration change neutralizes the entire class of BYOVD attacks that EDRKillShifter and similar tools depend on. It is the highest-impact, lowest-effort defensive action available right now.
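One way to audit and flip that setting, as an added example that is not from the Flare post: it reads Microsoft’s documented registry toggle for the Vulnerable Driver Blocklist, checks whether HVCI (memory integrity) is running, and enables the value if it is off. Assumes an elevated PowerShell session on Windows 10/11; a reboot is required for the change to take effect.

```powershell
# Added example, not from the Flare post: audit and enable the Microsoft
# Vulnerable Driver Blocklist that the article notes most organizations leave off.
$CiConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$ValueName = 'VulnerableDriverBlocklistEnable'

function Get-DriverBlocklistState {
    # 1 = on, 0 = off, $null = value absent (the OS default applies, which on
    # older builds without HVCI or Smart App Control is off).
    (Get-ItemProperty -Path $CiConfig -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

function Test-HvciRunning {
    # HVCI is the enforcement point for the built-in blocklist;
    # SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [bool]($dg.SecurityServicesRunning -contains 2)
}

function Test-BlocklistPolicyPresent {
    # The shipped driver block policy lives beside the other Code Integrity policies.
    Test-Path (Join-Path $env:SystemRoot 'System32\CodeIntegrity\driversipolicy.p7b')
}

function Enable-DriverBlocklist {
    if (-not (Test-Path $CiConfig)) { New-Item -Path $CiConfig -Force | Out-Null }
    New-ItemProperty -Path $CiConfig -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-DriverBlocklistState
Write-Host ("Blocklist registry value : {0}" -f $(if ($null -eq $state) { 'not set' } else { $state }))
Write-Host ("HVCI running             : {0}" -f (Test-HvciRunning))
Write-Host ("Driver block policy file : {0}" -f (Test-BlocklistPolicyPresent))

if ($state -ne 1) {
    Enable-DriverBlocklist
    Write-Host 'Blocklist enabled in registry; reboot to apply.'
}
```

If HVCI is not running or the policy file is absent, the registry toggle alone is not enough; deploy Microsoft’s recommended driver block rules as a WDAC policy through your management tooling instead.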
Monitor access broker marketplaces as leading indicators. DragonForce’s Suppliers platform is integrating this market directly into the affiliate workflow, which means the time between access sale and ransomware deployment will compress. Organizations should track mentions of their own domains, IP ranges, and employee credentials across broker channels to catch intrusions before ransomware lands.
Prepare for data-theft-only extortion. As payment rates decline, more operators are skipping encryption entirely and relying solely on the threat of data exposure. This requires different detection strategies: monitoring for unusual data staging and exfiltration patterns, large outbound transfers to cloud storage or Tor, and anomalous access to sensitive file shares becomes as critical as detecting encryption behavior. Traditional ransomware playbooks focused on file modification alerts will miss these attacks entirely.
Hunt for infrastructure, not just brands. Shared SSH fingerprints, certificate reuse, and hosting pattern overlaps offer detection opportunities that persist across rebrand cycles. Build threat intelligence workflows that track these indicators alongside the usual IOCs.
The ransomware economy is not dying. It is restructuring, and the new entrants are building operations designed to survive in a low-margin, high-volume environment. Defenders who understand this shift will be better positioned than those still watching for the next LockBit.
Flare monitors dark web forums, ransomware leak sites, and illicit Telegram channels to provide early warning of new RaaS recruitment, affiliate migration, and infrastructure changes. To learn how Flare can help your team track these threats as they develop, visit flare.io.