Ransomware War Ignites: DragonForce & RansomHub Clash Threatens Businesses with Re-Extortion
The hacker collective known as DragonForce, responsible for a series of high-profile cyberattacks targeting British retail giants such as Marks & Spencer, Harrods, and Co-Op, has now ignited an all-out confrontation with the rival cybercrime syndicate RansomHub. This clash between two ransomware-as-a-service (RaaS) factions threatens to escalate the frequency of attacks and amplify risks for businesses—potentially leading to repeated extortion demands.
Throughout 2025, DragonForce has aggressively distributed malicious tools on the dark web and granted access to its attack infrastructure to affiliated threat actors. Among these affiliates is the notorious Scattered Spider group, linked not only to the M&S breach but also to a recent cyberattack on Australian airline Qantas.
Tensions with RansomHub surfaced in March when DragonForce declared itself a “cartel” and broadened its offerings in a bid to lure additional affiliates. Shortly thereafter, RansomHub’s website was taken offline, replaced by a cryptic message reading “R.I.P 3/3/25”—an act many analysts interpret as a deliberate takedown by DragonForce. In retaliation, a RansomHub member defaced DragonForce’s platform with a profane message, branding the group as traitors.
According to analysts, DragonForce may be actively poaching affiliates from rival syndicates. Sophos reports suggest the group could also be involved in attacks against competing RaaS operators, including BlackLock and Mamona. This brewing instability within the cyber-extortion underground poses a mounting threat to organizations globally.
While incidents of re-extortion remain rare, they are not unprecedented. In 2024, U.S.-based UnitedHealth Group fell victim to such a scheme when Notchy—an affiliate of RansomHub—demanded a second ransom after their original partner absconded with $22 million without sharing the spoils.
Experts warn that the worst-case scenario in the feud between DragonForce and RansomHub would be both groups targeting the same victim independently. In a lawless landscape where alliances are fragile and betrayal is commonplace, such overlaps could result in companies facing multiple, conflicting ransom demands.
Cybersecurity Ventures estimates that global damages from cybercrime could reach $10 trillion in 2025, up from $3 trillion in 2015. DragonForce has already claimed responsibility for 82 victims this year, while RansomHub reported more than 500 targeted organizations in 2024 alone. As these criminal networks chase higher profits and scramble to dominate the illicit market for “clients,” their tactics grow increasingly volatile and perilous.