Auritz Obertson
A clash between criminal ransomware groups could result in victims being extorted twice.
The ransomware group linked to the recent cyberattacks on UK retailers Marks and Spencer, Harrods, and the Co-Op has begun a turf war with its rivals, triggering a battle within the industry that could bring more hacks and further fallout for corporate victims.
DragonForce, a group of largely Russian-speaking cyber criminals behind a spate of high-profile attacks this year, has clashed with one of its biggest competitors RansomHub, according to cybersecurity experts tracking the battle to dominate the booming criminal ransomware sector.
They warn that the conflict between the two groups, which operate in the ransomware-as-a-service (RaaS) market, could increase risks for companies, including the potential of being extorted twice.
Toby Lewis, global head of threat analysis at Darktrace, said there was “no honor among thieves†in the hacking world.
´Most cybercrime groups have an ingrained need for kudos and one-upmanship that could lead them to attempt to 'outcompete' each other by trying to attack and extort the same target,´ he added.
RaaS gangs function by selling the tools and infrastructure needed to access the internal systems of companies and extort them for money. They operate on the dark web where they battle to sell services to those seeking to commit cybercrime, known as “affiliates,†such as Scattered Spider, which has been linked to the M&S attack and last week's hack on Australian airline Qantas.
The relationship between DragonForce and RansomHub soured after the former rebranded itself as a “cartel†in March, which widened the services it offered and expanded its reach to attract more affiliate partners.
In the same month, RansomHub's site was taken down with a marker left stating 'R.I.P 3/3/25', believed to be a hostile takeover by DragonForce, according to cybersecurity group Sophos. In retaliation, a RansomHub member defaced DragonForce's site, labelling them 'traitors'.