Turf War Between Ransomware Gangs Puts Businesses at Greater Risk
The cyber criminal world isn’t just attacking companies. It’s turning on itself.
DragonForce, the hacking group linked to recent cyber attacks on UK retailers including Marks & Spencer, Harrods, and the Co-Op, is now locked in a turf war with rival group RansomHub. This growing conflict between two of the biggest ransomware operations has security experts warning of increased threats, more attacks, and even multiple extortion attempts on the same companies.
Two Gangs, One Market
DragonForce and RansomHub both operate on the ransomware-as-a-service (RaaS) model. This means they provide tools and infrastructure to other hackers (known as affiliates) who use them to break into companies and demand ransoms.
One of the groups linked to DragonForce, Scattered Spider, is believed to be behind both the M&S breach and a recent hack targeting Australian airline Qantas.
The RaaS market is highly competitive. Affiliates can jump between providers, and each gang wants to offer more powerful tools, better support, and a wider reach to win business. That competition is now turning hostile.
What Triggered the Fallout?
Tensions between the groups flared up in March 2025, when DragonForce rebranded itself as a “cartel.” This move expanded its services and was clearly aimed at attracting more affiliates.
Around the same time, RansomHub’s dark web site was mysteriously taken down and replaced by a message that read: “R.I.P 3/3/25.” According to cyber security firm Sophos, this was likely a hostile takeover by DragonForce. In retaliation, someone associated with RansomHub defaced DragonForce’s site and called them “traitors.”
Experts believe DragonForce has also gone after other gangs’ infrastructure, including sites linked to groups like BlackLock and Mamona.
Why This Matters to Businesses
This isn’t just drama between criminals. The fallout has real-world consequences for companies.
According to Toby Lewis, Global Head of Threat Analysis at Darktrace, there is “no honour among thieves.” He explains that rival gangs may now try to hit the same target just to prove they’re more powerful. That means companies already recovering from a ransomware attack could be hit again, this time by a competing group.
Genevieve Stark, Head of Cyber Crime Analysis at Google’s Threat Intelligence Group, warns that this kind of instability can increase the number of attacks and make recovery much harder for victims.
It’s Happened Before
This isn’t the first time rivalry between hacking groups has affected victims.
In 2023, UnitedHealth Group in the US was the target of double extortion. A hacker affiliate group called Notchy claimed their original ransomware partner had stolen the first ransom payment of 22 million dollars and faked their own disappearance. Notchy then approached RansomHub to demand a second ransom from the same victim.
While follow-up extortion attempts like this are still rare, security experts say they are becoming more common as gang rivalries grow and trust breaks down within these groups.
The Bigger Picture
Cyber crime is booming. According to Cybersecurity Ventures, the global cost of cyber attacks is expected to reach 10 trillion dollars by 2025. That is up from 3 trillion dollars just ten years ago.
Since being identified in August 2023, DragonForce has claimed 82 victims, according to Group-IB. RansomHub, which also rose to prominence in 2023, listed around 500 victims on its dark web site in 2024 alone.
With gangs fighting over affiliates and territory, the risks for businesses are higher than ever. It is no longer just about defending against one attacker. Companies could now face multiple threats from different groups, sometimes even at the same time.
Expert Advice
Rafe Pilling, Director of Threat Intelligence at Sophos, put it plainly:
“Cyber criminals are a ruthless bunch and a betrayal between partners can result in a situation where the victim gets extorted twice.”
Jake Moore, Global Cyber Security Adviser at ESET, added:
“Remember this is a wild west, lawless environment where normal competition rules simply do not apply.”
What Companies Should Do
- Stay vigilant. Just because you’ve been attacked once doesn’t mean you’re safe from more.
- Harden defences. Regular patching, endpoint protection, and employee awareness are more vital than ever.
- Prepare for the unexpected. Have a solid incident response plan and review it often.
When cyber gangs fight, it is businesses that end up in the crossfire.