Ransomware Ecosystem Updates: DragonForce, The Gentlemen, Gunra, and Reynolds BYOVD Evasion
Multiple reports detailed emerging and evolving ransomware operations and the tactics they use to scale. DragonForce has positioned itself as a “cartel”-style Ransomware-as-a-Service (RaaS) operation, using dark web forums (e.g., BreachForums, RAMP, Exploit) for recruitment and promotion, and advertising capabilities such as a payload builder (“RansomBay”) and victim-pressure services (including harassment calls). Separate profiling described The Gentlemen as an emerging double-extortion ransomware group first clearly observed in active campaigns in 2025, with a Go-based locker supporting Windows, Linux, and ESXi, and an operator-controlled execution model that requires a password parameter.
Additional research reported Gunra as a RaaS operation with a newly launched affiliate program advertised on dark web forums in January 2026; researchers claimed access to affiliate-panel credentials and obtained a live sample for technical analysis, describing configurable attack parameters, selective encryption, and path exclusions intended to keep the victim system operable so that payment remains possible. Separately, analysis of the Reynolds ransomware family highlighted built-in BYOVD defense evasion: the ransomware payload bundles a vulnerable NsecSoft NSecKrnl driver and loads it to disable EDR, an approach that removes the need for a separate pre-ransomware EDR-killer stage and reflects continued innovation in endpoint security bypass techniques.
Timeline
Feb 12, 2026
SOCRadar profiles The Gentlemen's operations and victim pattern
SOCRadar published a profile in February 2026 describing The Gentlemen's campaigns across at least 17 countries and multiple sectors, with victim claims continuing into January 2026. The profile also summarized the group's attack chain, tooling, and recommended mitigations.
Feb 12, 2026
S2W reports DragonForce's scale and updated ransomware features
By February 2026, S2W reported that DragonForce had targeted 363 companies between December 2023 and January 2026. The reporting also described updated Windows ransomware metadata, ChaCha8-based configuration decryption, and a beta feature for extension-based encryption rules.
Feb 11, 2026
CloudSEK infiltrates Gunra's affiliate program and obtains sample
After engaging via the Tox contact in the Gunra advertisement, CloudSEK researchers said they infiltrated the program, obtained a PDF guide, gained access to the RaaS management panel, and retrieved a live ransomware sample. This enabled a technical analysis of the locker's encryption, exclusions, ransom note, and execution behavior.
Jan 1, 2026
Gunra affiliate program is advertised on Ramp Forum
In January 2026, Gunra's affiliate program was advertised on the Ramp Forum. The advertisement promoted cross-platform targeting across Windows, Linux, ESXi, and NAS systems on both x86 and ARM architectures.
Dec 1, 2025
DragonForce posts peak monthly victim volume
DragonForce's activity peaked in December 2025, when 35 victims were posted in a single month. This reflected a major escalation within a campaign that reportedly hit 363 companies from late 2023 through January 2026.
Sep 1, 2025
The Gentlemen advertises a RaaS affiliate program
In September 2025, a dark web post advertised The Gentlemen's ransomware-as-a-service program. The post described a 90% affiliate payout, centralized operator-controlled infrastructure, and support for Windows, Linux, and ESXi targets.
Aug 1, 2025
The Gentlemen starts active ransomware campaigns
The Gentlemen was first observed conducting active ransomware campaigns in August 2025. The group quickly showed a mature double-extortion model and cross-platform targeting.
May 1, 2025
Gunra ransomware activity is first observed
Researchers first observed Gunra ransomware activity in May 2025, marking the emergence of the operation before its later affiliate recruitment push. This is the earliest reported activity tied to the Gunra group in the references.
Dec 1, 2023
DragonForce ransomware activity begins
DragonForce began operating as a ransomware-as-a-service operation in December 2023. It later promoted itself on dark web forums and developed a broader affiliate-driven model.
Related Stories

Ransomware Ecosystem Fragmentation and the Emergence of DragonForce
Threat intelligence reporting describes **DragonForce** as a rapidly evolving ransomware operation that brands itself as a “cartel” and runs an affiliate service called *Ransombay*, offering customizable payload options and reportedly advertising an **80% revenue split** to attract pentesters and initial access brokers. Researchers assess DragonForce’s tooling as heavily derived from **LockBit 3.0** and **Conti**, and report signs of consolidation behavior, including infrastructure/code overlap with groups such as **BlackLock**, **RansomHub**, and **LockBit**; one cited incident involved DragonForce abusing a rival’s misconfiguration and a **Local File Inclusion (LFI)** weakness to obtain information including credentials, followed by defacement of the rival’s leak site.

Separate industry reporting indicates ransomware victimization continued to rise sharply in 2025, with GuidePoint Security tracking a **58% year-over-year increase** and **7,515 claimed victims** across leak sites, alongside a more **fragmented** landscape (124 named groups, up 46% from 2024). The same reporting highlights concentration of victimization in the **United States (55%)** and heavy targeting of **manufacturing**, with healthcare also significantly impacted (500+ victims) and **Qilin** described as the most prolific RaaS group in 2025 with disproportionate healthcare targeting—context that aligns with the broader trend of many smaller, high-volume groups rather than a few dominant actors.
1 month ago
DragonForce Ransomware Expands RaaS Operations With Dual-Extortion and a “Cartel” Affiliate Model
**DragonForce**, a ransomware-as-a-service (RaaS) operation that emerged in 2023, has been linked to a growing set of intrusions targeting “critical business” environments across multiple industries, with a focus on **manufacturing, business services, technology, and construction**. Reporting attributes **dual-extortion** tactics to the group—stealing data prior to encryption and then threatening publication on a **data leak site (DLS)** to increase pressure on victims. Researchers also describe DragonForce as operationally adaptable, including changes in how it hosts and organizes leaked victim data. LevelBlue analysis cited in reporting indicates DragonForce has evolved its business approach beyond a typical affiliate program into a **“cartel” model**, allowing member groups to operate under their own brands while leveraging shared DragonForce infrastructure and services. Described offerings to affiliates include large-scale storage, continuous server monitoring, support services around file analysis/decryption, and assistance with test attacks; LevelBlue also highlighted a “**Company Data Audit**” service intended to help affiliates value stolen data and shape negotiation pressure (including prepared communications such as scripts and executive-facing letters). The group’s tooling is described as **multi-platform**, with the ability to target **Windows, Linux, ESXi, BSD, and NAS** systems and to use different encryption modes (e.g., full, header, partial), increasing potential impact across enterprise and virtualized environments.
1 month ago
Ransomware and initial-access tradecraft evolves with new evasion and extortion techniques
Reporting and research published in mid-January 2026 highlights continued **high ransomware activity** and rapid evolution in initial-access and evasion tradecraft. A Symantec/Carbon Black Threat Hunter Team study cited by *Help Net Security* reports ransomware actors claimed **4,737 attacks in 2025**, with only brief slowdowns after major disruptions; the abrupt April 2025 shutdown of **RansomHub** was followed by affiliates quickly shifting to other operations, while **LockBit** failed to recover after late-2024 law-enforcement action. The same reporting notes a broader shift toward **extortion models that don’t rely on encryption**, emphasizing data theft and coercion as groups diversify pressure tactics.

Multiple technical reports describe how attackers are improving delivery and resilience. *BleepingComputer* says **Gootloader** now uses heavily malformed ZIP files—concatenating **500–1,000** ZIP archives and manipulating ZIP structures (e.g., truncated `EOCD`)—to crash or defeat common analysis tools while still extracting via Windows’ default utility, supporting its role as an initial-access vector often preceding ransomware. *The Register* reports **DeadLock** ransomware uses **Polygon smart contracts** to frequently rotate proxy infrastructure for victim communications (via an HTML wrapper pointing victims to the *Session* messenger), complicating blocking and takedown efforts; Group-IB notes DeadLock also departs from typical double-extortion by lacking a public data-leak site and instead threatening underground data sales.
Separately, Microsoft-observed phishing described by *KnowBe4* shows threat actors exploiting **email routing/spoofing misconfigurations** to make phishing appear internal (often leveraging **Tycoon2FA**), while ReliaQuest’s trend report and a separate write-up on **CastleLoader** describe human-driven initial access (spearphishing/drive-by) and social-engineering lures such as **ClickFix** being used to stage loaders and follow-on payloads—underscoring that access-broker and loader ecosystems continue to feed ransomware and broader intrusion activity.
1 month ago
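The Gootloader item above describes two ZIP-level tricks: many archives concatenated into one file, and a truncated End Of Central Directory (EOCD) record. Both exploit the gap between what a ZIP parser sees (it locates the last EOCD and trusts the central directory it points to) and what the file actually contains. The following is an added example, not code from the original report or from any vendor it cites, showing a defender-side structural check that counts ZIP signatures across the whole file instead of trusting the trailing EOCD. The sample archives are constructed inline for illustration; the field layout is the standard PKZIP EOCD record, and the comparison against Python's `zipfile` shows how much a conventional parser silently ignores.

```python
"""Structural sanity checks for ZIP files that may have been concatenated
or had their EOCD record truncated (added example; sample data constructed)."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"   # one per stored member
CENTRAL_DIR_SIG = b"PK\x01\x02"    # one per central-directory entry
EOCD_SIG = b"PK\x05\x06"           # end of central directory record
EOCD_MIN_LEN = 22                  # fixed part of EOCD, excluding the comment


def inspect_zip(data: bytes) -> dict:
    """Scan the raw bytes for ZIP signatures and report structural anomalies.

    Signature counting is deliberately naive: it does not walk the structures,
    so it still works on files a real parser rejects. Compressed member data
    can in rare cases contain a signature by chance, so treat counts as hints.
    """
    eocd_offsets = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        eocd_offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)

    local_headers = data.count(LOCAL_HEADER_SIG)
    central_entries = data.count(CENTRAL_DIR_SIG)

    truncated_eocd = False
    eocd_total_entries = None
    if eocd_offsets:
        last = eocd_offsets[-1]
        if len(data) - last < EOCD_MIN_LEN:
            # The signature is there but the 22-byte record does not fit.
            truncated_eocd = True
        else:
            # sig, disk_no, cd_disk, entries_this_disk, total_entries,
            # cd_size, cd_offset, comment_len
            fields = struct.unpack_from("<4sHHHHIIH", data, last)
            eocd_total_entries = fields[4]

    flags = []
    if not eocd_offsets:
        flags.append("no_eocd")
    if len(eocd_offsets) > 1:
        flags.append("multiple_eocd")
    if truncated_eocd:
        flags.append("truncated_eocd")
    if eocd_total_entries is not None and local_headers > eocd_total_entries:
        # More member headers on disk than the trailing EOCD admits to.
        flags.append("local_headers_exceed_central_directory")

    return {
        "eocd_count": len(eocd_offsets),
        "local_headers": local_headers,
        "central_entries": central_entries,
        "eocd_total_entries": eocd_total_entries,
        "truncated_eocd": truncated_eocd,
        "flags": flags,
    }


def visible_members(data: bytes):
    """What a conventional parser (Python's zipfile) reports; None if rejected."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def build_zip(name: str, content: bytes) -> bytes:
    """Build a minimal single-member, uncompressed ZIP (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean archive, five archives glued together, and a
# clean archive with the tail of its EOCD chopped off.
NORMAL = build_zip("readme.txt", b"benign sample content")
CONCATENATED = b"".join(build_zip(f"part{i}.txt", b"x" * 16) for i in range(5))
TRUNCATED = NORMAL[:-8]

if __name__ == "__main__":
    for label, blob in (("normal", NORMAL), ("concatenated", CONCATENATED),
                        ("truncated", TRUNCATED)):
        print(label, inspect_zip(blob)["flags"], "parser sees:", visible_members(blob))
```

The interesting result is the concatenated case: `zipfile` opens it without complaint and lists a single member (the last archive's), because it reads only the final EOCD and treats everything before that archive as harmless prepended data, while the signature scan finds five local headers and five EOCD records. A triage pipeline that gates on "did the parser succeed" therefore never sees the extra payloads; gating on the `flags` list does.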