EXPOSING YOUR RANSOMWARE ADVERSARIES

Threat Actor Index: Knowledge is Power

Welcome to the Halcyon Ransomware Threat Actor Index, a comprehensive catalog of the most prominent threat actors and ransomware families, to shed light on the ransomware ecosystem. Discover their techniques, tactics, procedures and targeted industries. Make informed decisions, and stay resilient in the face of ransomware.
THREAT ACTOR:

DragonForce

EMERGENCE DATE:
August 2023
CATEGORIZATION:
Selective Affiliate Model
THREAT LEVEL:
7.8
OVERVIEW DESCRIPTION:

DragonForce has emerged as one of the more active Selective Ransomware-as-a-Service operations of 2024-2025, evolving from hacktivist origins to a revolutionary cartel platform model that represents a paradigm shift in the threat landscape.
Operating as both a Selective RaaS and Infrastructure Service Provider, the group maintains a dual-variant architecture using both LockBit 3.0 and Conti V3 builders, while offering unprecedented affiliate incentives through their 80/20 revenue split and white-label infrastructure services.

THREAT ACTOR:

Medusa

EMERGENCE DATE:
June 2021
CATEGORIZATION:
Ransomware-as-a-Service
THREAT LEVEL:
7.7
OVERVIEW DESCRIPTION:

Emerging in June 2021 as a closed operation before transitioning to RaaS by early 2023, the threat actor achieved Halcyon Frontrunners status and third-place global ranking by Q2 2025. Distinguished by kernel-level EDR disablement using the ABYSSWORKER driver via BYOVD techniques and FBI-documented triple extortion demanding additional payment for the "true decryptor," the operation targets healthcare, education, manufacturing, and government sectors. Operating without law enforcement disruption for over four years, attack volume nearly doubled in early 2025 while zero-day exploitation capabilities and continuous technical advancement position the group among the most persistent threats currently active.

THREAT ACTOR:

SafePay

EMERGENCE DATE:
September 2024
CATEGORIZATION:
Closed Group
THREAT LEVEL:
7.7
OVERVIEW DESCRIPTION:

SafePay ransomware emerged in September-October 2024 as an independent ransomware operation that rapidly ascended to become the most active group globally by May 2025. The group employs double extortion tactics, leveraging modified LockBit source code while maintaining aggressive operational tempo with consistent 24-hour encryption timelines.

THREAT ACTOR:

Scattered Spider

EMERGENCE DATE:
May 2022
CATEGORIZATION:
Selective Affiliate Model
THREAT LEVEL:
7.6
OVERVIEW DESCRIPTION:

Scattered Spider emerged in May 2022 as an evolution of "The Community" network, representing one of the most elite English-speaking threat organizations currently operating. The group combines social engineering capabilities with cloud exploitation expertise, demonstrating operational adaptability and resilience against law enforcement disruption.

Operating through a decentralized franchise model rather than traditional hierarchical structures, the group maintains strategic partnerships with ransomware groups including RansomHub, and has possible ties to Cicada 3301. Scattered Spider also deploys multiple ransomware variants including DragonForce, Qilin, and Akira.
