Gang Wars: Breaking Trust Among Cyber Criminals

By John Fokker and Jambul Tologonov · August 5, 2025

Introduction

In the final, unforgettable scene of the film Reservoir Dogs, a group of criminals — once united by a common goal — stand in a Mexican standoff, guns drawn, hearts pounding. Suspicion has shattered loyalty. One betrayal too many, and the trust holding them together collapses. Within seconds, they turn on each other.

This isn’t just Hollywood. It’s what the ransomware underground looks like today.

Over the past few years, the Ransomware-as-a-Service (RaaS) model rose to dominance, structured like criminal empires, complete with brands, affiliate programs, and professional operations. What once looked like organized crime, now more closely resembles a paranoid, fractured ecosystem where loyalty is temporary and betrayal is expected.

Today, we’re watching the RaaS model unravel.

External intervention by law enforcement has shifted tactics from not only arresting individuals to undermining the very foundation of cybercriminal collaboration: trust. The result? A growing storm of infighting, exposure, and fragmentation. Affiliate crews jump ship. Admins double-cross each other. And group rivalry is creating public disputes that expose just how fragile the ecosystem has become.

It is not often that we witness disputes between ransomware groups. The current ransomware landscape has gotten so competitive that ransomware operators are trying their best to retain and recruit affiliates and partners into their programs to keep operations afloat and generate profit for the ransomware owners.

What are we seeing now?

Today, the ransomware ecosystem has become so fractured that it is difficult to determine which affiliates belong to specific RaaS programs, let alone which RaaS gangs are cooperating and/or friendly with each other. Affiliates are easily moving their targets from one RaaS program to another, betraying the trust within ransomware gangs. They chase easy and fast money, therefore, internal or operational issues within a RaaS program only reduce their chances of successful payment from victim organizations.

Consequently, affiliates have become more agile, often operating as “lone wolves” who will not hesitate to pursue their targets with a competitor RaaS gang if necessary. This becomes very clear when we look at the frequency of the different groups posting their victims on their online leak site in January 2024 versus May 2025, with the latter being much more scattered with new groups appearing weekly.

It’s common today for affiliates to wear two or more hats and keep access to multiple competing ransomware gangs. There are many reasons for this.

Recent law enforcement actions against ransomware groups like LockBit, Phobos, and potentially other syndicates have made ransomware affiliates more careful and resilient. These law enforcement operations had a proven impact on trust in the underground ransomware economy. If one RaaS group goes down, affiliates need to quickly recuperate, transfer their targets to another reputable ransomware group to continue victim negotiation, and ultimately secure their ransom payment.

Furthermore, exit scams by ransomware groups like ALPHV have led affiliates to realize that they cannot trust ransomware operators and should rely on themselves, always having a backup plan. Considering the proliferation of RaaS groups with short lifespans, and the constant emergence of new spinoffs and rebrands every couple of months, it's evident that this represents a natural evolution for the ransomware affiliate model. They are becoming independent penetration testers and access and data owners, and will do everything in their power to increase their chances of financial gain.

Another consideration is the current diversity within the ransomware landscape, as every newcomer RaaS operator attempts to differentiate themselves in some way. Qilin RaaS, for instance, offers legal advice to affiliates during ransom negotiation; others focus solely on data-extortion schemes like World leaks RaaS; while some create a ransomware cartel like DragonForce, inviting other RaaS groups to join under their umbrella brand. Nova RaaS recently offered lifetime affiliate access to their RaaS program for as little as $800 USD. These are just examples of creative ways operators stand out and incentivize affiliates to join them.

The instability of the current RaaS model is also causing significant problems for ransomware victims. They face an increased risk of extortion by multiple RaaS groups, as threat actors are proving unreliable and failing to uphold their agreements.

In this blog, we will cover some of the recent feuds and clashes observed by the Trellix Advanced Research Center in underground forums. We’ll describe how far ransomware gangs go in this competitive, fast-evolving ransomware ecosystem and how we’ve seen affiliates being loyal to only themselves and not the ransomware syndicates they work for.

Affiliate notchy versus ALPHV and RansomHub

In March 2024, ALPHV RaaS affiliate notchy publicly claimed their pentesting team had been scammed by the ALPHV ransomware operator, despite a long-standing collaboration. According to notchy, the victim organization, a US healthcare provider, paid a $22 million USD ransom. However, notchy and their team were not compensated, and their affiliate accounts were suspended. The actor, notchy, claimed to still possess 4TB of sensitive data belonging to the victim and its partners.

Actor koley, the operator of RansomHub RaaS, which launched its ransomware program in February 2024, advised notchy to retain the victim data. One month later in April 2024, the healthcare provider was added to the RansomHub data leak blog with a description identical to notchy's post on the RAMP underground forum, suggesting that notchy potentially joined RansomHub RaaS, as shown in Figure 4.

RansomHub operator koley stated if ALPHV RaaS operator ransom had “dignity of a man” they would return the money to notchy and that many affiliates will leave ALPHV as the result of the operator’s actions, as shown in Figure 5.

In April 2024, koley stated the ALPHV-scammed affiliates were actively joining the RansomHub RaaS program.

ALPHV RaaS attempted to resolve the dispute with notchy, requesting patience. However, ALPHV ransomware operator ransom ultimately absconded with the funds, orchestrating an exit scam from their affiliate program. They further disseminated a fabricated FBI takedown notice on their TOR website, falsely claiming their gang's dissolution due to law enforcement intervention.

Translation of Figure 6:

Fast forward one year to April 2025. RansomHub RaaS, which was one of the most active ransomware programs of the last year, announced they were attacked and betrayed by certain affiliates within their gang. They called notchy disloyal, saying they brought notchy in after the ALPHV scam, made them money, and in return notchy left RansomHub right before they were attacked, as shown in Figure 7.

The migration of high-profile affiliates such as notchy from ALPHV RaaS to RansomHub and their subsequent departure from RansomHub prior to them being attacked exemplifies a current trend we are observing in ransomware development. In this lone wolf model, affiliates retain control over victim network access and data.

Should a RaaS operator encounter issues, affiliates readily transition to an alternative RaaS group, indicating a lack of enduring loyalty or commitment to the ransomware brand. Affiliates continue to target victims, extract ransoms, and remit their share to the gang as long as the RaaS operates under mutually beneficial terms. If they face any issues with law enforcement or from competitors causing operational downtime, the affiliates are more than ready to take their targets to a competing RaaS.

Trellix also observed speculation in underground forums where certain threat actors claim RansomHub is a successor to ALPHV ransomware, though we have found no evidence to support the assertion, as shown in Figure 8.

Translation of Figure 8:

DragonForce versus Blacklock

Another interesting case is DragonForce RaaS attacking Blacklock (aka Eldorado and Mamona R.I.P.) ransomware gang. In March, 2025 the Blacklock ransomware operator $$$ attempted to rebrand Blacklock ransomware to Mamona R.I.P. RaaS. However, the rebranded ransomware group was almost immediately hacked by the DragonForce gang, as shown in Figure 9.

DragonForce RaaS defaced the Mamona R.I.P. and Eldorado ransomware TOR sites with the text “DragonForce - work without paranoia” and published the content of /etc/passwd and .env files obtained from the hacked systems, as well as the sample chat dump between the Mamona R.I.P. support and a target (potential victim organization), as shown in Figure 10.

What is interesting is that $$$ did not accuse DragonForce gang of attacking Blacklock and instead simply acknowledged their infrastructural mistakes, advising it could have been worse and as soon as they get up from their knees, they will inform the underground community on their restored ransomware blog.

In April 2025, their Mamona R.I.P. blog reverted back to Blacklock RaaS. The Mamona rebrand was a failure and had it not had a fateful extension “R.I.P” next to its name, perhaps it would not have had such a short lifespan.

The operator $$$, however, has not stopped with spinoffs and rebranding attempts. In June 2025 they introduced another RaaS called Global ransomware. Trellix Advanced Research Center is continuing to monitor the development of Global ransomware which $$$ claims has an integrated AI-assisted chat — another way to differentiate a RaaS from its rivals.

This was not the only attack from DragonForce RaaS on its competitor infrastructure.

DragonForce versus RansomHub

In March 2025 DragonForce RaaS announced they are now The DragonForce Ransomware Cartel. They stated it is time for change, therefore they are introducing a new direction and a new working model where affiliates can create their own brand without needing to operate under the DragonForce name. By doing so, DragonForce hoped to attract those lone wolves to join their cartel, create a brand of their own, and work to turn their targets into victims without associating with the DragonForce brand.

In April 2025, DragonForce insinuated that RansomHub RaaS, though inactive, moved temporarily to DragonForce infrastructure and that RansomHub was a reliable ransomware partner. They made a demo of RansomHub's TOR pages under DragonForce Ransomware Cartel and offered RansomHub to consider their suggestion to move permanently under DragonForce’s cartel umbrella, as shown in Figure 11.

In late April 2025 and after some period of inactivity on the RAMP forum, RansomHub operator koley posted they had identified traitors within the gang and would be revealing the real identities of some. Additionally, they asked their affiliates to transfer one BTC to a dedicated cryptocurrency address to demonstrate their loyalty and commitment to RansomHub, as shown in Figure 13.

Furthermore, koley mentioned they know DragonForce has contacts within the Federal Security Services (FSB) of Russian, just as RansomHub, saying, “you ran into troubles, this is a war.”

RansomHub operator koley further expressed outrage at DragonForce, accusing them of attacking Mamona RaaS and now RansomHub, referring to the DragonForce statement on Blacklock ransomware’s blog suggesting they “work without paranoia.” koley vehemently denied any affiliation with DragonForce's cartel, dismissing it as “fed honey” (law enforcement honeypot) and highlighting DragonForce's untrustworthiness, especially after their false denial of attacking RansomHub.

In a furious outburst, koley called dragonforce a coward and alleged that DragonForce leverages “feds to steal and shut others,” possibly referring to the FSB cooperation. RansomHub, in contrast, admitted to contacting “feds for traitors” only. The operator koley concluded with a grim warning to DragonForce: no more talks, next time we talk will be over your grave, see you in hell.

A few days later, koley suggested that DragonForce's TOR sites were down due to internal traitors within the gang. koley further alleged that RansomHub had hacked the DragonForce website in retaliation and insinuated that they had successfully infiltrated and attacked the DragonForce gang from within the RaaS, as shown in Figure 16.

DragonForce reported they quickly restored their TOR infrastructure and they are currently transferring data. They contrasted their situation with RansomHub, whom they claim are forced to expose their partners and cooperate with authorities. DragonForce clarified that any attacks targeting critical infrastructure, hospitals, or CIS countries using their ransomware lockers are provocations by unscrupulous partners. Consequently, DragonForce stated they will strengthen their affiliate rules and limit access issuance to new affiliates.

Subsequently, in late June 2025, DragonForce posted their new affiliates rules, where they stated new affiliates either need to be referred by existing members of DragonForce or provide a deposit of $10,000 USD, as shown in Figure 18.

RansomHub, however, appears to have ceased operations, with their last victims posted on TOR sites in April 2025. Similarly, the RAMP threat actor koley has been inactive since April 2025 since declaring war on the DragonForce gang.

It is interesting to note that in early April 2025, an actor named Rjun claimed on the XSS underground forum that the Russian Internal Affairs Ministry thwarted RansomHub's attempted resurgence. This law enforcement intervention was attributed either to an alleged attack on critical infrastructure within CIS countries or a potential internal leak within RansomHub that compromised vital information:

Translation of Figure 19:

The Trellix Advanced Research Center could not validate the above claim as we suspect Rjun is a rival ransomware operator themselves. However, it is evident that ransomware gangs are intensely competitive, readily setting up rivals, damaging their reputation, and ultimately causing the shutdown of RaaS programs. Additionally, certain ransomware operators appear willing to cooperate with local law enforcement. This cooperation may involve seeking protection and approval for their illicit activities, or providing information about affiliates deemed rivals or traitors.

We are observing conflicts between RaaS programs lead to ransomware gangs restricting access to new affiliates and/or scrutinizing the loyalty of current ones. They fear traitors and competitors who seek to provoke them by infiltrating their RaaS and violating rules (e.g., attacking CIS entities) to undermine them or harm their reputation.

Furthermore, ransomware gangs are growing increasingly vigilant, carefully checking their infrastructure and software before rollout. This is a direct response to competitors known for pentesting the ransomware gangs infrastructure and publicly exposing weaknesses, which deters potential new affiliates from joining.

Qilin versus LockBit

In mid-April 2025, Qilin ransomware operator Haise posted on the RAMP forum they are looking for new affiliates to join their RaaS. LockBit replied saying they don't like the gang’s name which to them sounds like “Culin” or “Cunnilin” and they would not work with a RaaS with such a name.

Haise’s immediate response was to say people do not want to work with a ransomware group which is constantly scamming its affiliates. Haise referred to a scam in January 2024 when LockBit-related monikers were banned from XSS and Exploit forums due to not paying $4 million USD to LockBit affiliate michon for providing corporate access to the victim’s network.

This was controversial and LockBit refused to pay their affiliate. However, RAMP administrators decided to not ban LockBit on the forum, contrary to other two reputable underground forums. Haise’s accusation of LockBit running a scam RaaS flared LockBit up and they demanded Haise provide proof of the scam and create a complaint on the RAMP forum instead of the “bullshit” they say about LockBit gang.

The underground forum fight continued by LockBit stating, “Cunnilini will soon die out, don't ask why, relay this admin panel with auto-registration to your affiliates and don’t enter it yourself, 5 minutes and you are ready to start working.” Haise refrained from creating a black (a complaint on the forum), stating they “don’t see the point to ban anyone. Many affiliates are coming to Qilin and telling us about problems with LockBit and how LockBit scammed them.”

Translation of Figure 20:

Translation of Figure 21:

Furthermore, when LockBit’s admin panel got leaked, Haise eagerly jumped into analyzing the leak and was among the first to share their findings in the RAMP general chat box, as shown in Figure 22.

Translation of Figure 22:

It's remarkable how ransomware rivals not only clash but are also willing to help out with examining the competitors' infrastructure when leaks occur. They are even willing to assist security researchers in analyzing leaked data to uncover potential issues, inefficiencies, and weaknesses that could undermine ransomware groups and possibly lead to the closure of RaaS operations.

When RaaS operations shut down, often due to exit scams or law enforcement intervention, their ransomware affiliates frequently seek out reputable competitors. A prime example is the alleged law enforcement intervention against RansomHub RaaS, which led many of their affiliates to approach LockBit. LockBit even temporarily set aside their LockBit 5.0 update to handle the influx of requests and quickly capitalize on new opportunities. Similarly, in the ongoing Qilin and LockBit dispute, LockBit publicly asserted Qilin's imminent closure, urging Qilin affiliates to join LockBit RaaS if they “want a Lamborghini.”

Qilin and LockBit are two of the most active ransomware groups currently operating. The Trellix Advanced Research Center is closely monitoring these RaaS groups and interested to observe how their ongoing feud unfolds in the future.

Conclusion

We used to fight families. Now we’re facing franchises and freelancers. But one thing hasn’t changed: when trust breaks down, empires fall.The ongoing disputes within the ransomware underground we have highlighted in this blog are more than just isolated incidents; they are symptomatic of fundamental cracks in the historic RaaS model.

What was once a seemingly cohesive, if illicit, ecosystem is now splintering under the weight of internal distrust and external pressure. The pervasive uncertainty, amplified by successful law enforcement interventions, has eroded the very foundation of cybercriminal collaboration: trust.

This crumbling trust model directly fuels increasing public feuds, betrayals, and retaliatory attacks. As loyalty becomes a liability and self-preservation the primary driver, the consequences extend beyond mere infighting. A significant reduction in trust within the underground inevitably stifles innovation and hampers the collaborative efforts that have historically enabled the rapid evolution and expansion of ransomware operations. In this fragmented landscape, the future of the RaaS model looks increasingly bleak.

In the escalating conflicts among ransomware gangs, survival hinges on innovation, resilience, and adaptability. Only those who can assure their affiliates of “work without paranoia” will endure as trust in RaaS programs continues to erode.

Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/