
Introduction
Cybersecurity experts are used to seeing ransomware gangs target businesses and governments – but recently, these criminal groups have also been turning on each other. In a twist worthy of a crime drama, ransomware operators are hacking, sabotaging, and scamming their fellow cybercriminals.
This intra-gang warfare has surfaced in several high-profile incidents from 2024–2025, with real consequences that reach even the gangs’ victims.
In this article, we’ll explore two cases – the Everest gang leak and the DragonForce vs. RansomHub saga – and analyze why ransomware gangs might clash, what it means for victims, and how such conflicts get resolved.
Everest Ransomware Leak Site Hacked
Over the first weekend of April 2025, the Everest gang’s dark web “leak site” was defaced with a taunting message: “Don’t do crime. CRIME IS BAD. xoxo from Prague.”
The typically fearsome ransomware group found itself hacked: an unknown actor breached the Tor hidden service the gang uses to publish stolen data and posted the sarcastic warning in place of the usual leaks.
The Everest ransomware gang, a Russia-linked group active since 2020, is infamous for hacking organizations (even NASA and the Brazilian government) and dumping stolen data to extort payments.
Yet now they were on the receiving end of an attack. It’s unclear who defaced their leak site – no law enforcement agency claimed credit (as would usually happen if police seized a server).
The defacement message didn’t mimic a police notice, which rules out a typical “takedown” banner, and affiliates of Everest aren’t complaining of an exit scam either. Instead, this looks like either a vigilante hacker or a rival criminal sabotaging Everest’s operation.
Some researchers noted Everest’s site ran on a simple WordPress template, speculating a vulnerability might have let the intruder in. If so, Everest learned the hard way that even ransomware gangs need good cybersecurity hygiene.
DragonForce vs. RansomHub
Another dramatic feud unfolded in April 2025 between two ransomware operations: RansomHub and DragonForce. RansomHub had risen to become one of the most prolific ransomware-as-a-service (RaaS) groups of 2024, especially after big players like LockBit and ALPHV/BlackCat hit roadblocks. But at the start of April, RansomHub was plunged into chaos by apparent internal conflict.
On April 1, an unknown number of RansomHub’s affiliates suddenly lost access to the gang’s communication portals. Negotiations with victims were interrupted, and some frantic affiliates had to scramble to continue ransom talks via alternate channels – even hopping over to other gangs’ platforms to communicate with victims.
Amid the confusion, a rival gang called DragonForce seized the opportunity to make a bold claim. On a dark web forum (RAMP), DragonForce announced that RansomHub had “decided to move to our infrastructure” and that they were now “reliable partners,” even previewing a new leak site bearing RansomHub’s logo.
In other words, DragonForce boasted that it was taking over RansomHub’s operations. They even extended a public “offer” to RansomHub’s members, inviting them to join the DragonForce Ransomware Cartel. Notably, RansomHub’s official onion site went offline on March 31 – lending some weight to DragonForce’s story that they absorbed or compromised RansomHub’s infrastructure.
So, did DragonForce truly hack and acquire RansomHub? It’s honestly quite complicated. Cyber intelligence analysts at GuidePoint Security noted that DragonForce could be simply muddying the waters to market itself amid RansomHub’s turmoil. (Criminals aren’t above a bit of bluffing, after all.)
However, this would not be DragonForce’s first hostile takeover: just a month prior, DragonForce did take over another struggling RaaS outfit called BlackLock after BlackLock’s data leak site was compromised by security researchers. In that case, DragonForce swooped in to absorb BlackLock’s assets once law enforcement pressure took BlackLock down. That precedent makes the RansomHub claim more plausible.
Why Ransomware Gangs Turn on One Another
So, what drives these criminals to attack their own kind? In one word: greed. Most ransomware outfits operate on a profit-sharing model between the core gang and its affiliates. Whenever big money is involved, disputes are never far behind.
One common flashpoint is the division of ransom payments. For example, the ALPHV/BlackCat gang infamously pulled an “exit scam” on its affiliates in 2024 – after a huge $22 million ransom was paid by a victim (Optum/Change Healthcare), the BlackCat bosses posted a fake law enforcement seizure notice on their site and disappeared with the entire $22M, leaving their affiliates empty-handed.
The affiliate who had actually hacked the victim (a hacker known as “notchy”) was furious at being cheated. In retaliation, that affiliate turned to a rival group – the up-and-coming RansomHub – bringing along stolen data from the same victim to extort again.
Sure enough, RansomHub emerged claiming it had 4 terabytes of the victim’s data and demanding payment, effectively double-extorting the victim that had already paid BlackCat.
Another motivator is simple competition and clout. Ransomware is a lucrative criminal industry, and top gangs vie for status (measured by number of victims and ransom haul). If a rival stumbles – due to an arrest, a leak, or internal strife – others will happily poach their talent or even hijack their infrastructure.
We saw this with DragonForce grabbing BlackLock’s resources and possibly doing the same to RansomHub. Eliminating a competitor or absorbing their affiliates can enlarge one gang’s share of the market. It’s the cybercrime equivalent of hostile takeovers (or maybe gang turf wars). There’s also an element of reputation: being seen as the “big dog” that can muscle out others boosts a gang’s credibility to attract more affiliates.
Implications for Victims Caught in the Crossfire

When ransomware gangs feud, it’s not just a problem for the criminals – it can directly affect their victims. Companies hit by ransomware are already in crisis, trying to restore data or negotiate to avoid leaks. An inter-gang conflict adds a new layer of uncertainty.
For one, active ransom negotiations can collapse overnight. In RansomHub’s case, some victims were left hanging mid-negotiation when affiliates lost access to the gang’s portals. Imagine working out a payment plan with your extortionists, only for them to suddenly say, “Actually, contact us over on this other site – we’ve switched teams.”
It understandably causes confusion and panic. The victim must decide: is this even the same group? Is it a trick? Will the new gang honor the original deal? The lack of consistency undermines whatever scant reliability these criminals might have had.
Worse, victims might face multiple extortion attempts due to these conflicts. The Change Healthcare incident is a cautionary tale: that organization paid one gang a huge ransom, only to have another gang (with an insider’s help) come knocking with the same stolen data. Essentially, the victim paid $22 million and still had their data held hostage by someone else.
On a slightly positive note, infighting can sometimes disrupt the ransomware attack itself. There have been cases where internal disputes led gangs to release decryption keys or fail to follow through on threats. For example, if an affiliate is banned by their ransomware program for breaking rules, the gang might free the victim’s data as a form of damage control (this reportedly happened in some LockBit cases).
Law enforcement and cyber defenders can also leverage gang rivalries – leaked chat logs or toolkits (like in the Conti leaks) provide valuable intelligence to help victims and improve defenses. However, companies cannot rely on criminals’ squabbles to save them. The overall impact of these rivalries for victims is more uncertainty and risk.
How Ransomware Groups Resolve Conflict
When gangs of thieves fall out, how do they settle it? There’s no court or mediator – resolution can range from uneasy truces to total implosions. In some cases, the outcome is rebranding or reorganization. A tarnished gang might disappear and later re-emerge under a new name, shrugging off the bad blood.
For instance, after the Conti gang’s implosion in 2022, a lot of its members quietly moved into spin-off groups like Black Basta, Hive, and others, continuing their activity under different banners. In the wake of an internal betrayal or an external hack, a ransomware group often goes dark for a while – partly to shake off law enforcement heat, but also to sort out internal leadership.
Other times, conflicts lead to a changing of the guard. RansomHub’s future is uncertain: it might fade away as DragonForce (or others) absorb its people, or it may retaliate and attempt a comeback. We’ve seen cartel-style showdowns in the cybercrime world before.
However, outright retaliatory hacks between rival ransomware gangs are not often publicized – these groups prefer to operate in the shadows, and direct cyberattacks against one another risk drawing even more attention from law enforcement. Instead, they might fight via reputation, doxing each other or leaking rivals’ source code (as happened when Babuk ransomware’s code leaked in 2021, reportedly due to an internal feud).
When negotiations fail, a gang might just split apart. Disgruntled members leave to form new factions (as apparently happened with BlackCat’s affiliates spawning RansomHub). This cycle can repeat, with new groups promising to fix the “mistakes” of the last.
It’s a bit like pirate crews mutinying and forming new crews. Each iteration might have a new name and a marketing pitch on criminal forums, but the core players can be the same. For law enforcement and threat intel teams, tracking these rebrands is honestly a constant cat-and-mouse game.
Take Your Next Steps With BlackFog
Ransomware gangs are unstable by nature – changing alliances, sabotaged infrastructure, and internal betrayals are now routine. For victims, that instability brings real-world consequences: broken negotiations, repeat extortion, and greater risk of public data leaks.
These incidents highlight a bigger issue: trusting criminals to follow through on anything, even after a ransom is paid, is a losing game. That’s why a prevention-first approach matters.
BlackFog stops ransomware attacks before data is stolen – by preventing data from ever leaving your devices in the first place.
No exfiltration means no leverage for attackers, no extortion, and no clean-up after the fact. If you’re relying on tools that detect ransomware only after it’s active, it’s time to rethink your strategy.