In recent months, US policy changes have drawn global attention, with some likely to impact Russia’s role in cybersecurity threats. While ransomware activity has declined following the US’s involvement in the Russia-Ukraine peace process, this drop may not be down to politics alone—highly active ransomware groups have disbanded or shifted tactics during this time.
Since 2022, the Ukraine war has shown how geopolitics can shape attacker tactics, but cyber threats don’t always follow political developments. The unexpected rise of the “DragonForce” ransomware group demonstrates how threats shift irrespective of politics.
In this report, we explore the possible consequences of the recent changes and forecast what might be next for Russia-linked cyber activity. Here’s what we’ll cover:
How US policy shifts are influencing cyber threats.
The ripple effects of recent policy changes on cybercrime.
Recent activity from the DragonForce group and actionable strategies to mitigate the threat it poses.
Potential future developments in Russian cyber operations.
Key Points
US policy changes, like global tariffs, reduced cybersecurity oversight, and improved relations with Russia, are likely to impact the cyber threat landscape.
While ransomware activity declined following recent political changes, a 50% surge in “DragonForce” ransomware activity shows that, for some cybercriminals, politics is not a deterrent.
Combat DragonForce by patching vulnerabilities, improving social engineering education, and blocking unauthorized remote monitoring and management (RMM) tools.
We expect an uptick in supply-chain attacks, insider threats, and ransomware attacks on Europe and Canada because of these policy changes. However, the espionage threat from Russia-linked advanced persistent threat (APT) groups will likely remain unchanged.
Key Policy Shifts That Could Reshape Cybercrime
Trump’s second term as US President, which began in January 2025, has brought a series of significant policy changes. Notable shifts include the introduction of global tariffs, changes to how the US approaches its cybersecurity, and initiatives to strengthen relations with Russia while pursuing peace efforts in Ukraine. These moves have not only captured media attention but are also likely to affect the cyber threat landscape.
Introduction of Global Tariffs
On April 2, 2025, a 10% baseline tariff was applied to goods imported into the US from all nations. For certain countries, higher tariffs were imposed, leading to tensions with key US allies like Canada and a trade conflict with China. Tariffs between the US and China have now exceeded 100%.
Changes to CISA
The US administration has announced reforms to the Cybersecurity and Infrastructure Security Agency (CISA). As a result, the Agency is undergoing restructuring: budget reductions are under consideration, and responsibilities for tackling cybercrime are shifting from federal agencies to state and local authorities. Recent leadership changes at CISA and investigations into former officials have sparked discussions about the potential risks of politicizing cybersecurity efforts.
Peace Talks with Ukraine
In foreign policy, the US has distanced itself from the North Atlantic Treaty Organization (NATO) and focused its efforts on resolving peace in Ukraine as part of its broader strategy to strengthen ties with Russia. In mid-April, the US proposed a seven-point peace plan, which Ukraine rejected in favor of a ceasefire.
Unveiling the Impact: Political Change and Cybercrime
The above three policy changes could affect cyber targeting of the US in three ways. First, economic pressures often lead to offensive cyber activity—North Korean state-backed cryptocurrency theft is a perfect example of this. Second, if cybercriminals perceive the US to have weakened cybersecurity oversight, they are likely to take advantage. Finally, if the Russia-Ukraine war came to an end, it’s realistically possible there would be a significant shift in tactics.
That said, Russia-linked cyber threat actors can be unpredictable. Few saw their pivot to destructive malware coming—a striking departure from their usual slow and stealthy tactics—highlighting the need for deeper analysis. To assess whether Russia’s victimology would really change following Trump’s re-election, we examined ransomware data-leak site postings—one of the few places where Russia-linked cyber threat groups advertise their attacks (see Figure 1).

Figure 1: Ransomware data-leak-site posts of US-based victims per week (not including “Clop”), cross-referenced with key US administration changes
Initially, the number of named ransomware victims grew. However, after Trump's involvement in the Russia-Ukraine war peace process, weekly figures began to decrease, hinting at a possible correlation.
But is this decline really tied to a political event? Here are our theories on what might have happened.
Cybercriminals Uncertain About Their Next Moves
On one hand, as the US administration focuses its attention on cyber threats from China and Iran, some Russian threat actors likely see an improving relationship between the US and Russia as a good thing. It could push them to focus less on US targets and more on European nations instead.
On the other hand, there’s still plenty of concern. The fear of significant penalties imposed by the US administration if caught—and the possibility of extradition—has likely made some cybercriminals think twice about targeting the US, at least for now. But let’s be clear: Any let-up based on this theory will only be temporary, meaning businesses must stay on high alert to ransomware threats.
Major Ransomware Groups Brought to a Halt
In mid-February 2025, the “8Base” ransomware group was hit by law enforcement activity, and the group hasn’t posted any new victims on its data-leak site since. About a week later, chat logs exposing the inner workings of the “Black Basta” group were published online, causing chaos within the group. But Black Basta’s data-leak site activity actually slowed even before this—in January 2025, just after the group shifted to using Microsoft Teams to gain initial access, perhaps in search of higher profits.
Having fewer ransomware groups naturally eases the pressure on businesses, at least in the short term. And the disappearance of two such prominent groups lowers data-leak site figures even further. However, as new ransomware groups attempt to fill the void and attack more organizations in a bid to assert their dominance, defenders need to remain vigilant.
The Growing Pressure to Pay Ransoms
Ransomware operators use data-leak sites as a tool to pressure victims into paying ransoms. Usually, only businesses that refuse to pay up find themselves on the operator’s data-leak site.
Of course, this decrease in data-leak site postings could simply be down to more victims choosing to pay ransoms during this period. But it may partly stem from the uncertainty surrounding the recent changes in US cybersecurity policies. With companies unsure about the future direction of government support for cybersecurity, some likely opted to pay up and resolve ransomware attacks discreetly. This is a reasonable approach for some, as businesses listed on data-leak sites face negative publicity, strained relationships with partners, and potential regulatory repercussions.
Clop Copycats Miss the Mark
In the week beginning February 23, 2025, the “Clop” ransomware group began posting details of organizations it compromised through exploiting a vulnerability in Cleo software. Clop’s supply-chain attack technique has been highly effective, impacting hundreds of organizations in a single campaign. Their success has even likely inspired other—less capable—groups to hop on the bandwagon. However, it’s also likely these groups struggled with exploiting vulnerabilities instead of relying on their usual simpler, opportunistic attacks. As such, these copycat attempts likely fell flat, contributing to the overall decline in data-leak site postings.
Ransomware will remain a major global threat, and Clop’s Cleo campaign is a stark reminder of how devastating a single attack can be. It also highlights the risks of supply-chain attacks and the critical importance for businesses to thoroughly vet their vendors.
DragonForce Seeks Domination
For many ransomware groups, new policies won’t be a major concern. The ransomware landscape moves quickly, and some groups will likely see this period of political uncertainty as an opportunity to strike. Enter DragonForce—a ransomware-as-a-service (RaaS) group capitalizing on the shape-shifting nature of the current ransomware scene.
If you haven’t heard of DragonForce yet, it’s time to pay attention. Active since December 2023, this Russian- and English-speaking group saw its activity more than double in April 2025 compared with previous months. Until that point, DragonForce had listed only 104 victims in total on its data-leak site—50% of them US-based and 52% belonging to either the manufacturing; professional, scientific, and technical services (PSTS); or construction industries.
The group’s April activity reached its peak when its ransomware was used in major attacks on the networks of prominent UK retailers, likely in collaboration with the notorious threat group “Scattered Spider.” We previously reported on a partnership between Scattered Spider and another Russian-speaking ransomware group, “RansomHub.” To dig deeper into how these groups might all be working together, we turned to the ransomware-focused cybercriminal forum, RAMP—and it certainly delivered.
Posts made on the forum by the user “dragonforce” revealed that the group first advertised its RaaS model in June 2024. However, judging by its data-leak site activity, initial interest appeared low. If at first you don’t succeed, try again—especially at a time of uncertainty.
DragonForce Unveils Cartel Model
Rumors emerged that DragonForce was targeting other RaaS operations in an apparent takeover bid. RansomHub representative “koley” accused DragonForce of interference, stating: “you attack mimona [sic, likely mamona] blacklock and us.” However, user dragonforce claimed: “RansomHub will be up soon, they just decided to move to our infrastructure! We are reliable partners.”
By March 2025, dragonforce unveiled its ransomware “cartel” model (see Figure 2). This model provides affiliates with access to a fully developed, reliable system that’s backed by 24/7 support to manage their operations. Affiliates can maintain their own identity under the cartel while benefiting from DragonForce’s established RaaS offering.

Figure 2: User dragonforce posts on RAMP about the new DragonForce RaaS “cartel” model
To demonstrate the effectiveness of its cartel model, dragonforce announced its takeover of the “RansomBay” RaaS operation and tried to entice affiliates with promises of million-dollar earnings (see Figure 3). Like Pokémon, DragonForce seems intent on “collecting them all,” likely to rival the ransomware market dominance once held by “LockBit.” Or perhaps the group is spreading its own disinformation campaign to boost its reputation by capitalizing on the downfall of significant ransomware players. Only time will tell.

Figure 3: User dragonforce posts on RAMP to announce the DragonForce RaaS’s collaboration with RansomBay
A ransomware cartel model poses a unique threat to businesses, because it fosters collaboration among cybercriminal groups. This teamwork makes attacks more coordinated, sophisticated, and far-reaching. While DragonForce ransomware previously targeted specific sectors, it’s now highly likely that no business is safe from its attacks.
By pooling resources and sharing tools, so-called cartels amplify the frequency and severity of ransomware campaigns. This drives up ransom demands and facilitates the rapid evolution of attack techniques, making it harder for traditional cybersecurity defenses to keep up. The result? Significant financial losses, reputational damage, and potentially even data loss.
Step Up Your Defenses Against DragonForce
How ReliaQuest Helps You
ReliaQuest GreyMatter harnesses cutting-edge agentic AI to protect organizations from ransomware and other cyber threats. By automating security alerts and accelerating detection, containment, investigation, and response, GreyMatter drastically reduces the mean time to contain (MTTC) threats. This enables businesses to quickly mitigate malicious activity and strengthen their defenses against the ever-evolving ransomware landscape.
Threat Intelligence: We proactively track and analyze the latest tactics, techniques, and procedures (TTPs) employed by DragonForce and other prominent ransomware groups. This ongoing research ensures that our threat feeds are continuously updated with the most recent and relevant IOCs.
Threat Hunting: We perform retroactive threat hunts within an organization’s environment using newly identified IOCs for DragonForce that may not yet be added to our threat feeds. However, given our ongoing tracking of key ransomware groups, it’s more likely that high-fidelity IOCs are already integrated into our feeds, ensuring critical alerts are fired via detection rules.
Your Action Plan
To defend against DragonForce, focus on these three key strategies:
Strengthen social engineering awareness by training employees to spot and respond to phishing attempts, as DragonForce typically uses this technique to gain initial access. Affiliates also use tactics like impersonating help-desk staff through Microsoft Teams calls, making employee vigilance a critical defense.
Block unauthorized remote monitoring and management (RMM) tools to ensure there’s only a single authorized business solution. DragonForce often uses these tools for privilege escalation and persistence.
Disable RDP on non-essential systems and patch known vulnerabilities; exposed RDP and unpatched services are the usual targets of the credential stuffing attacks DragonForce uses to gain initial access.
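The second and third strategies above can be turned into routine checks against endpoint telemetry. The script below is an added example, not ReliaQuest or DragonForce-related code from this report: it walks a few constructed key=value telemetry lines and flags (a) any RMM executable other than the single sanctioned agent and (b) an RDP listener on a host whose role should not offer RDP. The sanctioned agent name `approved-rmm-agent.exe`, the role names, and the RMM watchlist are assumptions; the watchlist should be replaced by your own software inventory.

```python
import re

# Assumption: the organization's single sanctioned RMM agent (placeholder name).
AUTHORIZED_RMM = "approved-rmm-agent.exe"

# Constructed watchlist of executable names used by common RMM products.
# Extend it from your own software inventory; it is not an authoritative list.
RMM_WATCHLIST = {
    "anydesk.exe",
    "teamviewer.exe",
    "screenconnect.clientservice.exe",
    "ateraagent.exe",
    AUTHORIZED_RMM,  # listed so the rule reads "any RMM except the sanctioned one"
}

# Host roles where an RDP listener is expected; every other role is non-essential.
RDP_ALLOWED_ROLES = {"jump", "terminal-server"}
RDP_PORT = "3389"

# Constructed endpoint telemetry in key=value form (not real customer data).
LOG_LINES = [
    r"2025-04-14T09:12:03Z host=fin-ws-07 role=workstation event=process_start image=C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe",
    r"2025-04-14T09:12:40Z host=fin-ws-07 role=workstation event=listen port=3389 process=svchost.exe",
    r"2025-04-14T09:13:10Z host=jump-01 role=jump event=listen port=3389 process=svchost.exe",
    r"2025-04-14T09:14:00Z host=hr-ws-02 role=workstation event=process_start image=C:\Program Files\approved-rmm-agent\approved-rmm-agent.exe",
    r"2025-04-14T09:15:22Z host=hr-ws-02 role=workstation event=process_start image=C:\Windows\System32\notepad.exe",
]

# key=value pairs; a value runs until the next " key=" token or end of line,
# so paths containing spaces (e.g. "Program Files") survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line):
    """Turn one telemetry line into a dict; the leading token is the timestamp."""
    fields = {key: value for key, value in FIELD_RE.findall(line)}
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def check_rmm(event):
    """Flag execution of any watchlisted RMM executable other than the sanctioned one."""
    if event.get("event") != "process_start":
        return None
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    if exe in RMM_WATCHLIST and exe != AUTHORIZED_RMM:
        return {"host": event["host"], "rule": "unauthorized_rmm", "detail": exe}
    return None


def check_rdp(event):
    """Flag an RDP listener on a host whose role is not expected to offer RDP."""
    if event.get("event") != "listen" or event.get("port") != RDP_PORT:
        return None
    if event.get("role") not in RDP_ALLOWED_ROLES:
        return {"host": event["host"], "rule": "rdp_on_nonessential_host",
                "detail": f"port {RDP_PORT}"}
    return None


def evaluate(lines):
    """Run both checks over raw telemetry lines and return findings in log order."""
    findings = []
    for line in lines:
        event = parse_line(line)
        for check in (check_rmm, check_rdp):
            hit = check(event)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in evaluate(LOG_LINES):
        print(f"{finding['host']}: {finding['rule']} ({finding['detail']})")
```

On the constructed input the workstation fin-ws-07 is flagged twice (an AnyDesk launch and an RDP listener), while the jump host and the sanctioned agent on hr-ws-02 produce nothing. The same two rules map directly onto EDR process-creation and network-listener events; the allowlist-by-exception structure is what keeps a second, unsanctioned RMM tool from blending in with the approved one.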
Red Storm Rising: The Future of Russian Cyber Threats
The US administration’s recent policy changes have been wide-ranging, but three stand out as the most likely to impact cyber threats: global tariffs, changing cybersecurity approaches, and plans to strengthen relations with Russia. After the US became involved in peace talks around the Russia-Ukraine war, ransomware activity declined. While this drop could be explained by the policy changes, there are also potential factors that are unrelated. For bold cybercriminals, uncertainty isn’t a deterrent—it’s an opportunity. DragonForce’s recent power play is proof of that. Below, we break down how these three most impactful policy changes are likely to shape the future of the cyber threat landscape and what businesses should prepare for next.
Tariffs and the Risk of Cyber Retaliation
As trade tensions increase, it’s likely that nation-state-linked attackers will retaliate through offensive cyber operations. However, these efforts are more likely to originate from countries like China and Iran than Russia. In April, the US administration opted not to impose tariffs on Russia, citing existing sanctions as the reason. As a result, nation-state activity from Russia and targeting the US is expected to remain constant.
Instead, Russian threat actors are likely to exploit the knock-on effects of the tariffs. The tariffs are likely to impact supply chains, forcing CISOs to quickly find new cybersecurity vendors, potentially leading to less thorough vendor assessments. Additionally, as organizations pivot from Chinese hardware makers to domestic ones, US-based vendors may struggle to keep up with the sudden demand. This could result in rushed product development, weakened quality assurance, or shortcuts in security testing—all of which create openings ripe for exploitation by Russia-linked cybercriminals and nation-state actors.
Russia-linked advanced persistent threat (APT) groups excel at conducting supply-chain attacks, making US businesses particularly vulnerable to these breaches and initial access through vulnerability exploitation. To counter these threats, organizations should strengthen supply-chain security, implement robust threat monitoring, and fortify defenses against sophisticated attack vectors.
Budget Cuts Threaten Cybersecurity
When costs run high, cybersecurity budgets are often the first to face cuts. Tariff-related financial pressures are likely to result in reduced staffing—through layoffs or hiring freezes—and scaled-back investment in critical tools and infrastructure. For Russian cybercriminals, stretched security teams are softer targets.
As such, Russia-linked cybercriminals or nation-state actors are likely to start hunting for insiders in US organizations to gain access to sensitive systems. Disgruntled employees who retain system access—often because of overwhelmed IT teams—are likely to become prime targets. During economic instability and layoffs, the financial incentives offered by cybercriminals could appeal to those facing job loss or burnout.
At the federal level, it’s realistically possible that the proposed 17% budget reduction for CISA in 2026 could further stretch its resources. Uncertainties also remain about the future of the Common Vulnerabilities and Exposures (CVE) Program. What’s more, a shift in responsibility to local forces is likely to leave organizations without the workforce needed to deal with the scale of cybercrime targeting the US.
These factors are likely to leave businesses struggling to effectively tackle growing cyber threats. While US-based organizations will be impacted the most, the effects on CISA and the CVE Program will impact organizations globally. Now more than ever, businesses should be on high alert for insider threats, ensuring systems to identify abnormal behavior patterns and strict “leavers, movers, joiners” policies are in place.
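The "leavers, movers, joiners" control above is only as good as the reconciliation behind it. The script below is an added example, not ReliaQuest code: it compares a constructed HR roster against a constructed directory export and surfaces the access patterns the paragraphs above warn about, namely a leaver whose account is still enabled, a mover who kept group memberships from a previous department, an account with no HR owner, and an account nobody has used in a while. The department-to-group mapping, the 45-day staleness threshold and the reference date are assumptions.

```python
from datetime import date

# Constructed reference date and staleness threshold for the check.
TODAY = date(2025, 5, 1)
STALE_DAYS = 45

# Constructed HR roster: status is "active" or "left"; dept is the current department.
HR_ROSTER = {
    "alice": {"status": "active", "dept": "finance", "left_on": None},
    "bob":   {"status": "left", "dept": "engineering", "left_on": date(2025, 4, 10)},
    "carol": {"status": "active", "dept": "legal", "left_on": None},  # moved from finance
    "dave":  {"status": "active", "dept": "it", "left_on": None},
}

# Constructed directory export: enabled flag, group memberships, last interactive logon.
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"finance-users"}, "last_logon": date(2025, 4, 30)},
    "bob":   {"enabled": True, "groups": {"eng-users", "prod-deploy"}, "last_logon": date(2025, 4, 9)},
    "carol": {"enabled": True, "groups": {"legal-users", "finance-users"}, "last_logon": date(2025, 4, 29)},
    "dave":  {"enabled": True, "groups": {"it-users", "domain-admins"}, "last_logon": date(2025, 2, 1)},
    "svc-old-backup": {"enabled": True, "groups": {"backup-operators"}, "last_logon": date(2025, 1, 15)},
}

# Assumption: which groups belong to which department, so mover checks can spot
# access retained from a previous role.
DEPT_GROUPS = {
    "finance": {"finance-users"},
    "engineering": {"eng-users", "prod-deploy"},
    "legal": {"legal-users"},
    "it": {"it-users", "domain-admins"},
}
ALL_DEPT_GROUPS = set().union(*DEPT_GROUPS.values())


def reconcile(hr, directory, today=TODAY):
    """Return (user, finding) pairs for accounts that violate the joiner/mover/leaver policy."""
    findings = []
    for user, acct in directory.items():
        record = hr.get(user)
        if record is None:
            # No HR owner: an orphaned or service account that needs an accountable owner.
            findings.append((user, "no_hr_record"))
            continue
        if record["status"] == "left" and acct["enabled"]:
            # Leaver with a live account; disabling it is the fix, so skip further checks.
            findings.append((user, "leaver_still_enabled"))
            continue
        # Mover check: any group that belongs to a department other than the current one.
        expected = DEPT_GROUPS.get(record["dept"], set())
        retained = acct["groups"] & (ALL_DEPT_GROUPS - expected)
        if retained:
            findings.append((user, "mover_retained_groups:" + ",".join(sorted(retained))))
        # Dormant account check: long-unused access is easy for an insider to lend or sell.
        if (today - acct["last_logon"]).days > STALE_DAYS:
            findings.append((user, "stale_account"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(HR_ROSTER, DIRECTORY):
        print(f"{user}: {finding}")
```

On the constructed data this reports bob (left on April 10, account still enabled), carol (kept finance-users after moving to legal), dave (no logon in 89 days) and svc-old-backup (no HR record). In practice the HR side comes from the HRIS export and the directory side from Active Directory or the identity provider; running the reconciliation daily turns the policy into a control that does not depend on an overwhelmed IT team remembering to act on a leaver ticket.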
Impact of US-Russia Relations on the Ransomware Landscape
Through peace talks and diplomatic efforts, the US administration has taken steps to strengthen relations with Russia. If these efforts continue positively, it’s likely that US-Russia cooperation on cybercrime—including ransomware—could return to pre-conflict levels. This could include intelligence sharing on ransomware threats that pose significant risks to the US economy. As a result, it’s realistically possible that ransomware groups will target the US less frequently for fear they could be “given up” by the Russian state in a quid pro quo move to protect its APT groups and keep the US sweet.
If ransomware groups shift their focus, organizations in Europe and Canada are likely to bear the brunt. Buoyant insurance markets, high profits, and English-language proficiency make these regions attractive targets. Organizations in these areas should prepare for an influx of ransomware attacks. That said, many ransomware operators simply don’t care about consequences, meaning US businesses must remain proactive in preventing initial access by ransomware actors and initial access brokers (who often sell access to ransomware operators).
While US-Russia cooperation is set to influence the ransomware scene, it won’t eliminate the threat of Russia-linked APT groups conducting espionage operations. Unlike financially motivated attacks, Russian espionage campaigns focus on long-term persistent access to acquire strategically valuable information. To defend against these threats, organizations should prioritize detecting persistence, securing privileged accounts, and implementing advanced monitoring to protect critical assets.