A spate of recent ransomware attacks on major UK retailers has revealed an alarming new dimension in cyber risk: infighting between rival criminal syndicates. High street names including Marks & Spencer, Harrods and the Co-op have found themselves entangled in a turf war between two ransomware-as-a-service (RaaS) groups – DragonForce and RansomHub – whose competition for dominance is leading to heightened risk, disruption and potentially multiple extortion attempts against the same business.

A Battle for Criminal Supremacy

Ransomware gangs increasingly operate like commercial enterprises, complete with brand identities, partner programmes and recruitment strategies. DragonForce, having rebranded itself in early 2025 as a ‘cartel’, is pursuing aggressive expansion by poaching affiliates and undermining rival groups. In March, it allegedly hijacked RansomHub’s dark web leak site, a provocative move that has sparked a series of retaliatory attacks.

This internal gang warfare signals a shift in the ransomware ecosystem: from coordinated campaigns to chaotic competition. For legitimate businesses, the consequences are increasingly unpredictable.

Risk of Multiple Extortion Attempts

One of the most concerning outcomes of this rivalry is the growing threat of double extortion—where a company that has already paid a ransom may be targeted again by a rival group using the same stolen data. In 2024, for example, UnitedHealth Group was hit by one gang and later approached by another, claiming access to the same material.

Now, with DragonForce and RansomHub jostling for position, cyber experts warn that victims may face extortion attempts from both – each demanding payment for non-disclosure or to prevent disruption.

Why Retailers Are in the Firing Line

Retail is an attractive sector for ransomware operators. Supply chains are complex, customer data is sensitive, and any operational downtime can quickly escalate into multimillion-pound losses. In the case of M&S, the firm was forced to take its website offline over Easter, reportedly losing £40 million per week and seeing a substantial fall in market value.

Attacks on Harrods and the Co-op followed, prompting heightened alerts from the National Cyber Security Centre and raising questions about sector resilience and crisis readiness.

The Evolving RaaS Business Model

DragonForce and RansomHub exemplify the new face of cybercrime: scalable, decentralised, and disturbingly professional. Like tech start-ups, these groups recruit affiliates, share profits, and compete for market share. DragonForce’s recent “cartel” rebranding is part of a broader push to consolidate influence, offer additional support services, and crowd out smaller rivals such as BlackLock and Mamona.

But this expansion comes at a cost. The growing number of operators and affiliates increases the likelihood of error, leak duplication and affiliate defection, creating further uncertainty for victims and for insurers supporting their recovery.

What This Means for Businesses

For insureds and insurers alike, the message is clear: the threat is no longer just from ransomware, but from the instability within the cybercriminal landscape itself.

Cyber experts recommend a robust and proactive approach to risk management:

  • Maintain heightened vigilance following an incident – additional attacks may follow from different actors.
  • Invest in layered security, including endpoint protection, patch management and employee awareness training.
  • Test incident response and crisis plans, ensuring clear procedures for legal, technical and reputational risk.
  • Review cyber insurance policies, paying particular attention to extortion clauses and business interruption triggers. Speak to W Denis about peer reviewing your current limits and reviewing average cyber claims costs across sectors. This can provide useful context and help draw focus during internal discussions.
  • Maintain board-level control. Directors retain fiduciary responsibility to shareholders to protect the company’s balance sheet and must not delegate cyber insurance purchasing decisions to the IT department or to external IT support companies that design and manage IT security.

Final Thoughts

As ransomware gangs turn on one another in an attempt to dominate the illicit marketplace, legitimate businesses are left to manage the fallout. For insurers, brokers and clients, this highlights the importance of understanding not only the technical threat landscape but the increasingly volatile dynamics of the criminal networks behind it.

At W Denis, we work with clients to assess their cyber exposure, strengthen their risk posture and ensure cover is tailored to today’s rapidly evolving threat environment.
