In a significant development within the cyber threat landscape, three major ransomware groups—DragonForce, LockBit, and Qilin—have announced a strategic alliance aimed at enhancing their operational capabilities. This collaboration underscores the evolving tactics of financially motivated cybercriminals seeking to conduct more effective ransomware attacks.
Strategic Collaboration to Enhance Operations
According to a report by cybersecurity firm ReliaQuest, the alliance is expected to facilitate the sharing of techniques, resources, and infrastructure among the groups. This synergy is anticipated to bolster each group’s operational effectiveness, potentially leading to a surge in attacks on critical infrastructure and sectors previously considered low risk.
LockBit’s Resurgence and New Capabilities
LockBit’s participation in this alliance marks a notable comeback following a significant law enforcement operation in early 2024, known as Operation Cronos, which resulted in the seizure of its infrastructure and the arrest of several members. At its peak, LockBit had targeted over 2,500 victims worldwide, amassing more than $500 million in ransom payments. The group’s resurgence is further highlighted by the introduction of LockBit 5.0, a new iteration capable of targeting Windows, Linux, and ESXi systems. This latest version was first advertised on September 3, 2025, on the RAMP darknet forum, coinciding with the sixth anniversary of its affiliate program.
Qilin’s Ascendancy in the Ransomware Landscape
Qilin has emerged as a dominant force in the ransomware ecosystem, claiming over 200 victims in the third quarter of 2025 alone. The group’s activities have been particularly concentrated in North America, with a significant uptick in operations beginning in the fourth quarter of 2024. This rapid escalation underscores Qilin’s aggressive expansion and its strategic focus on lucrative targets.
DragonForce’s Role and Recent Activities
DragonForce’s involvement in the alliance adds another layer of complexity to the ransomware landscape. The group has been active in exploiting vulnerabilities to deploy ransomware across various endpoints. For instance, in May 2025, DragonForce exploited flaws in SimpleHelp, a remote support software product, to distribute ransomware, demonstrating its technical prowess and adaptability.
Implications for the Cybersecurity Community
The formation of this alliance signals a potential increase in the sophistication and frequency of ransomware attacks. By pooling their resources and expertise, these groups are likely to enhance their capabilities, posing a greater threat to organizations worldwide. This development necessitates a proactive and collaborative approach from the cybersecurity community to mitigate the risks associated with such coordinated cybercriminal activities.
Emerging Trends and Broader Impacts
The alliance coincides with other notable developments in the cyber threat landscape. For example, the threat actor known as Scattered Spider is reportedly preparing to launch its own ransomware-as-a-service (RaaS) program called ShinySp1d3r, marking the first such service by an English-speaking extortion crew. Additionally, there has been a significant increase in the number of data leak sites, rising from 51 in early 2024 to 81, indicating a broader expansion of ransomware activities.
Conclusion
The strategic alliance between LockBit, Qilin, and DragonForce represents a significant shift in the ransomware ecosystem, highlighting the evolving tactics and collaborations among cybercriminal groups. This development underscores the need for heightened vigilance and robust cybersecurity measures to protect against the increasing threat posed by such coordinated ransomware operations.