Cybercriminal Powerhouse: The Strategic Alliance of Qilin, DragonForce, and LockBit
In a significant development within the cybercriminal landscape, three formidable ransomware groups—Qilin, DragonForce, and LockBit—have formed a strategic alliance, signaling a new era of collaboration among threat actors. This coalition, announced by DragonForce on a Russian underground forum on September 15, 2025, represents a calculated response to intensified global law enforcement efforts that have disrupted major ransomware operations in recent years.
Formation of the Alliance
The announcement of this alliance comes at a time when the ransomware ecosystem is under unprecedented pressure. International law enforcement agencies have successfully dismantled infrastructures of prominent ransomware groups, identified key administrators, and issued international arrest warrants. These actions have led to a more fragmented and less cohesive cybercriminal environment, complicating the recruitment of both novice and experienced operators.
In their forum post, DragonForce explicitly stated that the coalition was established to address the challenges posed by the evolving ransomware landscape. This strategic move aims to consolidate resources, share intelligence, and enhance operational capabilities to withstand the increasing scrutiny and intervention from law enforcement agencies worldwide.
Ransomware Landscape: A Statistical Overview
Recent data underscores the shifting dynamics within the ransomware domain. Between January and November 2025, ransomware claims surged by 61% compared to the same period in 2024. However, this apparent growth belies a deeper crisis within the ransomware community. The dominance of top ransomware groups has slightly diminished, with their share of total attacks decreasing from 54.8% in 2024 to 53.1% in 2025. This trend indicates a dispersion of criminal activities across a broader array of groups rather than consolidation under a few dominant players.
Analysts from Yarix have been monitoring these developments, assessing the potential risks and credibility associated with the newly formed alliance. Their research reveals a notable decline in ransom payments by victim organizations. The median ransom payment plummeted by 65% in the third quarter of 2025 compared to the previous quarter, settling at approximately $140,000. Moreover, only 23% of victims opted to pay ransoms during this period. This significant reduction reflects improved organizational preparedness, enhanced backup strategies, and a growing reluctance to capitulate to cyber extortion demands.
Operational Shifts and Group Activities
An examination of Data Leak Site (DLS) activities provides insight into the operational trajectories of the three allied groups:
– Qilin: Emerging as the most active ransomware group in 2025, Qilin accounted for 13.07% of all claims between January and November. The group’s activity exhibited consistent growth throughout the year, peaking in October 2025 at 3.25% of monthly claims. This surge closely followed the alliance announcement, suggesting that the coalition may have bolstered Qilin’s recruitment efforts and operational momentum.
– DragonForce: Demonstrating steady but gradual growth, DragonForce ascended from ninth place in August to eighth by October 2025. The group maintained operational continuity throughout the year, with claims ranging from 0.08% to 0.45% monthly. This steady activity indicates a measured approach to expansion and consolidation within the cybercriminal ecosystem.
– LockBit: In contrast, LockBit exhibited a starkly different trajectory. Historically one of the most prolific ransomware collectives, LockBit published no claims from June through November 2025. This prolonged inactivity suggests that the group has not fully recovered from Operation Cronos, a major law enforcement initiative that disrupted its infrastructure in February 2024.
Implications of the Alliance
The formation of this alliance among Qilin, DragonForce, and LockBit carries profound implications for the cybersecurity landscape:
1. Enhanced Operational Capabilities: By pooling resources and expertise, the alliance can develop more sophisticated attack vectors, evade detection mechanisms more effectively, and execute coordinated campaigns with greater impact.
2. Resilience Against Law Enforcement: The coalition provides a support network that can help member groups recover from disruptions, share intelligence on law enforcement tactics, and adapt strategies to mitigate risks.
3. Market Domination: The alliance positions itself to dominate the ransomware market by leveraging combined reputations, expanding affiliate networks, and offering more attractive profit-sharing models to recruit top-tier cybercriminal talent.
4. Increased Threat to Organizations: For businesses and institutions, this alliance signifies a heightened threat level. The collaboration could lead to more frequent, sophisticated, and damaging ransomware attacks, necessitating enhanced cybersecurity measures and incident response strategies.
Conclusion
The strategic alliance between Qilin, DragonForce, and LockBit marks a pivotal moment in the evolution of cybercriminal operations. As these groups unite to fortify their positions against mounting law enforcement pressures, the cybersecurity community must brace for a potential escalation in ransomware activities. Organizations are urged to bolster their defenses, stay informed about emerging threats, and foster a culture of cybersecurity awareness to mitigate the risks posed by this formidable coalition.
