Full Report
Three prominent ransomware groups, DragonForce, LockBit, and Qilin, have announced a new strategic ransomware alliance, once again underscoring continued shifts in the cyber threat landscape. The coalition is seen as an attempt on the part of the financially motivated threat actors to conduct more effective ransomware attacks, ReliaQuest said in a report shared with The Hacker News. "Announced shortly
Analysis Summary
# Threat Actor: LockBit, Qilin, and DragonForce (Ransomware Alliance)
## Attribution & Identity
This entity represents a strategic ransomware alliance formed between three prominent, financially motivated ransomware groups: **LockBit**, **DragonForce**, and **Qilin**. The collaboration is explicitly an attempt to dominate the ransomware ecosystem and strengthen operational capabilities following high-profile law enforcement actions against LockBit.
## Activity Summary
The three groups announced a new strategic ransomware alliance to facilitate the sharing of techniques, resources, and infrastructure.
* **LockBit:** Recently returned with the launch of **LockBit 5.0**, advertised on September 3, 2025. This version is capable of targeting Windows, Linux, and ESXi systems. The group aims to restore its reputation after its infrastructure was seized and members arrested in a law enforcement operation (Cronos) in early 2024.
* **Qilin:** Reported as the most active ransomware group in recent months, claiming over 200 victims in Q3 2025 alone. Their operational tempo significantly increased in Q4 2024 (at least 46 attacks).
* **Combined Impact:** The alliance could trigger a surge in attacks on critical infrastructure.
## Tactics, Techniques & Procedures
The article primarily discusses strategic coordination rather than specific technical TTPs for the alliance itself, though it references prior group capabilities:
* **Resource Sharing:** Techniques, resources, and infrastructure sharing are central to the alliance.
* **Ransomware Variants:** LockBit 5.0 targets Windows, Linux, and ESXi systems.
* **Operational Tempo Shift:** Increased activity rates, particularly by Qilin, suggesting optimized operations.
## Targeting
* **Sectors:**
    * Professional, scientific, and technical services (largest number of victims, >375 entities).
    * Manufacturing, construction, healthcare, finance and insurance, retail, accommodation and food services, education, arts and entertainment, information, and real estate.
    * Critical infrastructure (expected surge in targeting).
* **Geography:**
    * **Disproportionately Targeted (Qilin):** North America-based organizations.
    * **Victim Concentration (General):** U.S., Germany, U.K., Canada, and Italy.
    * **Expanding Targets:** Egypt, Thailand, and Colombia (to evade law enforcement scrutiny).
* **Victims:** Specific organizations are not named beyond sector aggregates.
## Tools & Infrastructure
* **Malware families used:** LockBit 5.0, Qilin ransomware, DragonForce ransomware.
* **Infrastructure:** Facilitation through shared infrastructure among the three groups.
* **Data Leak Sites:** 81 data leak sites are currently being tracked (up from 51 in early 2024).
## Implications
The alliance represents a significant consolidation in the cybercrime threat landscape, making the combination of these three groups a dominant force. If LockBit successfully rebuilds affiliate trust, the threat level from this coalition will significantly increase, driven by financial motives and potential revenge against law enforcement actions.
## Mitigations
* Maintain heightened vigilance against ransomware, especially attacks targeting critical infrastructure.
* Defenses should account for cross-platform capabilities (Windows, Linux, ESXi).
* Monitor for increased activity from all three groups globally, recognizing the expanding geographical focus beyond traditional hotspots.