Full Report
Here’s a must-read post, especially if you read and repeated claims that DragonForce, Qilin, and LockBit have formed some kind of cartel. Marco A. De Felice writes on SuspectFile: In the recently published “Threat Spotlight: Ransomware and Cyber Extortion in Q3 2025” by ReliaQuest, one particular section drew significant attention: the claim of an alleged “alliance” between three ransomware...
Analysis Summary
This article summarizes an analysis of a cybersecurity report rather than detailing a specific, technical security incident. Therefore, the timeline focuses on the *publication and analysis* of the report, and the "impact" relates to the dissemination of potentially unverified information.
# Incident Report: Analysis of Unverified Ransomware Alliance Claim
## Executive Summary
This summary concerns the analysis of claims made in ReliaQuest's Q3 2025 Ransomware Report, specifically the assertion that ransomware groups LockBit, DragonForce, and Qilin formed a cooperative alliance. Subsequent independent analysis by SuspectFile found no verifiable technical indicators or evidence supporting this alleged cartel. The primary impact stems from the rapid, uncritical dissemination of this uncorroborated information across media outlets.
## Incident Details
- Discovery Date: October 16, 2025 (Date of the analysis report)
- Incident Date: Q3 2025 (Period covered by the original ReliaQuest report)
- Affected Organization: ReliaQuest (Source of the initial, controversial claim)
- Sector: Cybersecurity Intelligence/Reporting
- Geography: Global (as the report discusses global threat actors)
## Timeline of Events
### Initial Access
- Date/Time: Q3 2025 (Source report publication window)
- Vector: Publication of the "Threat Spotlight: Ransomware and Cyber Extortion in Q3 2025" report by ReliaQuest.
- Details: The report contained a section claiming an alleged cooperative relationship ("alliance" or "cartel") between LockBit, DragonForce, and Qilin, sharing resources and affiliates.
### Lateral Movement
- Date/Time: Immediately following publication (Oct 2025)
- Vector: Media amplification and uncontrolled reporting.
- Details: The unverified claim rapidly spread across various media outlets, which treated the assertion as established fact without empirical verification or primary source consultation.
### Data Exfiltration/Impact
- Date/Time: Ongoing analysis period
- Vector: Information credibility degradation.
- Details: The primary impact was a loss of scrutiny in threat reporting, which necessitated counter-analysis (by SuspectFile and ZeroFox) emphasizing the lack of technical evidence for the alliance.
### Detection & Response
- Date/Time: Post-publication (October 2025)
- Vector: Independent threat intelligence review.
- Details: ZeroFox urged caution regarding uncorroborated claims. SuspectFile conducted primary research, including receiving a denial from Qilin, to debunk the centralized cartel theory due to a lack of shared code or infrastructure.
## Attack Methodology
*Note: Since this is an analysis of a report flaw, not a direct technical compromise, the methodology sections refer to the critique applied to the intelligence:*
- Initial Access: Dissemination of an unverified intelligence claim.
- Persistence: Media amplification treating speculation as fact.
- Privilege Escalation: Not applicable in a technical sense.
- Defense Evasion: Not applicable in a technical sense.
- Credential Access: Not applicable.
- Discovery: Independent verification efforts by analysts.
- Lateral Movement: Not applicable.
- Collection: Gathering denials and cross-referencing technical indicators.
- Exfiltration: N/A.
- Impact: Erosion of trust in threat reports due to unverified assertions.
## Impact Assessment
- Financial: Not directly applicable (no organizational breach reported).
- Data Breach: N/A.
- Operational: Potential misallocation of defensive resources based on false threat consolidation.
- Reputational: Temporary damage to the perceived rigor of the initial reporting organization's methodology, prompting a detailed rebuttal from independent analysts.
## Indicators of Compromise
- Network indicators (defanged): N/A (No specific malware or infrastructure indicators tied to the claimed alliance were validated).
- File indicators: N/A.
- Behavioral indicators: Reliance on uncorroborated claims as actionable intelligence.
## Response Actions
- Containment measures: ZeroFox and SuspectFile actively worked to "contain" the spread of the unverified narrative by requiring empirical backing.
- Eradication steps: Publishing critical analysis pointing out the lack of technical forensics supporting the alliance claim.
- Recovery actions: Qilin flatly denied the association.
## Lessons Learned
- Key takeaways: Claims of highly coordinated, multi-group ransomware "cartels" must be supported by robust, verifiable technical evidence (e.g., shared code, infrastructure).
- What could have been done better: The original reporting body (ReliaQuest) may have published claims prematurely without sufficient methodological rigor or external validation.
## Recommendations
- Prevention measures for similar incidents: Intelligence consumers and media must prioritize primary source validation, demanding technical forensics over speculative narrative construction when assessing ransomware group relationships.
- All reporting entities should adopt stricter verification protocols before publishing major threat landscape shifts.