LockBit, Qilin, and DragonForce Join Forces to Dominate the Ransomware Ecosystem

Three prominent ransomware groups DragonForce^[1], LockBit^[2], and Qilin^[3] have announced a new strategic ransomware alliance, once underscoring continued shifts in the cyber threat landscape.

The coalition is seen as an attempt on the part of the financially motivated threat actors to conduct more effective ransomware attacks, ReliaQuest said^[4] in a report shared with The Hacker News.

“Announced shortly after LockBit’s return, the collaboration is expected to facilitate the sharing of techniques, resources, and infrastructure, strengthening each group’s operational capabilities,” the company noted in its ransomware report for Q3 2025.

“This alliance could help restore LockBit’s reputation among affiliates following last year’s takedown, potentially triggering a surge in attacks on critical infrastructure and expanding the threat to sectors previously considered low risk.”

The partnership with Qilin is no surprise, given that it has become the most active^[5] ransomware group in recent months^[6], claiming a little over 200 victims in Q3 2025 alone.

“In Q3 2025, Qilin disproportionately targeted North America-based organizations,” ZeroFox said^[7] in its Q3 2025 Ransomware Wrap-Up report. “Qilin’s operational tempo began to increase significantly in Q4 2024, when the collective conducted at least 46 attacks.”

The development coincides with the emergence of LockBit 5.0^[8], which is equipped to target Windows, Linux, and ESXi systems. The latest iteration was first advertised on September 3, 2025, on the RAMP darknet forum on the sixth anniversary of the affiliate program.

LockBit was dealt a massive blow in early 2024^[9] following a law enforcement operation dubbed Cronos that seized its infrastructure^[10] and led to the arrest of some of its members^[11]. At its peak, the group is estimated to have targeted over 2,500 victims worldwide and received more than $500 million in ransom payments.

“If the group manages to rebuild its trust among affiliates, it could reemerge as a dominant ransomware threat, driven by financial motives and by a desire for revenge against law enforcement crackdowns,” ReliaQuest said.

R&DE incidents by week in Q3 2025

The return of LockBit and its alliance comes as the threat actor known as Scattered Spider appears to be gearing up to launch its own ransomware-as-a-service (RaaS) program called ShinySp1d3r^[12], making it the first such service by an English-speaking extortion crew.

ReliaQuest said it’s tracking a total of 81 data leak sites, a significant jump from 51 reported in early 2024. Companies in the professional, scientific, and technical services sector account for the largest number of victims during the time period, surpassing 375.

Manufacturing, construction, healthcare, finance and insurance, retail, accommodation and food services, education, arts and entertainment, information, and real estate are some of the other commonly affected sectors.

Another noteworthy trend is the spike in ransomware attacks targeting countries like Egypt, Thailand, and Colombia, indicating that threat actors are expanding beyond “traditional hotspots” such as Europe and the U.S. to evade law enforcement scrutiny. The vast majority of the victims listed on data leak sites are based in the U.S., Germany, the U.K., Canada, and Italy.

According to data from ZeroFox, there have been a total of at least 1,429 separate ransomware and digital extortion (R&DE) incidents in Q3 2025, down from 1,961 incidents observed in Q1 2025. Qilin, Akira, INC Ransom, Play, and SafePay have been found to be responsible for approximately 47 percent of all global R&DE attacks in Q2 and Q3 2025.

“The disproportionate targeting of North America-based entities can be partly attributed to the geopolitical motivations and ideological beliefs of financially motivated threat collectives fueled by opposition to ‘Western’ political and social narratives,” the company said.

“North America hosts a wide variety of robust industries that comprise substantial and fast-growing digital attack surfaces. The widespread integration of technologies such as cloud networking services and Internet of Things devices contributes to the accessibility of North American assets.”