Three of the most notorious ransomware-as-a-service operations have formed a criminal cartel aimed at coordinating attacks and sharing resources in what they describe as an increasingly “challenging” ransomware business environment.
DragonForce, Qilin, and LockBit announced the partnership in early September, with DragonForce proposing the collaboration shortly after LockBit reemerged with its LockBit 5.0 ransomware variant, according to a ReliaQuest report.
“Create equal competition conditions, no conflicts and no public insults,” DragonForce wrote in a post on dark web forums, translated from Russian. “ This way we can all increase our income and dictate market conditions. Call it whatever you like – coalition, cartel, etc. The main thing is to stay in touch, be friendly to each other, and be strong allies, not enemies.”
LockBit responded: “I completely agree with you. I don’t wish you anything bad. As people are to me, so I am to people,” according to communications reviewed by cybersecurity firm ReliaQuest.
DragonForce subsequently announced the coalition and invited other ransomware operators to join. “The coalition between Qilin, LockBit, and DragonForce is uniting our efforts as we collaboratively develop our direction,” ReliaQuest said in a report, showing a screengrab from DragonForce’s post.
Law enforcement pressure drives consolidation
The alliance comes as ransomware operators face mounting pressure from law enforcement disruptions. In February 2024, international authorities seized LockBit’s infrastructure, arrested members, and issued a warrant for the group’s alleged leader, significantly eroding affiliates’ trust in the once-dominant operation.
“This alliance could help restore LockBit’s reputation among affiliates following last year’s takedown, potentially triggering a surge in attacks on critical infrastructure and expanding the threat to sectors previously considered low risk,” Hayden Evans, the ReliaQuest threat researcher, wrote in the report.
Earlier this week, Qilin claimed responsibility for hacking Japan’s Asahi Group.
The partnership is expected to facilitate the sharing of techniques, resources, and infrastructure among the three groups, according to the report. In 2020, LockBit partnered with the Maze ransomware group in a collaboration that introduced double extortion tactics, combining system encryption with data theft, the report noted.
To date, ReliaQuest said it has not observed attacks indicating active collaboration between the three groups, nor has a new combined leak site been established. The groups continue to claim credit for their own attacks individually.
Critical infrastructure declared fair game
As part of LockBit’s return announcement, the group revealed that critical infrastructure sectors previously considered off-limits would now be permissible targets for its affiliates. “It is permissible to attack critical infrastructure such as nuclear power plants, thermal power plants, hydroelectric power plants, and other similar organizations,” the group stated, according to the report.
The authorization includes a challenge to law enforcement: “These authorizations remain in effect until an agreement is reached between the FBI and LockBit not to attack certain categories of targets. If you are reading this and these rules have not changed, then the FBI has not yet approached us for this agreement, and they are quite comfortable with the authorizations to attack the above categories of organizations.”
The move marks a significant departure from informal rules that have governed ransomware operations since the May 2021 Colonial Pipeline attack by the DarkSide group, which led to intense law enforcement scrutiny and the group’s eventual shutdown, the report said.
The FBI did not immediately respond to a request for comment.
Parallel alliance among English-speaking criminals
The DragonForce-Qilin-LockBit cartel follows a similar consolidation pattern among primarily English-speaking cybercrime collectives. Scattered Spider, ShinyHunters, and Lapsus$ began collaborating under the name Scattered Lapsus$ Hunters, launching a data-leak site in October that listed 39 companies whose Salesforce environments had allegedly been compromised, according to the report.
In late August, Scattered Spider announced plans to launch its own ransomware-as-a-service offering called ShinySp1d3r RaaS, claiming it would be “the best RaaS to ever live,” the report said.
Record fragmentation despite consolidation
The cartel formations come amid record fragmentation in the broader ransomware ecosystem. The number of active data-leak sites reached an all-time high of 81 in the third quarter of 2025, as smaller groups filled gaps left by disrupted major operations, the report said.
ReliaQuest recommended that organizations restrict remote desktop protocol and VPN access by using device-based certificates to block attackers using stolen credentials, as “ransomware affiliates are increasingly gaining access by simply authenticating to RDP or VPNs,” the report stated.
For critical infrastructure organizations now explicitly targeted by LockBit affiliates, ReliaQuest recommended implementing network segmentation using the Purdue Model, which establishes separate security zones with strict access controls and firewalls between IT and operational technology systems. “This limits ransomware from spreading between networks and reduces the impact of attacks,” the report stated.
No Responses