LockBit, Qilin, and DragonForce: New Alliance Among Ransomware Groups

Three of the most well-known ransomware groups (DragonForce, LockBit, and Qilin) have joined forces in a new strategic alliance, underscoring the ever-evolving landscape of cyber threats.

This collaboration has a clear goal: to carry out more effective and coordinated attacks by combining technical resources, ideological motivations, and financial objectives. At TecnetOne, we explain what this alliance means, why it should concern you, and how it could impact businesses, governments, and everyday users around the world.

Why Does the Alliance Between LockBit, Qilin, and DragonForce Mark a Turning Point?

This alliance between LockBit, Qilin, and DragonForce was announced shortly after LockBit’s return to the scene, and all signs point to an effort to share techniques, resources, and infrastructure to strengthen each group’s operational capabilities. In simple terms: working together allows them to launch faster, more powerful, and harder-to-stop attacks.

Moreover, this move may be part of LockBit’s attempt to rebuild its reputation among affiliates after the major blow it suffered when it was dismantled last year. If this collaboration solidifies, we’ll likely see a surge in attacks targeting critical infrastructure, as well as an expansion of their targets to sectors that were previously not on their radar.

As for Qilin, its involvement comes as no surprise. It has become one of the most active ransomware groups of the year, with over 200 documented attacks in the third quarter of 2025 alone. Many of its operations have focused on North American organizations, cementing its position as one of the most aggressive players at the moment.

This development also coincides with the launch of LockBit 5.0, a more advanced version of its ransomware compatible with Windows, Linux, and ESXi systems. The new variant was introduced on September 3, 2025, in a well-known darknet forum, just as LockBit was celebrating the sixth anniversary of its affiliate program.

In early 2024, LockBit suffered a major blow following an international operation known as “Cronos,” which led to the seizure of its infrastructure and the arrest of several of its members. It was a significant setback for one of the most active ransomware groups in the world.

At the peak of its activity, LockBit was behind more than 2,500 attacks worldwide and is believed to have received over $500 million in ransom payments—a figure that clearly demonstrates the level of impact it once had.

Now, with its return, many experts believe that if LockBit manages to regain the trust of its affiliates, it could once again position itself as one of the top threats in the ransomware ecosystem. This time, driven not only by financial interests but also by a likely desire for revenge against the law enforcement agencies that dismantled it.

Weekly Frequency of R&D Incidents During the Third Quarter of 2025

Read more: Should You Pay Ransom After a Cyberattack? What You Need to Know

Ransomware Shows No Signs of Slowing: New Alliances, More Actors, and Global Attacks

The return of LockBit and its alliance with Qilin and DragonForce isn’t happening in a vacuum. As this trio gains strength, another actor threatens to shake up the landscape: Scattered Spider. This group, known for its aggressive extortion tactics, appears to be on the verge of launching its own ransomware-as-a-service (RaaS) program, called ShinySp1d3r. If confirmed, it would be the first RaaS offering developed by an English-speaking collective—marking a new chapter in the evolution of cybercrime.

At the same time, the growth of criminal infrastructure online is being closely monitored. Currently, 81 active data leak sites are being tracked, up from 51 at the beginning of 2024—a significant increase in just a few months.

Among the victims, companies in the professional, scientific, and technical services sector lead the statistics, with over 375 organizations affected so far this year. Other frequently targeted sectors include:

1. Manufacturing

2. Construction

3. Healthcare

4. Finance and Insurance

5. Retail

6. Education

7. Hospitality and Food Services

8. Entertainment

9. Information Technology

10. Real Estate

A notable trend in 2025 is the rise in attacks in countries like Egypt, Thailand, and Colombia. This suggests that ransomware groups are seeking new regions to operate with less law enforcement pressure, moving away from traditional hotspots like Western Europe and the United States.

Nevertheless, the vast majority of victims are still located in the U.S., Germany, the U.K., Canada, and Italy, where attackers continue to find targets with high digital exposure and economic value.

Ransomware and Digital Extortion by the Numbers

During the third quarter of 2025, at least 1,429 ransomware and digital extortion (R&DE) incidents were reported. Although this represents a slight decrease compared to the first quarter (1,961 incidents), the level of activity remains extremely high.

Five groups were responsible for nearly half (47%) of all global R&DE attacks during the second and third quarters of 2025:

1. Qilin

2. Akira

3. INC Ransom

4. Play

5. SafePay

Read more: ransomware en mexico

Why Does North America Remain the Primary Target?

Attacks continue to disproportionately target companies based in North America—and this is no coincidence. Beyond the financial appeal, geopolitical and ideological motivations play a key role. Many of these groups strongly oppose Western political and social narratives and use ransomware as a means of pressure and retaliation.

Additionally, North America’s advanced technology landscape makes it more exposed. Sectors with high adoption of cloud services, IoT devices, and complex digital infrastructures offer a broader attack surface and more lucrative opportunities for cybercriminals.

Conclusion

Ransomware isn’t just here to stay—it’s becoming more sophisticated and harder to stop. Cybercriminal groups no longer operate alone: they now share tools, strategies, and infrastructure to launch more coordinated and effective attacks.

On top of that, the threat map is shifting: attacks are spreading to new countries and sectors, while data leak sites continue to rise. All signs point to a criminal ecosystem that’s not just growing, but also diversifying.

For businesses (big or small) the message is clear: investing in cybersecurity isn’t a luxury; it’s a critical necessity. And it’s not just about prevention.

Being prepared to respond when something goes wrong is equally important. That’s why having a well-defined incident response plan is more crucial than ever. Knowing what to do in the first few hours after an attack can make the difference between a quick recovery and a crisis that paralyzes your business.

Having clear protocols, trained teams, and an active recovery strategy can help you:

1. Minimize damage

2. Reduce downtime

3. Protect your reputation

4. Avoid costly mistakes under pressure

In short, it’s not enough to lock the door—you need to know what to do if someone breaks in. Digital resilience starts with preparation.