LockBit, Qilin & DragonForce Join Forces in Ransomware ‘Cartel’
Summary
Three major ransomware and extortion groups — LockBit, Qilin and DragonForce — have announced a coalition-style collaboration, inviting other cybercriminal partners to join. Security researchers (ReliaQuest) warn the move could enable sharing of techniques, infrastructure and affiliates, potentially strengthening attack capabilities. The coalition follows LockBit’s release of LockBit 5.0 and its stated intent to target critical infrastructure, and comes after LockBit suffered significant disruptions from law enforcement in the previous year.
Key Points
- DragonForce publicly announced a “coalition” with LockBit and Qilin and invited other affiliates to join.
- ReliaQuest research suggests the collaboration could enable resource, tactic and infrastructure sharing among the groups.
- The cartel could restore LockBit’s underground reputation after last year’s law-enforcement disruptions and sanctions.
- There is concern the coalition may revive or expand double-extortion and other high-impact tactics used in prior partnerships.
- Security guidance remains unchanged: patch public-facing systems, limit RDP access, use device-based certificates and maintain robust endpoint defences.
Content Summary
The article summarises a new collaboration between LockBit, Qilin and DragonForce, contextualising it with LockBit’s prior takedown and recent launch of LockBit 5.0. Analysts say the partnership could lend credibility to LockBit and facilitate sharing that makes each group’s operations more resilient and effective. However, experts also note legal and business risks for smaller groups — for example, sanctions on LockBit could deter US victims from paying ransoms if money is routed to a sanctioned actor. Practical defensive recommendations from ReliaQuest are reiterated for organisations at risk.
Context and Relevance
This development sits within an ongoing trend of more organised, collaborative behaviours among ransomware-as-a-service (RaaS) operators — previously seen when LockBit allied with Maze, which helped normalise double extortion. For security teams, the coalition could mean faster dissemination of novel techniques and increased pressure on victims. For defenders and CISOs, it amplifies the need to prioritise patching, tighten remote access controls and review incident response plans. For legal and compliance teams, the potential intersection with sanctions makes ransom payment decisions riskier.
Why should I read this?
Short version: this could change the bad-guys’ playbook. If you’re responsible for cyber defences, risk or incident plans, it’s worth a quick read so you know whether to tighten patching, restrict remote access or recheck ransom-payment policies. We’ve done the heavy lifting — this tells you what actually matters and what actions to think about now.