Quick Takeaways
- Three major ransomware groups—DragonForce, Qilin, and LockBit—formed an alliance in September 2025 to counter increased law enforcement pressure and fragmentation in the ransomware ecosystem.
- Ransomware attacks rose by 61% in 2025, but the share of attacks by top groups declined from 54.8% in 2024 to 53.1%, indicating diversification across more groups.
- Victims are increasingly refusing to pay ransoms, with median payments dropping 65% in Q3 2025, forcing ransomware groups to adapt their operational strategies.
- While Qilin is highly active and growing post-alliance, LockBit’s inactivity suggests the coalition may be more symbolic, with some groups seeking reputation preservation rather than operational integration.
What’s the Problem?
In September 2025, three major ransomware groups (DragonForce, Qilin, and LockBit) formed an alliance, signaling an alarming shift in the cybercrime landscape. The decision was announced on a Russian underground forum, where the groups declared their unity in response to intensified law enforcement crackdowns that had successfully dismantled key infrastructure and led to international arrest warrants against operators.
Experts from Yarix analyzed the situation, noting that recent data showed ransomware attacks had increased by 61% compared to the previous year, yet the dominance of top groups was waning, with their combined share dropping from 54.8% to 53.1%. This fragmentation indicates that ransomware operators are spreading out rather than consolidating, as victims increasingly refuse to pay, forcing criminals to adapt their tactics.
Notably, Qilin displayed a significant rise in activity following the alliance announcement, suggesting that even if the merger is largely symbolic, especially considering LockBit’s inactivity, the alliance could still boost recruitment and visibility within the cybercriminal community. Meanwhile, LockBit’s silence hints at ongoing recovery struggles after recent law enforcement disruptions, leaving questions about the alliance’s true operational effectiveness.
This development has profound implications for cybersecurity and law enforcement efforts. The alliance was reported by Yarix, a cybersecurity research firm, and underscores the growing sophistication and boldness of cybercriminal groups. The increased attack frequency, combined with reduced ransom payments, which dropped 65% in Q3 2025, reflects a hardened criminal ecosystem that is seeking new ways to operate amid mounting pressure. Ultimately, the alliance’s purpose appears to be more strategic than operational, possibly serving as a branding move to maintain relevance and attract new talent, even as law enforcement continues to challenge their infrastructure and tactics.
Risks Involved
The recent uncovering of an alliance between Qilin, DragonForce, and LockBit highlights a growing threat that any business can face. Because these groups work together to target organizations with sophisticated cyberattacks, your business could become a prime target. If these cybercriminals gain access, they can steal sensitive data, disrupt operations, and cause financial loss. Moreover, the reputation damage from a breach can be long-lasting, affecting customer trust and future growth. Consequently, understanding this alliance and strengthening your cybersecurity defenses becomes critical. Without proactive measures, your business remains vulnerable, and the risks escalate quickly, potentially leading to severe consequences.
Possible Actions
Understanding the rapid pace at which cyber threats evolve is crucial, especially when emerging research reveals alliances between advanced threat groups like Qilin, DragonForce, and LockBit. Timely remediation in this context is more than a best practice: it is vital to minimizing potential damage, preventing further breaches, and maintaining organizational resilience in line with the NIST Cybersecurity Framework (CSF). Swift action ensures vulnerabilities are addressed before malicious actors can exploit them, safeguarding sensitive data and maintaining trust.
Assessment & Detection
- Conduct thorough threat intelligence analysis to identify the extent of infiltrations
- Deploy advanced monitoring tools to detect malicious activities swiftly
- Initiate incident detection protocols following best practices
Containment
- Isolate affected systems from the network promptly
- Disable compromised accounts and services
- Limit lateral movement of threat actors within the network
Eradication
- Remove malicious files, malware, and unauthorized access points
- Apply patches and updates to vulnerable systems
- Revoke and rotate compromised credentials
Recovery
- Restore systems from secure backups
- Verify system integrity before reconnecting to the network
- Monitor for residual or recurring threats
Post-Incident Actions
- Conduct a comprehensive forensic analysis
- Review and update security policies and procedures
- Strengthen defenses based on lessons learned, including enhanced threat hunting and employee training
