In Depth Analysis of the Alleged Qilin, DragonForce and LockBit Alliance
Summary:
On September 15, 2025, a Russian underground forum post by the user "dragonforce" announced the formal creation of an alliance between DragonForce, Qilin, and LockBit. The message presented this coalition as a strategic necessity to navigate a "challenging" ransomware criminal ecosystem, presumably alluding to the increasingly aggressive international law enforcement disruptions, such as Operation Cronos (LockBit). Despite the high-profile branding of this ransomware cartel, threat intelligence data suggests a stark divergence between the operational health of its member groups. While Qilin has ascended to become the most active group in 2025, accounting for over 13% of total claims and briefly overtaking Akira in volume, the LockBit brand appears to be in a state of decline. LockBit has published no new victims since May 2025, and its attempt to regain community trust via a LockBit 5.0 release was met with skepticism; notably, the XSS forum community voted against unbanning the "LockBitSupp" account approximately a week before the alliance was announced.
Beyond the alliance, the 2025 ransomware ecosystem is defined by extreme fragmentation rather than consolidation. While total ransomware claims rose approximately 61% year-over-year (comparing Jan-Nov 2025 to 2024), the market share of the top 10 groups actually decreased, indicating a proliferation of smaller groups in the absence of a dominant actor. This fragmentation is paired with a critical decline in financial viability: the median ransom payment dropped 65% from Q2 to Q3 2025, to approximately $140,000, and the percentage of victims who opted to pay hit another all-time low of 23%, continuing a steady decline. In response to these diminishing returns and the high visibility of encryption-based attacks, the most notorious actors appear to be pivoting toward extortion based solely on data exfiltration, according to the Yarix CTI team. Notably, the team's findings indicate that LockBit's return is too insignificant to materially affect its trends or assessments.
Security Officer Comments:
The Qilin/DragonForce/LockBit alliance should be interpreted by the community primarily as a reputational revitalization maneuver rather than a genuine operational merger. The absence of a "central power" in the ransomware landscape for the better part of the year appears to have driven the remnants of LockBit into this partnership as a symbiotic attempt to boost each member's individual brand relevance, and LockBit's release of the "new" 5.0 malware version serves as another apparent attempt to signal its return. For Qilin and DragonForce, the association serves as a powerful recruitment tool that likely aims to capitalize on the announcement's marketing effect. The spike in Qilin's activity in October 2025, following the announcement, suggests an influx of affiliates drawn by the triumvirate's branding, even if the underlying infrastructure remains separate.
Groups like Hunters International (rebranded as World Leaks in 2025) and Cl0p (Oracle EBS vulnerabilities) have demonstrated the broader trend being adopted: focusing on exfiltration and forgoing encryption significantly reduces a group's exposure and avoids the technical hurdles of encrypting data stealthily, a trend likely to dominate 2026. Threat actors appear to be deprioritizing system encryption in favor of high-volume exfiltration via CVE exploitation to increase dwell time within victim environments, as further exemplified by the PoC exploit for the Oracle EBS vulnerabilities leaked by Scattered Lapsus Hunters on Telegram and by Qilin's joint operation with Moonstone Sleet against a South Korean MSP. DragonForce has been linked to Scattered Spider following the wave of April 2025 attacks that primarily hit the UK retail sector, and Scattered Spider continued to act as an initial access broker (IAB) for DragonForce actors in the second half of 2025, emphasizing the interconnectedness of the cybercriminal ecosystem. Defenders should plan to adjust for this shift in ransomware extortion models as we transition into 2026.
Suggested Corrections:
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because it allows your organization to restore systems if its network data is encrypted by ransomware.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: Nothing reveals the gaps in a plan more than testing it. Run through some core questions and use the answers to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There has been a recent shift in ransomware attacks – from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks. Identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails.
Implement multi-factor authentication (MFA): External-facing assets that rely on single-factor authentication (SFA) are highly susceptible to brute-force attacks, password spraying, and unauthorized remote access using valid (stolen) credentials. Implementing MFA adds an extra layer of protection against these techniques.
Link(s):
https://labs.yarix.com/2025/12/in-depth-analysis-of-the-alleged-qilin-dragonforce-and-lockbit-alliance/