In a dramatic turn in the ransomware landscape, three of the most powerful ransomware-as-a-service (RaaS) groups—LockBit, Qilin, and DragonForce—have entered into a strategic alliance. The newly formed coalition marks a shift toward collaboration at the highest levels of cybercriminal operations, threatening a greater scale and sophistication of attacks.
LockBit, after a period of relative dormancy following law enforcement pressure, made its resurgence in September 2025 with the announcement of LockBit 5.0, its most advanced affiliate offering to date. With this return came an alliance: LockBit has aligned itself with Qilin, already a leading name in global ransomware activity, and DragonForce, which operates under a cartel-style model. The alliance is being framed by participants and analysts alike as a cartel: a coordinated partnership to share resources, tactics, and influence rather than merely a loose collaboration.
As described in a recent report from ReliaQuest, the alliance aims to merge the strengths of all three actors—ranging from infrastructure and affiliate recruitment, to technical operations—to “increase their effectiveness and operational strength.” Because LockBit had once been the leading name in ransomware, its reentry with new capabilities, combined with partnerships with two already strong groups, carries significant implications for global cyber risk
Why This Alliance Matters
Collaborations among ransomware groups are not entirely new—LockBit previously aligned with the Maze group in 2020, introducing double extortion tactics and combining leak site resources. But the scale of this new triad, and its composition, sets it apart.
First, the alliance could help re-establish LockBit’s affiliate base. After law enforcement disruption in 2024, many former affiliates drifted to other groups like Qilin or independent operations. By partnering, LockBit seeks to regain relevance and recruit more aggressively.
Second, the coalition fosters resource sharing. Techniques, infrastructure (such as leak sites, negotiation tools, or data exfiltration platforms), and affiliate networks may be leveraged across the groups, offering “economies of scale” in cyber extortion operations. This could lead to faster deployment, more complex hybrid attacks, and broader reach into sectors that were previously peripheral to ransomware targeting.
Third, the alliance raises the stakes for critical infrastructure. LockBit 5.0 explicitly authorizes affiliates to attack targets—such as power plants, dams, and utilities—that had traditionally been off-limits for many groups to avoid provoking intense law enforcement focus. With the backing of coalition partners, these ambitions may expand.
Moreover, the alliance sends a message to the broader cybercrime ecosystem: competition is giving way to coordination. Observers note that such cartel-style frameworks may reduce infighting, normalize shared operations, and marginalize smaller, fragmented groups.
Current Context and Threat Landscape
According to ReliaQuest, Q3 2025 saw the number of active data-leak sites surge to 81—a record high—reflecting a fragmentation of ransomware activity and proliferation of smaller groups filling the gaps left by disrupted giants. While many smaller actors operate regionally or opportunistically, the new alliance re-centralizes threat potential in fewer, more powerful hands.
Qilin has been especially aggressive. In Q3 alone, it hit a record number of victims and used marketing tactics—such as running advertisements on dark web hacking forums—to recruit affiliates. DragonForce, meanwhile, has developed a cartel model since early 2025, allowing affiliates to run customized attacks under independent branding while leveraging shared infrastructure. In 2025 it also conducted a supply chain attack against a managed services provider using vulnerabilities in the SimpleHelp tool. The pairing of these capabilities with LockBit’s history and reach creates a formidable force.
Since LockBit’s takedown in early 2024 under “Operation Cronos” and the disruption of RansomHub, affiliates have been up for grabs. Qilin, DragonForce, and others absorbed many of those displaced actors. The new alliance may formalize what was already taking place: consolidation of talent, tools, and targeting power.
The coalition does not necessarily guarantee seamless operations. Differences in culture, priorities, trust, and risk tolerance among the groups could prove friction points. Law enforcement disruption remains a constant threat, especially as attacks touch critical infrastructure. Publicity, attribution, and cross-border legal pressure grow when more capable groups coordinate.
Still, some likely trajectories are already evident. We may see:
- Increases in hybrid attacks combining encryption, exfiltration, and double extortion, but executed at greater speed and scale.
- Expansion of targeting into previously avoided sectors—particularly critical infrastructure—under the justification of new affiliate mandates.
- More professionalization of ransomware operations, with shared services (leak sites, negotiation tools, affiliate on-boarding) being used across brands.
- Pressure on smaller ransomware groups to either align, merge, or be sidelined.
- Greater unpredictability in victims’ geography and sector, as the alliance could extend reach into regions with weaker defenses or less oversight.
What was once fierce competition is giving way to a cartel model that combines scale, finance, and technical strength. The reshuffling of ransomware power dynamics demands heightened vigilance from defenders, as attacks may become more frequent, more aggressive, and less predictable. The ransomware terrain is being redrawn—and this coalition may dictate much of the shape in the months ahead.
