{"id":14930,"date":"2025-10-09T13:11:12","date_gmt":"2025-10-09T13:11:12","guid":{"rendered":"https:\/\/newestek.com\/?p=14930"},"modified":"2025-10-09T13:11:12","modified_gmt":"2025-10-09T13:11:12","slug":"lockbit-dragonforce-and-qilin-form-a-cartel-to-dictate-ransomware-market-conditions","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14930","title":{"rendered":"LockBit, DragonForce, and Qilin form a \u2018cartel\u2019 to dictate ransomware market conditions"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Three of the most notorious ransomware-as-a-service operations have formed a criminal cartel aimed at coordinating attacks and sharing resources in what they describe as an increasingly \u201cchallenging\u201d ransomware business environment.<\/p>\n<p>DragonForce, Qilin, and LockBit announced the partnership in early September, with DragonForce proposing the collaboration shortly after LockBit reemerged with its LockBit 5.0 ransomware variant, according to a ReliaQuest report.<\/p>\n<p>\u201cCreate equal competition conditions, no conflicts and no public insults,\u201d DragonForce wrote in a post on dark web forums, translated from Russian. \u201c This way we can all increase our income and dictate market conditions. Call it whatever you like \u2013 coalition, cartel, etc. The main thing is to stay in touch, be friendly to each other, and be strong allies, not enemies.\u201d<\/p>\n<p>LockBit responded: \u201cI completely agree with you. I don\u2019t wish you anything bad. As people are to me, so I am to people,\u201d according to communications reviewed by cybersecurity firm ReliaQuest.<\/p>\n<p>DragonForce subsequently announced the coalition and invited other ransomware operators to join. \u201cThe coalition between Qilin, LockBit, and DragonForce is uniting our efforts as we collaboratively develop our direction,\u201d ReliaQuest said in a <a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-ransomware-and-cyber-extortion-in-q3-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">report<\/a>, showing a screengrab from DragonForce\u2019s post.<\/p>\n<h2 class=\"wp-block-heading\" id=\"law-enforcement-pressure-drives-consolidation\">Law enforcement pressure drives consolidation<\/h2>\n<p>The alliance comes as ransomware operators face mounting pressure from <a href=\"https:\/\/www.csoonline.com\/article\/2121646\/lockbit-no-longer-the-worlds-no-1-ransomware-gang.html\" target=\"_blank\">law enforcement disruptions<\/a>. In February 2024, international authorities seized LockBit\u2019s infrastructure, arrested members, and issued a warrant for the group\u2019s alleged leader, significantly eroding affiliates\u2019 trust in the once-dominant operation.<\/p>\n<p>\u201cThis alliance could help restore LockBit\u2019s reputation among affiliates following last year\u2019s takedown, potentially triggering a surge in attacks on critical infrastructure and expanding the threat to sectors previously considered low risk,\u201d Hayden Evans, the ReliaQuest threat researcher, wrote in the report.<\/p>\n<p>Earlier this week, <a href=\"https:\/\/www.reuters.com\/world\/asia-pacific\/cybercriminals-claim-hack-japans-asahi-group-2025-10-07\/\" target=\"_blank\" rel=\"noreferrer noopener\">Qilin<\/a> claimed responsibility for hacking <a href=\"https:\/\/www.csoonline.com\/article\/4065991\/dont-drink-or-drive-say-cyberattackers.html\">Japan\u2019s Asahi Group<\/a>.\u00a0<\/p>\n<p>The partnership is expected to facilitate the sharing of techniques, resources, and infrastructure among the three groups, according to the report. In 2020, LockBit partnered with the Maze ransomware group in a collaboration that introduced double extortion tactics, combining system encryption with data theft, the report noted.<\/p>\n<p>To date, ReliaQuest said it has not observed attacks indicating active collaboration between the three groups, nor has a new combined leak site been established. The groups continue to claim credit for their own attacks individually.<\/p>\n<h2 class=\"wp-block-heading\" id=\"critical-infrastructure-declared-fair-game\">Critical infrastructure declared fair game<\/h2>\n<p>As part of LockBit\u2019s return announcement, the group revealed that critical infrastructure sectors previously considered off-limits would now be permissible targets for its affiliates. \u201cIt is permissible to attack critical infrastructure such as nuclear power plants, thermal power plants, hydroelectric power plants, and other similar organizations,\u201d the group stated, according to the report.<\/p>\n<p>The authorization includes a challenge to law enforcement: \u201cThese authorizations remain in effect until an agreement is reached between the FBI and LockBit not to attack certain categories of targets. If you are reading this and these rules have not changed, then the FBI has not yet approached us for this agreement, and they are quite comfortable with the authorizations to attack the above categories of organizations.\u201d<\/p>\n<p>The move marks a significant departure from informal rules that have governed ransomware operations since the <a href=\"https:\/\/www.csoonline.com\/article\/570705\/colonial-pipeline-shutdown-highlights-need-for-better-ot-cybersecurity-practices.html?utm=hybrid_search\">May 2021 Colonial Pipeline attack<\/a> by the DarkSide group, which led to intense law enforcement scrutiny and the group\u2019s eventual shutdown, the report said.<\/p>\n<p>The FBI did not immediately respond to a request for comment.<\/p>\n<h2 class=\"wp-block-heading\" id=\"parallel-alliance-among-english-speaking-criminals\">Parallel alliance among English-speaking criminals<\/h2>\n<p>The DragonForce-Qilin-LockBit cartel follows a similar consolidation pattern among primarily English-speaking cybercrime collectives. <a href=\"https:\/\/www.csoonline.com\/article\/4020567\/anatomy-of-a-scattered-spider-attack-a-growing-ransomware-threat-evolves.html\">Scattered Spider<\/a>, ShinyHunters, and Lapsus$ began collaborating under the name Scattered Lapsus$ Hunters, launching a data-leak site in October that listed 39 companies whose Salesforce environments had allegedly been compromised, according to the report.<\/p>\n<p>In late August, Scattered Spider announced plans to launch its own ransomware-as-a-service offering called ShinySp1d3r RaaS, claiming it would be \u201cthe best RaaS to ever live,\u201d the report said.<\/p>\n<h2 class=\"wp-block-heading\" id=\"record-fragmentation-despite-consolidation\">Record fragmentation despite consolidation<\/h2>\n<p>The cartel formations come amid record fragmentation in the broader ransomware ecosystem. The number of active data-leak sites reached an all-time high of 81 in the third quarter of 2025, as smaller groups filled gaps left by disrupted major operations, the report said.<\/p>\n<p>ReliaQuest recommended that organizations restrict remote desktop protocol and VPN access by using device-based certificates to block attackers using stolen credentials, as \u201cransomware affiliates are increasingly gaining access by simply authenticating to RDP or VPNs,\u201d the report stated. <\/p>\n<p>For critical infrastructure organizations now explicitly targeted by LockBit affiliates, ReliaQuest recommended implementing network segmentation using the Purdue Model, which establishes separate security zones with strict access controls and firewalls between IT and operational technology systems. \u201cThis limits ransomware from spreading between networks and reduces the impact of attacks,\u201d the report stated.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Three of the most notorious ransomware-as-a-service operations have formed a criminal cartel aimed at coordinating attacks and sharing resources in what they describe as an increasingly \u201cchallenging\u201d ransomware business environment. DragonForce, Qilin, and LockBit announced the partnership in early September, with DragonForce proposing the collaboration shortly after LockBit reemerged with its LockBit 5.0 ransomware variant, according to a ReliaQuest report. \u201cCreate equal competition conditions, no&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14930\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14930","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14930","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14930"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14930\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14930"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}