Redazione RHC : 9 October 2025 11:46
Three major ransomware groups— DragonForce, Qilin, and LockBit —have announced an alliance. This is essentially an attempt to coordinate the activities of several major ransomware-as-a-service (RaaS) operators; analysts warn that such consolidation could increase the reach and effectiveness of attacks.
DragonForce has initiated the merger. In early September, almost simultaneously with the release of LockBit 5.0, DragonForce representatives publicly proposed to their “colleagues” that they end their internal squabbles and agree on “market rules”: a level playing field, a stop to public insults, and mutual support.
LockBit responded positively, and DragonForce subsequently officially announced the alliance between the three gangs, inviting other ransomware teams to join them.
Analysts see this as a sign of a dangerous trend. A ReliaQuest report for the third quarter of 2025 noted that the merger could lead to more frequent and coordinated campaigns and a wider spread of attacks, including on critical infrastructure.
It’s possible the alliance could help LockBit recover from a major law enforcement attack in 2024. Then, in February, international operations led to the seizure of servers, domain names, and decryption keys; in May, investigators also linked the group to a specific individual, Dmitry Yuryevich Khoroshev, who, however, remains at large. These actions undermined the trust of its affiliates, and many former LockBit partners have defected to other groups.
It is important to note that a unified alliance infrastructure has not yet been created : no common data dumping website or single data leak portal has emerged, and each gang continues to claim responsibility for its own operations.
Qilin, for example, publicly announced its attack on Asahi Beer, while LockBit and DragonForce continue to publish their attacks separately. Nonetheless, sharing expertise and resources, from tools to customer databases, inherently expands the attackers’ capabilities.
Of particular concern is the shift in LockBit’s rhetoric since the release of version 5.0: in its documentation, the group has eliminated previous taboos and explicitly stated that attacks on critical infrastructure (power plants and similar facilities) are now permitted unless a separate agreement is reached with the FBI. This means that, at least apparently, operators now consider it acceptable to attack sectors they previously avoided.
Meanwhile, an English-speaking hacker group is also developing: Scattered Spider, ShinyHunters, and Lapsus$ have announced a new coalition called Scattered Lapsus$ Hunters and launched their own leak site, which has already published data on several companies.
ReliaQuest warns that this group could evolve into a RaaS provider, combining social engineering expertise with encryption technologies.
Researchers view the emergence of such alliances as a transition to a new phase in the criminal economy: instead of fragmented competition, ransomware groups are beginning to build stable “commercial” ties, sharing code, infrastructure, and data distribution channels. This makes attacks more widespread and difficult to stop, as the criminals’ resources, size, and professionalism simultaneously increase.
Redazione