    3 infamous ransomware crews collab to ‘maximize income’

    Following in the footsteps of an earlier unholy alliance between three other cybercrime crews, ransomware-as-a-service giants DragonForce, Qilin, and LockBit claim to be collaborating on ransomware attacks. 

    In early September, around the time when LockBit reemerged with its new LockBit 5.0 ransomware variant, fellow RaaS crew DragonForce proposed a partnership.

    “Create equal competition conditions, no conflicts and no public insults…” the criminals said, in a post (translated from Russian) that was later shared on social media by cyber sleuths, including those at malware collector vx-underground.

    “This way we can all increase our income and dictate market conditions,” it continues. “Call it whatever you like – coalition, cartel, etc. The main thing is to stay in touch, be friendly to each other, and be strong allies, not enemies.”

    To which LockBit replied: “I completely agree with you. I don’t wish you anything bad. As people are to me, so I am to people.”

    Soon after, DragonForce announced the coalition between the three Russian-speaking groups and told other criminals, “Our doors are open to anyone who cares about the future of our challenging field. If you have a partnership program, feel free to reach out to us, and together we can maximize our overall income!”

    This partnership is “poised to drive more frequent and effective ransomware attacks,” according to security vendor ReliaQuest’s third-quarter 2025 ransomware report, adding that the collab could also help restore LockBit’s reputation after last year’s takedown by law enforcement.

    In February 2024, international cops seized servers, domain infrastructure, and decryption keys in an effort to dismantle the group, and in May, they outed LockBitSupp’s true identity – although Dmitry Yuryevich Khoroshev, a Russian national, remains at large.

    The law enforcement efforts, however, eroded affiliates’ confidence in the infamous crime gang, and many of these criminals fled to other ransomware collectives, including RansomHub, before that group disappeared early this year.

    So far, DragonForce, Qilin, and LockBit haven’t launched a combined leak site, and the gangs are still taking credit for their own work – most notably, Qilin alone claimed the Asahi beer breach. Even so, defenders should take note of the groups working together.

    The collaboration could potentially trigger “a surge in attacks on critical infrastructure and expand the threat to sectors previously considered low risk,” the Q3 report said.

    “To date, ReliaQuest has not observed attacks indicating collaboration between the three groups, nor has a new leak site been established. The coalition states that it is open to working with other partner programs (i.e., ransomware providers) and will release more information shortly,” a ReliaQuest spokesperson told The Register.

    ReliaQuest’s threat hunters also reported that in LockBit’s 5.0 announcement, the group revealed that critical infrastructure was no longer off limits to its affiliates:

    “It is permissible to attack critical infrastructure such as nuclear power plants, thermal power plants, hydroelectric power plants, and other similar organizations.

    “These authorizations remain in effect until an agreement is reached between the FBI and LockBit not to attack certain categories of targets. If you are reading this and these rules have not changed, then the FBI has not yet approached us for this agreement and they are quite comfortable with the authorizations to attack the above categories of organizations.”

    All of this comes after three other primarily English-speaking cybercrime collectives – Scattered Spider, ShinyHunters, and Lapsus$ – began working together under the new name of Scattered Lapsus$ Hunters, despite announcing retirement last month.

    Last Friday, that combo-crew launched its new data-leak site, listed 39 companies’ Salesforce environments, and demanded a ransom payment to prevent what it claims is nearly 1 billion stolen records from being published online. For the record: The CRM giant told The Register, “Salesforce will not engage, negotiate with, or pay any extortion demand.”

    But in addition to the new data-leak site, ReliaQuest warns that the collective may be developing its own ransomware-as-a-service biz combining “its notorious social engineering expertise with disruptive encryption.”

    In late August, the criminals claimed via Telegram that ShinySp1d3r RaaS would be “the best RaaS to ever live.”

    “Although several members of the group have been arrested, Scattered Spider will continue to operate and develop this service,” ReliaQuest wrote. ®

     
