A Desperate Cartel: Inside the Unlikely Alliance of Qilin, DragonForce, and a Fading LockBit

In a digital underworld increasingly fractured by law enforcement takedowns and eroding trust, three of the most notorious ransomware groups have allegedly joined forces. A new report by the Yarix Intelligence Team analyzes a September 2025 announcement declaring the formation of a “cartel” involving Qilin, DragonForce, and the once-dominant LockBit.

The alliance, unveiled in a post on a Russian underground forum by DragonForce, is pitched as a necessary evolution to survive in a “high-risk environment.” However, investigators suggest this union may be less about operational synergy and more about the survival of a dying brand.

The announcement comes at a time of unprecedented instability for cybercriminals. Following major operations like the disruption of HIVE, AlphV/BlackCat, and the relentless pursuit of LockBit’s leadership, the ransomware landscape has splintered.

According to the report, “Ransomware claim distribution observed after the alliance post indicates a continued fragmentation of the ransomware ecosystem, with activity spread across a growing number of groups rather than consolidation around a single dominant actor”.

The pressure is real. The dismantling of infrastructure and the “naming and shaming” of key operators have made the traditional Ransomware-as-a-Service (RaaS) model riskier than ever.

Perhaps the most telling finding in the analysis is the hollowness of LockBit’s role in this new triad. Once the titan of the industry, LockBit has been silent for months. Despite the fanfare of the alliance and the release of a “LockBit 5.0” variant, Yarix analysts note that the group “remains completely inactive since June”.

The report paints a grim picture of the group’s internal state, noting that seasoned operators “increasingly perceive LockBit as a ‘dead man walking’—a weakened organization trapped in the past and, above all, compromised by the impact of Operation Cronos”.

Analysts believe the alliance serves primarily as a “reputational survival strategy” for LockBit, an attempt to stay relevant while banned from major forums and bleeding talent.

While LockBit fades, its partners are surging. Qilin appears to be the primary beneficiary of the alliance’s publicity. Following the September 15 announcement, Qilin’s activity spiked, propelling it past competitors to become the most active group in October 2025.

“The increase in Qilin’s activity recorded in the weeks following the alliance announcement aligns temporally with increased underground visibility generated by the post”.

This suggests that while the “cartel” might not be technically integrated, the marketing buzz successfully attracted affiliates migrating from declining groups.

Beyond the drama of the alliance, the report highlights a broader tactical shift. With ransom payments dropping by an estimated 65% in Q3 2025 and fewer victims willing to pay, criminals are adapting.

The trend is moving away from complex encryption attacks toward simpler, quieter theft. “Sustained pressure on traditional Ransomware as a Service groups and declining ransom payments might favor data only extortion models as a lower risk and more resilient approach”.

Groups like Hunters International (rebranded as “World Leaks”) are already abandoning encryption entirely to focus on holding data hostage, a method that reduces operational risk while maintaining leverage.

Whether the Qilin-LockBit-DragonForce alliance is a true merger or a desperate PR stunt remains to be seen. However, it signals a clear turning point: the era of the single, untouchable ransomware giant is over, replaced by a chaotic scramble for survival in a shrinking market.

“The alliance… can be interpreted both as a signal of adaptation and rapid growth among certain criminal groups operating under intense pressure, and as an attempt by LockBit to regain relevance,” the report concludes.

Rate this post

Related Posts:

Found this helpful?

Leave a Reply Cancel reply