Three of the most sophisticated ransomware operators, LockBit, Qilin (also known as BianLian), and DragonForce, have formed a strategic alliance. This coalition represents more than just a collaboration between criminal entities—it signals a fundamental shift in how ransomware threats are organized, executed, and sustained against global enterprises.
By combining LockBit's speed, Qilin's multi-layered extortion tactics, and DragonForce's ideological motivation, this alliance has created a threat ecosystem that's more resilient and dangerous than any single group operating alone.
For business leaders and security teams, understanding this alliance isn't just about knowing your adversary. It's about recognizing that ransomware and data extortion have evolved into a strategic business risk that demands immediate attention and proactive defense.
LockBit
Active Since: 2019
Specialty: LockBit has built its reputation on lightning-fast encryption capabilities, double extortion tactics, and cross-platform compatibility that targets Windows, Linux, and ESXi environments. Their ransomware-as-a-service (RaaS) model has attracted numerous affiliates, making them one of the most prolific ransomware operations in recent years.
Notable Comeback: Despite Operation Cronos—a coordinated law enforcement takedown in early 2024—LockBit demonstrated remarkable resilience by launching LockBit 5.0. This comeback underscores the difficulty of permanently disrupting well-established ransomware operations and highlights the group's determination to maintain their criminal enterprise.
Industries Targeted: Healthcare institutions, manufacturing facilities, financial services, educational organizations, government agencies, and transportation infrastructure have all fallen victim to LockBit's operations. Their indiscriminate targeting strategy means virtually no sector is safe from their attacks.
Qilin
Active Since: 2022
Specialty: Qilin distinguishes itself through technical innovation and psychological warfare. Their ransomware, developed in Rust and Golang, combines technical sophistication with what they call "quadruple extortion"—a devastating approach that includes traditional encryption, data theft, legal threats against victim organizations, and calculated reputational damage through strategic data leaks.
Victim Count: With over 437 confirmed victims in 2025 alone, Qilin has established itself as one of the most active ransomware operators today.
Industries Targeted: Healthcare organizations face particular risk from Qilin, along with legal firms, educational institutions, cloud service providers, and manufacturing companies. Their targeting of sensitive sectors amplifies the pressure on victims to pay ransoms quickly.
DragonForce
Origin: DragonForce represents a unique evolution in the ransomware ecosystem—a group that began as hacktivists before pivoting to a full-fledged Ransomware-as-a-Service (RaaS) operation.
Specialty: While DragonForce may maintain an ideological dimension to their targeting, this hasn't prevented them from embracing the financial incentives of ransomware by shifting towards an affiliate-based Ransomware-as-a-Service model. They leverage code and tactics derived from LockBit and Conti operations, demonstrating how knowledge and tools proliferate within the cybercrime ecosystem and how groups evolve and adapt as other cybercrime toolsets come and go. The group employs double extortion tactics, stealing data and then encrypting systems to pressure victims to pay.
Industries Targeted: Retail organizations, manufacturing, real estate, government entities, legal services, and healthcare verticals have all experienced DragonForce attacks. Their hybrid motivation—combining ideology with profit through partnership—makes their targeting patterns less predictable than purely financial operators.
The collective targeting scope of this alliance creates a threat landscape in which virtually every major economic sector, and organizations of every size (SMB to enterprise), face elevated risk.
Organizations in heavily regulated industries, and those with a propensity to pay to recover data, face compounded risk. These sectors must prepare for attacks that could come from any member of the alliance, each bringing different tactics and extortion methodologies.
Understanding how these groups operate is essential for building effective defenses. While each group has unique characteristics, they share common tactics, techniques, and procedures (TTPs) that security teams can detect and defend against:
Common Tactics Across All Groups:
Initial Access: These groups gain entry through multiple vectors including phishing campaigns (T1566), exploitation of public-facing applications (T1190), and compromise of valid user accounts (T1078). The diversity of initial access methods means organizations must defend multiple entry points simultaneously.
Execution: Once inside a network, attackers leverage PowerShell scripts (T1059.001), batch files, and remote monitoring tools to execute their payloads and move laterally. These legitimate administrative tools become weapons in the hands of skilled operators.
Persistence: To maintain long-term access, groups establish scheduled tasks (T1053) and modify registry run keys (T1547), ensuring their presence survives system reboots and basic remediation attempts.
Defense Evasion: Sophisticated obfuscation techniques (T1027) and active disabling of security tools (T1562) allow these groups to operate undetected for extended periods, maximizing their opportunity to identify valuable data and prepare for encryption.
Impact: The ultimate objectives are exfiltration of sensitive information (T1041) followed by data encryption (T1486), both used as leverage for extortion. The combination of these impact techniques creates the double and quadruple extortion scenarios that make modern ransomware and data theft extortion attacks so effective.
The formation of this cybercrime coalition represents more than just cooperation—it's a force multiplier that amplifies the capabilities and reach of each participant.
Operational Synergy: By sharing infrastructure, tools, and intelligence, the alliance can launch attacks faster and at greater scale than individual groups operating independently. This shared ecosystem reduces costs and operational friction for affiliates, making ransomware operations more efficient and profitable.
Affiliate Magnet: The alliance creates a more attractive platform for criminal affiliates. With broader targeting options, proven tools from multiple groups, and potentially higher payouts from successful operations, the coalition can recruit and retain top-tier cybercriminal talent more effectively than standalone operations.
Expanded Threat Surface: The combined expertise of these groups means that previously safe or low-priority targets now face elevated risk. Hybrid cloud environments, ESXi virtualization platforms, and sectors that might have been avoided by individual groups are now viable targets for the alliance's diversified capabilities.
Resilience Against Law Enforcement: LockBit's rapid recovery following Operation Cronos demonstrates a concerning reality: modern ransomware ecosystems have evolved mechanisms for survival that make permanent disruption extremely difficult. The alliance structure provides additional redundancy—if one member faces law enforcement action, the others can continue operations, potentially absorbing affected affiliates and maintaining operational continuity.
Defending against this alliance requires a layered security approach that addresses prevention, detection, and response capabilities:
The most effective defense against ransomware remains preventing initial compromise. Organizations should prioritize the following:
Zero Trust Network Access: Limit the effectiveness of stolen credentials, tokens, and similar secrets by leveraging SASE and Zero Trust Network Access capabilities that restrict environment and remote access to known devices, users, locations, and networks. These access paths should also be monitored continuously, 24x7x365.
Patch Management: Critical vulnerabilities in widely-deployed systems like Citrix, Veeam backup solutions, and ESXi virtualization platforms represent prime targets for these groups. Establish aggressive patch management timelines—delays measured in days rather than weeks can mean the difference between safety and compromise.
Multi-Factor Authentication: Enforce MFA across all remote access points without exception. Single-factor authentication, regardless of password complexity, isn't sufficient against credential theft and brute force attacks that these groups routinely employ.
Attack Surface Reduction: Disable unused Remote Desktop Protocol (RDP) and VPN services. Every unnecessary service represents a potential entry point. Conduct regular audits of exposed services and eliminate those that aren't essential for business operations.
Email Security: Harden email gateways with advanced threat protection and conduct regular phishing awareness training for all employees. Human vulnerability remains one of the most exploited attack vectors, and ongoing education is essential for maintaining organizational resilience.
Even with strong prevention controls, organizations must assume compromise is possible and maintain robust detection capabilities:
Behavioral Analytics: Deploy Endpoint Detection and Response (EDR) solutions with behavioral analytics capabilities. Monitor specifically for the MITRE ATT&CK techniques associated with these groups, including suspicious account usage (T1078), exploitation attempts (T1190), and encryption activity (T1486).
Tool Monitoring: Establish alerts for suspicious PowerShell execution, PsExec usage, and Rclone activity. While these are legitimate administrative tools, their use in unexpected contexts or by unexpected accounts can indicate compromise.
Anomaly Detection: Implement User and Entity Behavior Analytics (UEBA) to identify deviations from normal patterns. Unusual data access, off-hours activity, and atypical administrative actions can provide early warning of ransomware preparation activities before encryption begins. Todyl's Anomaly Framework directly supports environment, device, and user activity fingerprinting to rapidly identify deviations from those baselines.
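As an added illustration (not Todyl's or any vendor's code), the following Python triage function applies the tool-monitoring and anomaly ideas above to constructed process-creation events: it flags hidden or encoded PowerShell invocations, PsExec launched by accounts outside an assumed approved-admin list, and any Rclone execution, and tags hits that fall outside assumed business hours. Account names, hostnames, paths and the business-hours window are all invented for the example.

```python
import re
from datetime import datetime

# Constructed sample process-creation events (not real telemetry). Fields mirror a
# normalised Windows 4688 / Sysmon process-creation record; accounts and paths are invented.
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T09:15:00", "user": "CORP\\it-admin",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},        # routine admin script
    {"ts": "2025-03-10T23:41:07", "user": "CORP\\jsmith",
     "cmdline": "powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVI="},   # base64 is a placeholder
    {"ts": "2025-03-11T02:03:55", "user": "CORP\\jsmith",
     "cmdline": r"psexec.exe \\FILESRV01 -s cmd.exe /c whoami"},
    {"ts": "2025-03-11T02:20:12", "user": "CORP\\svc-backup",
     "cmdline": r"rclone.exe copy D:\Finance remote:share --transfers 32"},
]

# Assumed allow-list of accounts expected to run PsExec; adapt to your environment.
APPROVED_ADMINS = {"CORP\\it-admin"}

# Switches commonly seen with hidden or encoded PowerShell use (T1059.001).
PS_SUSPICIOUS = re.compile(
    r"-(enc|encodedcommand|nop|noprofile)\b|-w(indowstyle)?\s+hidden|\biex\b|downloadstring", re.I)


def classify(event, approved_admins=APPROVED_ADMINS, business_hours=(7, 19)):
    """Return the list of reasons an event is suspicious; an empty list means no alert."""
    cmd = event["cmdline"].lower()
    exe = cmd.split()[0].rsplit("\\", 1)[-1]          # bare image name, path stripped
    reasons = []
    if exe in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(cmd):
        reasons.append("T1059.001: hidden/encoded PowerShell invocation")
    if exe.startswith("psexec") and event["user"] not in approved_admins:
        reasons.append("PsExec run by non-approved account (possible lateral movement)")
    if exe == "rclone.exe":
        reasons.append("T1041: rclone execution (exfiltration tooling)")
    if reasons:                                       # enrich real hits with timing context
        ts = datetime.fromisoformat(event["ts"])
        if ts.weekday() >= 5 or not (business_hours[0] <= ts.hour < business_hours[1]):
            reasons.append("off-hours activity")
    return reasons


def triage(events, **kwargs):
    """Run classify() over a batch and return only the events that produced reasons."""
    hits = []
    for ev in events:
        reasons = classify(ev, **kwargs)
        if reasons:
            hits.append({"ts": ev["ts"], "user": ev["user"], "reasons": reasons})
    return hits
```

Running `triage(SAMPLE_EVENTS)` returns three hits (the encoded PowerShell, the PsExec launch, and the Rclone copy), each tagged as off-hours; the routine admin script produces no alert.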
When prevention and detection fail, rapid and effective response capabilities become the final line of defense:
Incident Response Planning: Develop and regularly test ransomware-specific incident response playbooks. These should include decision trees for ransom payment considerations, communication protocols for stakeholders and regulators, and technical procedures for isolation and recovery.
Backup Strategy: Maintain offline, immutable backups that ransomware operators cannot encrypt or delete. Test restoration procedures regularly to ensure backups are viable when needed. Organizations with reliable backups significantly reduce the pressure to pay ransoms.
Network Architecture: Implement network segmentation that limits lateral movement and enforce least privilege access principles throughout the environment. These architectural controls slow attacker progression and contain damage when breaches occur.
The alliance between LockBit, Qilin, and DragonForce marks a significant turning point in the ransomware ecosystem. This is no longer a landscape of isolated criminal groups—it's an increasingly organized, resilient, and sophisticated threat that requires organizations to fundamentally rethink their approach to cybersecurity.
Ransomware must be treated as a strategic business risk, not merely a technical problem to be solved by the IT department. Board-level awareness, cross-functional preparation, and investment in both technology and people are essential components of organizational resilience in this new era.
The groups forming this alliance have demonstrated remarkable persistence, technical capability, and adaptability. They have survived law enforcement actions, evolved their tactics in response to defensive measures, and built sustainable criminal enterprises that show no signs of disappearing. Organizations that fail to take this threat seriously—that rely on outdated defenses, postpone critical patches, or neglect employee training—do so at their own peril.
Proactive defense, layered security controls, and rapid response capabilities aren't optional. They're essential for survival in a landscape where sophisticated, well-resourced adversaries are actively targeting organizations across every sector of the economy. The question is no longer whether your organization might face a ransomware attack, but whether you'll be prepared when it happens.