Three well-known ransomware groups, DragonForce, LockBit, and Qilin, have recently formed a strategic alliance to enhance their ransomware operations, reflecting ongoing changes in the cybersecurity landscape.
This collaboration aims to improve the effectiveness of ransomware attacks by sharing techniques, resources, and infrastructure among the groups, according to a report by ReliaQuest shared with The Hacker News.
The alliance, announced shortly after LockBit’s resurgence, is expected to strengthen each group’s operational capabilities, potentially leading to a surge in attacks on critical infrastructure and expanding the threat to sectors previously considered low risk.
The partnership with Qilin, which has been particularly active in recent months, is a strategic move considering that the group targeted over 200 victims in Q3 2025, with a focus on North America-based organizations, according to ZeroFox.
LockBit’s latest version, LockBit 5.0, is capable of targeting Windows, Linux, and ESXi systems, making it a versatile threat in the cybersecurity landscape. The group advertised the new version on the RAMP darknet forum on September 3, 2025.
LockBit suffered a setback in early 2024 after a law enforcement operation, Cronos, dismantled its infrastructure and led to the arrest of several members. Despite this, the group is expected to regain its status as a significant ransomware threat, driven by financial motives and a desire for retaliation against law enforcement crackdowns.
 |
| R&DE incidents by week in Q3 2025 |
LockBit’s resurgence and alliance coincide with the emergence of a new ransomware-as-a-service program, ShinySp1d3r, by the threat actor Scattered Spider, marking the first such service by an English-speaking extortion crew.
There has been a significant increase in ransomware attacks, with 81 data leak sites tracked by ReliaQuest, affecting various sectors such as professional services, manufacturing, healthcare, finance, and more.
Notably, ransomware attacks are expanding to countries like Egypt, Thailand, and Colombia, indicating a shift away from traditional targets like Europe and the U.S. The majority of victims listed on data leak sites are from countries such as the U.S., Germany, the U.K., Canada, and Italy.
In Q3 2025, there were 1,429 ransomware and digital extortion incidents globally, with threat actors like Qilin, Akira, INC Ransom, Play, and SafePay responsible for a significant portion of these attacks.
The targeting of North America-based entities is driven by geopolitical motivations and opposition to Western political and social narratives, as these regions offer lucrative targets due to their robust industries and advanced technologies.
