- What: Ransomware groups LockBit, Qilin, and DragonForce have formed a public coalition to share techniques and infrastructure.
- Impact: Blue teams face a more resilient threat with faster cross-pollination of TTPs, coordinated victim selection, and broader targeting.

The LockBit, Qilin, and DragonForce cartels have done what ransomware crews almost never do in public: they’ve formed a declared coalition. Announced alongside LockBit’s comeback, the trio is positioning itself as a cartel that shares techniques, infrastructure, and affiliates to raise attack volume and success rates, even inviting other crews to join the fold.

For blue teams, that turns three separate problems into a three-headed hydra: faster cross-pollination of TTPs, coordinated victim selection, and more resilient operations when one crew is disrupted. Expect higher operational tempo and broader targeting, including critical infrastructure, as these actors standardize playbooks across crews and exploit the same initial access avenues (phishing, stolen creds, edge exploits) with greater efficiency.

Treat this less like “a gang” and more like a ransomware super-operator: update threat models, assume affiliate overlap during investigations, and harden remote access and segmentation accordingly. In short, the business model has scaled up; your defenses and incident playbooks need to scale with it.

Why Public Sector Leaders Should Care

Because this isn’t just three brands teaming up; it’s a business model upgrade that directly threatens government operations. The alliance is designed to share techniques, infrastructure, and affiliates, which raises the tempo and success rate of attacks. Multiple outlets report the coalition was announced right as LockBit relaunched, with explicit intent to coordinate and scale; that coordination is expected to increase pressure on critical services and sectors previously considered lower risk.

Two shifts make this especially urgent for public sector leaders. First, LockBit has now declared critical infrastructure “fair game,” listing power plants among permissible targets until (in their words) the FBI negotiates carve-outs—an escalation that breaks with past underworld “norms.” Second, LockBit 5.0 is cross-platform (Windows, Linux, ESXi), meaning virtualized government environments and shared services can be hit end-to-end in a single campaign, complicating recovery for statewide platforms and regional consortiums alike.

Practically, expect: (1) more intrusions via simple logins using stolen credentials to RDP/VPN, then rapid lateral movement; (2) faster playbook reuse across crews, shrinking defenders’ reaction windows; and (3) broader sectoral spillover, from professional services and education into health systems, utilities, and municipal IT, driven by affiliate overlap and shared tooling. For public agencies that run critical services on shared/virtual infrastructure, the risk profile just changed from “one gang at a time” to a coordinated hydra. Update threat models and IR plans accordingly.

Industry Verticals Affected

Short version: the alliance widens, not narrows, the blast radius. Expect spillover from the usual “pays-fast” victims into government services and critical infrastructure as affiliates share access, tooling, and playbooks.

- State, local, and regional government: Government targets are already trending up in 2025; alliances that pool affiliates and initial access are likely to accelerate that curve. LockBit’s return plus cross-crew coordination increases the risk for municipal IT, courts, 911, and shared state platforms.
- Critical infrastructure (energy, water, transportation): Reporting around the coalition explicitly flags potential CI targeting, and LockBit 5.0’s multi-OS reach (Windows, Linux, ESXi) makes it easier to impact virtualized OT/IT edges supporting utilities and transit.
- Healthcare and public health: Health-ISAC warns that LockBit 5.0 is in circulation; healthcare remains a high-pressure victim set because downtime is costly and sensitive.
- Education (K-12, higher ed): Schools and universities continue to see high breach rates, making them attractive to affiliates sharing phishing kits and access.
- Professional & technical services (including gov contractors/MSPs): Professional services have been a top victim class in 2025; shared affiliate networks mean the same access brokers can recycle footholds across clients and their public-sector engagements.
- Manufacturing and supply chain: Activity against manufacturers is elevated; Qilin and peers have repeatedly hit industrial and ESXi-heavy environments, which ripple into public-sector supply chains.
- Financial administration and revenue/treasury functions: Financial services stay high-value; municipalities handling tax and fee collections inherit similar risk profiles, especially where third-party portals or legacy VPNs persist.

Why this changes your risk: the LockBit–Qilin–DragonForce coalition is about scale and breadth. Many sources note the alli