The Rise of a Cybercrime Alliance: What LockBit, Qilin, and DragonForce Mean for Business Risk Andrew Scott October 9, 2025 Three of the most sophisticated ransomware operators, LockBit, Qilin (also known as BianLian), and DragonForce, have formed a strategic alliance . This coalition represents more than just a collaboration between criminal entities—it signals a fundamental shift in how ransomware threats are organized, executed, and sustained against global enterprises. By combining LockBit's speed, Qilin's multi-layered extortion tactics, and DragonForce's ideological motivation, this alliance has created a threat ecosystem that's more resilient and dangerous than any single group operating alone. For business leaders and security teams, understanding this alliance isn't just about knowing your adversary. It's about recognizing that ransomware and data extortion has evolved into a strategic business risk that demands immediate attention and proactive defense. Who Are These Groups? LockBit: Built for Speed Active Since : 2019 Specialty : LockBit has built its reputation on lightning-fast encryption capabilities, double extortion tactics, and cross-platform compatibility that targets Windows, Linux, and ESXi environments. Their ransomware-as-a-service (RaaS) model has attracted numerous affiliates, making them one of the most prolific ransomware operations in recent years. Notable Comeback : Despite Operation Cronos—a coordinated law enforcement takedown in early 2024—LockBit demonstrated remarkable resilience by launching LockBit 5.0. This comeback underscores the difficulty of permanently disrupting well-established ransomware operations and highlights the group's determination to maintain their criminal enterprise. Industries Targeted : Healthcare institutions, manufacturing facilities, financial services, educational organizations, government agencies, and transportation infrastructure have all fallen victim to LockBit's operations. Their indiscriminate targeting strategy means virtually no sector is safe from their attacks. Qilin (BianLian/Agenda): The Multi-Layered Extortionist Active Since : 2022 Specialty : Qilin distinguishes itself through technical innovation and psychological warfare. Their ransomware, developed in Rust and Golang, combines technical sophistication with what they call "quadruple extortion"—a devastating approach that includes traditional encryption, data theft, legal threats against victim organizations, and calculated reputational damage through strategic data leaks. Victim Count : With over 437 confirmed victims in 2025 alone, Qilin has established itself as one of the most active ransomware operators today. Industries Targeted : Healthcare organizations face particular risk from Qilin, along with legal firms, educational institutions, cloud service providers, and manufacturing companies. Their targeting of sensitive sectors amplifies the pressure on victims to pay ransoms quickly. DragonForce: The Ideological Operator Turned RaaS Provider Origin : DragonForce represents a unique evolution in the ransomware ecosystem—a group that began as hacktivists before pivoting to a full-fledged Ransomware-as-a-Service (RaaS) operation. Specialty : While DragonForcemay maintain an ideological dimension to their targeting, this hasn't prevented them from embracing the financial incentives of ransomware by shifting towards an affiliate based Ransomware as a Service model. They leverage code and tactics derived from LockBit and Conti operations, demonstrating how knowledge and tools proliferate within the cybercrime ecosystem and to evolve with and adapt as other cyber crime toolsets come and go. The group employees double extortion tactics, stealing data and then encrypting systems to pressure victims to pay. Industries Targeted : Retail organizations, manufacturing, real estate, government entities, legal services, and healthcare verticals have all experienced DragonForce attacks. Their hybrid motivation—combining ideology with profit through partnership—makes their targeting patterns less predictable than purely financial operators. Industries at Risk The collective targeting scope of this alliance creates a threat landscape where virtually every major economic sector and size organization (SMB to Enterprise) faces elevated risk: Professional Services Manufacturing Construction/Architecture/Engineering Healthcare Financial Services Retail/Hospitality SLED Technology Health sciences/biopharma Entertainment Organizations in heavily regulated industries and those with a propensity to pay to recover data face compounded. These sectors must prepare for attacks that could come from any member of the alliance, each bringing different tactics and extortion methodologies. Attack Techniques (MITRE ATT&CK Mappings) Understanding how these groups operate is essential for building effective defenses. While each group has unique characteristics, they share common tactics, techniques, and procedures (