Three prominent ransomware groups, DragonForce, LockBit and Qilin, have announced a new strategic ransomware partnership that highlights ongoing changes in the cyberthreat landscape.
In a report shared with The Hacker News, ReliaQuest said the coalition is seen as an attempt by the part of a financial attacker to carry out a more effective ransomware attack.
In its third quarter 2025 ransomware report, the company said, “As announced shortly after LockBit’s return, this partnership is expected to promote technology, resources and infrastructure sharing, and strengthen the operational capabilities of each group.”
“The partnership could help restore Rockbit’s reputation among affiliates following the closure last year, causing a surge in attacks on critical infrastructure and could extend the threat to areas that were previously considered low risk.”
Given that Qilin has become the most active ransomware group in recent months, bringing just over 200 victims in the third quarter of 2025 alone, the partnership with Qilin is no surprise.
“In the third quarter of 2025, Qilin unfairly targeted North American-based organizations,” ZeroFox said in its Q3 2025 ransomware summary report. “The Giraffe’s operational tempo began to rise significantly in the fourth quarter of 2024, when the group had at least 46 attacks.”
This development coincided with the arrival of LockBit 5.0, which has the capabilities to target Windows, Linux, and ESXi systems. The latest iteration was first promoted on the RAMP Darknet Forum on September 3, 2025, to celebrate the sixth anniversary of the affiliate program.
Rockbit was hit hard in early 2024 after a law enforcement operation called Chronos, in which some members were arrested by occupying infrastructure. At its peak, the group has targeted more than 2,500 victims worldwide and is estimated to have received more than $500 million in ransom.
“If this group can rebuild trust between affiliates, it could resurface as a dominant ransomware threat due to financial motivations and desire for revenge for law enforcement crackdowns,” LiliaQuest said.
Weekly R&DE incidents for the third quarter of 2025
The return of LockBit and its partnership appears that a threat actor known as Scattered Spider is preparing to launch a unique ransomware as a service (RaaS) program called ShinySp1d3r, the first such service by an English-speaking blackmailing team.
ReliaQuest announced it is tracking a total of 81 data breach sites. This is a significant increase from the 51 sites reported in early 2024. Companies in the professional, scientific and technical services sectors accounted for the largest number of victims during this period, exceeding 375.
Manufacturing, construction, healthcare, finance and insurance, retail, accommodation and food services, education, arts and entertainment, information and real estate are also commonly affected sectors.
Another notable trend is the surge in ransomware attacks targeting countries such as Egypt, Thailand and Colombia. This shows that threat actors are expanding beyond “traditional hotspots” such as Europe and the United States to avoid law enforcement surveillance. The majority of victims listed on data breach sites are based in the US, Germany, the UK, Canada and Italy.
ZeroFox data shows that in the third quarter of 2025 there were a total of at least 1,429 ransomware and digital blackmail (R&DE) incidents, down from 1,961 observed in the first quarter of 2025. Qilin, Akira, INC Ransom, Play and SafePay have been found to be responsible for around 47% of global R&DE attacks in the second and third quarters of 2025.
“The disproportionate targets of North American-based organizations may be partly attributable to geopolitical motivations and ideological beliefs of financially-targeted threat groups, fueled by opposition to ‘West’ political and social discourse,” the company said.
“North America has a wide range of solid industries that make up the rapidly growing digital attack surface. The broad integration of technologies, such as cloud networking services and Internet of Things devices, contributes to the ease of access to North American assets.”
Source link
