A new threat intelligence report indicates that three ransomware-as-a-service (RaaS) groups — LockBit, Qilin, and DragonForce — have announced plans to form a cartel aimed at coordinating their attacks, sharing infrastructure and establishing unified rules for affiliates, according to cybersecurity firm ReliaQuest. The coalition is expected to increase the efficiency, frequency, and severity of ransomware campaigns while responding to growing law-enforcement pressure across the globe.
The cartel was proposed in early September 2025 via posts on dark-web forums. DragonForce initiated the proposal, inviting LockBit and Qilin to collaborate under terms that would reduce inter-group conflict, enforce consistent affiliate-profit structures, and permit expanded targeting, including of critical infrastructure. ReliaQuest’s Q3 2025 “Ransomware and Cyber Extortion” report outlines these developments and warns that this alliance could significantly shift ransomware operations.
“Create equal competition conditions, no conflicts and no public insults … This way we can all increase our income and dictate market conditions.” — message attributed to DragonForce during the cartel proposal (CSO Online)
Proposed Cartel Model Signals Shared Infrastructure and Stabilized Affiliate Relations
Under the proposed model, LockBit, Qilin, and DragonForce would share tools, leak sites, negotiation infrastructure, and affiliate resources, according to analysts. LockBit, rebounding under its LockBit 5.0 incarnation following law-enforcement disruptions in 2024, is seeking to rebuild trust among affiliates. Qilin has seen a surge in activity across industries, while DragonForce is positioning itself as a coordinator for the cartel concept. (ZeroFox)
Several potential changes are being observed or anticipated under cartel formation:
- Unified standards for affiliate splits and partner rewards, aiming to avoid disputes over profit margins.
- Explicit permission to attack critical infrastructure entities, which some ransomware groups had sometimes viewed as taboo or high-risk because they sought to avoid excessive scrutiny. According to ReliaQuest, LockBit affiliates have been told that critical infrastructure is now permissible. (CSO Online)
- Shared leak sites or synchronization of data-leak operations and ransom negotiations, possibly including sharing or pooling of victim data.
However, analysts note that the cartel is not yet verified as fully operational. Qilin and LockBit have not publicly confirmed the alliance beyond statements on the DragonForce forum, and no joint operations attributable to all three have been observed, though the move appears to be more than mere rhetoric. (ZeroFox)
Implications for Organizations as Cartel Increases Threat Volume and Scope
For companies and critical infrastructure operators, the new cartel model could mean more frequent, sophisticated and coordinated ransomware attacks. The shared use of leak sites and infrastructure could make double extortion, data breach threats, and public exposure more consistent and more damaging.
Industries likely to be at elevated risk include healthcare, government, manufacturing, finance, and critical utilities. These sectors have been targeted previously by each group and are often less resilient to disruption. Organizations in those sectors should review their ransomware response plans, backups, detection capabilities, and protections around remote access and privilege escalation.
According to ReliaQuest, one driver of this cartel formation is law enforcement pressure. After the takedown of LockBit’s infrastructure and leader operations in 2024, the group’s return under LockBit 5.0 appears to be accompanied by renewed strategic ambition. Forming alliances helps distribute risk and compensate for organizational disruptions.
Risk Mitigation Measures Recommended for Defending Against Cartel Activity
Cybersecurity experts recommend that organizations take immediate steps to reduce exposure in light of this emerging cartel. Suggested actions include enforcing phishing-resistant multifactor authentication, restricting or monitoring Remote Desktop Protocol (RDP) and VPN access from exposed or global IP ranges, and segmenting networks with strict controls between user or enterprise IT environments and operational infrastructure.
Regular backup practices, tested recovery plans, and protection of data-leak endpoints are also essential. Given that cartel members are likely to standardize double-extortion and data-draining tactics, organizations should assume that stolen data may be published and plan accordingly.
Organizations should also monitor dark-web forums for cartel announcements, leak-site postings, affiliate recruitment or communication changes, and shared infrastructure usage as potential indicators of emerging threat patterns. Threat intelligence sharing with CERTs and law enforcement is also stressed. (socradar.io)
Questions Remain: Cartel Stability, Evidence of Joint Operations and Operational Risks
While the cartel proposal is being taken seriously, uncertainty remains as to how stable or binding the alliance will prove. Ransomware groups are known for disputes, opportunism and rapid rebranding. Differences in leadership, language, territory, and profit expectations may limit cooperation. Analysts have noted that some cartel-style announcements in the ransomware space have preceded infighting or dissolution.
To date, no confirmed joint ransomware incident has been published in which LockBit, Qilin and DragonForce executed a fully combined attack operation. The leaking of alliance terms may be mostly aimed at recruiting affiliates rather than delivering on joint execution. Still, the announcement shifts the strategic landscape and is being treated as credible by many cybersecurity organizations.