Three major ransomware groups have joined forces to create what cybersecurity experts are calling one of the most concerning developments in the criminal underground.
On September 15, 2025, the ransomware group DragonForce announced the formation of an alliance between DragonForce, Qilin, and LockBit through a post on a Russian underground forum.
This coalition represents a strategic response to the increasing pressure from international law enforcement operations that have successfully disrupted several primary ransomware operations in recent years.
The alliance announcement comes at a time when the ransomware landscape has become increasingly dangerous for criminal operators.
Law enforcement operations have not only dismantled group infrastructures but also identified collective administrators and issued international arrest warrants.
This has created a more fragmented and less cohesive ransomware ecosystem, making it harder for groups to recruit both new and experienced operators.
The post specifically stated that the coalition was formed to address the challenges posed by the ransomware criminal ecosystem.
Recent data indicate that ransomware claims increased by 61% year over year, from January to November 2025, compared with the same period in 2024.
However, this growth masks a more profound crisis within the ransomware world. The top ransomware groups now account for a smaller share of total attacks, declining from 54.8% in 2024 to 53.1% in 2025.
This shift indicates that criminal operations are spreading across more groups rather than consolidating under dominant players.
Yarix analysts identified this trend while monitoring ransomware claims throughout 2025 to assess the potential risk and credibility of the alliance announcement.
The research also revealed that victim organizations are increasingly refusing to pay ransoms.
The median ransom payment dropped by 65% in Q3 2025 compared to the previous quarter, falling to approximately USD 140,000.
Only 23% of victims chose to pay ransoms during this period, a significant decline that reflects improved organizational preparedness and backup strategies.
This dramatic reduction in payments has forced ransomware groups to reconsider their operational models and seek new approaches to maintain profitability.
Changes in Attack Operations and Group Activity
Analysis of Data Leak Site activity shows distinct patterns among the three allied groups.
Qilin emerged as the most active ransomware group in 2025, accounting for 13.07% of all claims between January and November.
The group showed consistent growth throughout the year, with activity peaking in October 2025 at 3.25% of monthly claims.
This surge came just weeks after the alliance announcement, suggesting that the coalition may have helped attract new operators or created a marketing effect that boosted recruitment.
.webp "New Research Uncovers the Alliance Between Qilin, DragonForce and LockBit 3")
DragonForce demonstrated steady but gradual growth, climbing from ninth place in August to eighth place by October 2025.
The group maintained operational continuity throughout the year with claims ranging from 0.08% to 0.45% monthly. Meanwhile, LockBit showed a completely different trajectory.
Despite being historically one of the most prolific ransomware collectives, LockBit published no claims from June through November 2025.
This prolonged inactivity suggests that the group has not recovered from Operation Cronos, the major law enforcement operation that disrupted its infrastructure in February 2024.
%20(Source%20-%20Yarix).webp "New Research Uncovers the Alliance Between Qilin, DragonForce and LockBit 4")
The timing of these trends raises questions about whether the alliance represents genuine operational integration or simply a branding strategy.
Yarix researchers noted that LockBit’s inclusion may primarily serve to preserve its reputation rather than contribute active capabilities.
The lack of concrete operational signals from LockBit, combined with the autonomous growth of Qilin and DragonForce, indicates that the coalition might be more symbolic than functional.
However, the spike in Qilin’s activity following the announcement demonstrates that even symbolic alliances can have real effects by attracting criminal operators seeking active and visible groups to join.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
