DragonForce, LockBit, and Qilin form a new ransomware alliance
Threat Actor Meta
Summary
Hide ▲
Show ▼
LockBit has effectively returned after Operation Cronos disrupted the group in early 2024, with at least a dozen organizations hit by LockBit-branded ransomware in September 2025 across Western Europe, the Americas and Asia. The observed activity split between LockBit 5.0 and LockBit 3.0/LockBit Black, and the attacks affected Windows and Linux systems. LockBit 5.0 adds ESXi support, anti-analysis features, and randomized file extensions, reinforcing the group's renewed ransomware capability. The activity aligns with the broader DragonForce, LockBit, and Qilin ransomware alliance, which is meant to share techniques, resources, and infrastructure and help LockBit rebuild affiliate trust.
Related Happenings
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor MetaAbout this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor MetaAbout this happening: **hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target Trend
First: 17.03.2026 23:41
Last: 17.03.2026 23:41
Sources 1
About this happening:
**Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target TrendAbout this happening: **Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor Meta
First: 05.02.2026 00:14
Last: 05.02.2026 00:14
Sources 1
About this happening:
**DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor MetaAbout this happening: **DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
Timeline
-
24.10.2025 18:15 1 articles · 7mo ago
Check Point identifies at least a dozen organizations hit by LockBit ransomware in September 2025
Victim Impact UpdateCheck Point identified at least a dozen organizations hit by LockBit-branded ransomware attacks in September 2025, with about half of the observed victims infected by LockBit 5.0 and the rest targeted with LockBit 3.0, also known as LockBit Black. The attacks spanned Western Europe, the Americas, and Asia, and affected both Windows and Linux systems.
Show sources
- New LockBit Ransomware Victims Identified by Security Researchers — www.infosecurity-magazine.com — 24.10.2025 18:15
-
08.10.2025 15:04 1 articles · 7mo ago
LockBit 5.0 advertised for Windows, Linux, and ESXi
Technical Analysis UpdateLockBit 5.0 is first advertised on the RAMP darknet forum on September 3, 2025, with tooling aimed at Windows, Linux, and ESXi systems, marking a renewed LockBit capability push ahead of the later alliance disclosure.
Show sources
- LockBit, Qilin, and DragonForce Join Forces to Dominate the Ransomware Ecosystem — thehackernews.com — 08.10.2025 15:04
-
08.10.2025 15:04 2 articles · 7mo ago
DragonForce, LockBit, and Qilin announce ransomware alliance
Initial DisclosureDragonForce, LockBit, and Qilin announce a strategic ransomware alliance to share techniques, resources, and infrastructure, a move intended to strengthen each group's operational capability and help LockBit rebuild affiliate trust after its 2024 takedown.
Show sources
- LockBit, Qilin, and DragonForce Join Forces to Dominate the Ransomware Ecosystem — thehackernews.com — 08.10.2025 15:04
- LockBit, Qilin, and DragonForce Join Forces to Dominate the Ransomware Ecosystem — thehackernews.com — 08.10.2025 15:04