
LockBit, Qilin, and DragonForce Form Ransomware Alliance

2 unique sources, 2 articles

Summary


LockBit, Qilin, and DragonForce have formed a strategic alliance to enhance their ransomware operations. The collaboration aims to share techniques, resources, and infrastructure, which could increase the threat to critical infrastructure and extend attacks into sectors previously considered low-risk. LockBit has returned to active operations, with new victims identified in September 2025, more than a year after Operation Cronos, the law enforcement operation in early 2024 that disrupted its infrastructure and led to the arrest of some of its members. Qilin has been the most active ransomware group in recent months, disproportionately targeting organizations based in North America. The partnership is expected to bolster LockBit's reputation among affiliates and facilitate a surge in attacks.

Timeline

  1. 24.10.2025 18:15 1 article · 23h ago

    LockBit 5.0 released with enhanced capabilities

    LockBit 5.0, the latest variant, includes enhanced features such as multi-platform support for Windows, Linux, and ESXi systems, improved anti-analysis mechanisms, and optimized routines to evade detection. The threat group has revamped its affiliate panel, providing improved management interfaces with individualized credentials. Affiliates must deposit roughly $500 in Bitcoin for access to the control panel and encryptors. Updated ransom notes identify themselves as LockBit 5.0 and include personalized negotiation links with a 30-day deadline.

  2. 08.10.2025 15:04 2 articles · 17d ago

    LockBit, Qilin, and DragonForce Form Ransomware Alliance

    LockBit has returned to active operations with new victims identified in September 2025. The attacks span Western Europe, the Americas, and Asia, targeting both Windows and Linux systems. LockBit 5.0, the latest variant, includes enhanced features such as multi-platform support, improved anti-analysis mechanisms, and optimized routines to evade detection. The article also details the revamped affiliate panel and the requirements for new affiliates to join.


Similar Happenings

Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns

Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems.

Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection.

Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.

PipeMagic Backdoor Used in Play Ransomware Attacks Exploiting Windows CLFS Vulnerability

The Play ransomware group, tracked as Storm-2460, is using the PipeMagic backdoor to exploit CVE-2025-29824, a critical Windows Common Log File System (CLFS) elevation-of-privilege vulnerability. This flaw allows attackers to gain system-level privileges on compromised systems. The campaign targets various sectors across multiple geographies, including IT, financial, and real estate in the US, Europe, South America, and the Middle East. The backdoor mimics ChatGPT Desktop to evade detection and maintain persistence within infected systems. The vulnerability was patched in April, but unpatched systems remain at risk. Microsoft and Kaspersky have observed ongoing activity, with PipeMagic showing sustained interest in Saudi Arabian and Brazilian manufacturing sectors. The backdoor's modular design allows for updates and lateral movement within targeted networks.

Qilin ransomware group targets multiple organizations

The Qilin ransomware group has been active, targeting multiple organizations, including Inotiv, a U.S.-based pharmaceutical company, Creative Box Inc. (CBI), a subsidiary of Nissan, and Mecklenburg County Public Schools (MCPS). The latest attack was on Asahi Group, where Qilin claims to have stolen 27 GB of sensitive data, including 9,000 files containing contracts, employee information, financial documents, forecasts, and other business data. The attack caused significant operational disruption, including a beer shortage in Japan. The group has also targeted other Japanese companies, including Shinko Plastics and Osaki Medical. The Qilin ransomware group operates as a ransomware-as-a-service (RaaS) network, providing tools and infrastructure to affiliates and taking a 15–20% share of ransom payments. The group's malware is custom-built in Rust and C for cross-platform attacks, including Windows, Linux, and ESXi systems.

The attack on Inotiv, which occurred on August 8, 2025, encrypted certain systems and data, disrupting business operations. The Qilin ransomware group claimed to have stolen approximately 162,000 files totaling 176 GB. The company has engaged external security experts and notified law enforcement. The disruption affects databases and internal applications used in business processes, with no estimated timeline for full recovery.

On August 16, 2025, the Qilin ransomware group targeted Creative Box Inc. (CBI), stealing four terabytes of data, including 3D vehicle design models and internal reports. CBI implemented emergency measures and reported the incident to the police. The Qilin ransomware group added CBI to its extortion portal on August 20, 2025, threatening to make the stolen data public. Nissan confirmed the data breach and is conducting an investigation. The leaked data only impacts Nissan, as it is the sole customer of CBI.

In early September 2025, the Qilin ransomware group also claimed responsibility for an attack on Mecklenburg County Public Schools (MCPS), stealing 305 GB of sensitive data, including financial records, grant documents, budgets, and children’s medical files. The attack disrupted operations, forcing teachers to rely on pen, paper, and whiteboards for instruction. Internet systems were restored about a week later. MCPS Superintendent Scott Worner confirmed the attack and stated that the district is assessing the extent of the breach.

The Qilin ransomware group has claimed to have exfiltrated more than 9,300 files in 27 GB of data from Asahi Group. Asahi Group is Japan’s largest brewing company, with 30,000 employees, an annual production of 100 million hectoliters, and a yearly revenue of $20 billion. The group published 29 images showing internal financial documents, employee IDs, confidential contracts, and internal reports as proof of the theft. Asahi Group suspended operations at six Japan-based facilities due to a cyberattack on September 29, 2025. The Qilin ransomware group added Asahi to its data leak site, likely after failing to negotiate a ransom with the company. The group is infamous for exploiting critical flaws in edge network devices, deploying credential theft tools, and continually advancing its encryptor. Qilin claims that the attack will cause Asahi to lose up to $335 million due to production disruptions at six breweries impacting thirty labels. Asahi Group resumed production of its flagship beer, 'Super Dry,' thanks to a temporary manual ordering system. Shipping for more labels is expected to resume from October 15, 2025, although factories are not yet fully operational.