A new alliance formed between three prominent ransomware groups—Qilin, DragonForce, and LockBit—is marking a concerning development in the global cybercrime landscape. Announced on September 15, 2025, on a Russian underground forum, this coalition is seen as a strategic maneuver by these operators to counter increased pressure from international law enforcement efforts that have successfully disrupted numerous ransomware operations.
The formation of this alliance underscores the evolving tactics of cybercriminals operating in an environment where law enforcement agencies are increasingly dismantling their infrastructures and pursuing their administrators. This fragmentation within the ransomware ecosystem has made recruitment more challenging, prompting groups to seek new collaborations to maintain their operations and profitability. The announcement explicitly stated the coalition’s aim to address these mounting challenges and stabilize their precarious position within the criminal underground.
Ransomware Landscape Under Pressure
Recent data from Yarix analysts reveals a significant, albeit complex, shift in the ransomware landscape throughout 2025. Ransomware claims increased by 61% year-over-year from January to November 2025 compared to the same period in 2024. However, this overall growth masks a more profound impact on dominant players. The share of total attacks attributed to the top ransomware groups has slightly declined, from 54.8% in 2024 to 53.1% in 2025, suggesting a diffusion of criminal activity across a wider array of smaller and emerging groups.
This trend indicates a move away from highly consolidated operations towards a more dispersed, though still dangerous, criminal network. The financial incentives for ransomware gangs are also diminishing. Yarix research highlights a substantial decrease in ransom payments, with the median payment dropping by 65% in Q3 2025 compared to the previous quarter, reaching approximately USD 140,000. Furthermore, only 23% of victims opted to pay ransoms during this period, reflecting improved cybersecurity defenses and backup strategies among organizations.
Changes in Attack Operations and Group Activity
Analysis of Data Leak Site activity among the allied groups paints a varied picture of their operational status. Qilin emerged as the most active group in 2025, accounting for 13.07% of all ransomware claims between January and November. The group showed consistent growth, with a notable peak in October 2025, which coincided with the alliance announcement. This surge suggests that the coalition may have boosted Qilin’s recruitment efforts or created a broader visibility that attracted new operators seeking active platforms.
DragonForce displayed a more gradual but steady upward trajectory, improving its ranking among active groups throughout the year. The group maintained consistent operational activity, with monthly claims ranging from 0.08% to 0.45%. In contrast, LockBit has shown a significant decline, publishing no claims from June through November 2025. This prolonged period of inactivity follows Operation Cronos, a major international law enforcement action in February 2024 that disrupted the group’s infrastructure.
Alliance: Genuine Integration or Branding Strategy?
The divergent activity levels of the three groups raise questions about the true nature of their alliance. Yarix researchers posit that LockBit’s inclusion might serve more as a reputational anchor, preserving its brand name rather than contributing active operational capabilities. The lack of concrete operational signals from LockBit, coupled with the independent growth of Qilin and DragonForce, suggests the coalition might be more symbolic than a fully integrated operational unit.
However, the observed spike in Qilin’s activity post-alliance announcement indicates that even symbolic collaborations can yield tangible results by attracting cybercriminals looking for established and active groups to join. The increasing pressure from law enforcement and the diminishing financial returns from ransom demands are forcing ransomware operators to adapt. The long-term efficacy and operational integration of this new alliance remain to be seen, with further monitoring of their activities crucial for understanding the future trajectory of organized cybercrime.