
LockBit forms alliance with DragonForce, Qilin ransomware groups


LockBit has come back on the scene, this time forming a partnership with prominent ransomware-as-a-service (RaaS) groups DragonForce and Qilin to potentially target critical infrastructure worldwide.

In an Oct. 8 blog post, ReliaQuest researchers reminded the industry that LockBit did this before in 2020 when it joined forces with the Maze ransomware group — a collaboration that introduced double-extortion tactics and also leveraged Maze’s data leak.

“By coming together in this way, the threat actors leverage their collective experience to increase their effectiveness and operational strength, bolster the reputations of all three actors independently and as a group, open the door for potential attack escalation due to the breadth of their scope, and finally highlight the rapidly shifting security-related challenges,” said Noelle Murata, senior security engineer, Xcape, Inc.

Murata added that of the three actors, LockBit’s motivations may be less opportunistic and more retaliatory, because of the reputation loss suffered from previously failed attacks that did not result in ransom payment, as well as the February 2024 takedown of LockBit.

“By sharing tools, techniques, and targets, this coalition can execute sophisticated attacks at high volume against a wide range of targets,” said Murata. “They are operating at economies-of-scale comparable to ‘state-level’ actors, which changes the nature of risks at the geopolitical level.”

Shane Barney, chief information security officer at Keeper Security, added that strategically, this alliance gives the cybercriminals new scale and resilience. Barney said shared infrastructure allows for rapid testing and deployment of new tactics, while joint recruitment brings together affiliates skilled in encryption, negotiation and data theft.

“These alliances mirror legitimate business ecosystems, complete with vendor relationships, subcontractors and mergers, but are optimized for exploitation,” said Barney. “For defenders, this demands a paradigm shift. Historically, security teams modeled adversaries as isolated groups. Now they must map interconnected coalitions — the alliances, split-offs and supply chains that define today’s ransomware ecosystem.”
