Executive Summary
In early October 2025, shortly after the release of LockBit 5.0, the ransomware groups LockBit, Qilin, and DragonForce announced a strategic partnership, effectively forming a collaborative ransomware 'cartel.' The alliance pools infrastructure, intelligence, and attack tooling, and by inviting other e-crime affiliates it extends the groups' operational reach across multiple industries. The cartel model increases both the speed and sophistication of attacks, complicates defenders' response, and lengthens the period during which a compromised environment can be monetized.
The development is significant because it signals a new phase in ransomware operations, with threat actors adopting formal, syndicate-like coordination. It raises the risk for enterprises: intelligence shared among attackers can quickly undermine even mature security postures.
Why This Matters Now
Cartelization of ransomware operations accelerates the threat landscape: attackers gain shared intelligence, new tooling, and coordinated extortion campaigns. Organizations now face more agile, resilient, and capable adversaries, which makes robust defense and cross-team incident response urgently necessary.
Attack Path Analysis
The attack path these groups follow against cloud environments typically begins with phishing or the exploitation of cloud misconfigurations to gain initial access. Abusing weak IAM roles or over-broad permissions, the attackers escalate privileges to reach sensitive systems, then move laterally across internal workloads and regions over east-west connections to reach high-value assets. Covert command-and-control channels give them persistence and remote control of the environment. Sensitive data is exfiltrated over egress channels, often hidden inside encrypted or obfuscated outbound traffic. The operation culminates in ransomware deployment that encrypts critical resources and disrupts business operations while the groups demand payment.
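The "weak IAM roles or permissions" step above is the one defenders can check before an intrusion. The following is an added example for this brief, not code from the cited sources or from any vendor product: a small linter that walks an AWS-style IAM policy document and flags Allow statements that are broader than least privilege (wildcard actions, escalation-prone actions granted on Resource "*", and allow-everything-except NotAction statements). The policy document and the list of escalation-prone actions are constructed assumptions; the list is an illustrative subset, not a complete catalogue.

```python
"""Lint an IAM policy document for grants that let a foothold become an
escalation path.

Added example for this brief; not code from the cited sources or from any
vendor product. CONSTRUCTED_POLICY is made up, and ESCALATION_ACTIONS is an
illustrative subset (assumption), not a complete catalogue.
"""
from __future__ import annotations

# Illustrative subset of AWS actions frequently abused for privilege
# escalation or persistence (assumption: incomplete, demonstration only).
# Stored lowercased because IAM matches action names case-insensitively.
ESCALATION_ACTIONS = {
    "iam:passrole",
    "iam:createaccesskey",       # new long-lived credentials for another user
    "iam:createuser",            # ATT&CK: Create Account
    "iam:attachuserpolicy",
    "iam:attachrolepolicy",
    "iam:putuserpolicy",
    "iam:putrolepolicy",
    "iam:updateassumerolepolicy",
    "sts:assumerole",
    "lambda:updatefunctioncode",
}


def _as_list(value) -> list:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_risky_statements(policy: dict) -> list[dict]:
    """Return one finding per Allow statement that is broader than least privilege."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_resource = "*" in resources
        reasons = []

        # Allow + NotAction grants every action except the listed ones.
        if "NotAction" in stmt and not actions:
            reasons.append("Allow + NotAction grants every action not listed")

        for action in actions:
            if action == "*":
                reasons.append("allows all actions (*)")
            elif action.endswith(":*"):
                reasons.append(f"allows every action in service {action.split(':')[0]}")

        # Escalation-prone actions are only critical when unscoped (Resource "*").
        escalation = sorted(a for a in actions if a.lower() in ESCALATION_ACTIONS)
        if escalation and wildcard_resource:
            reasons.append("escalation-prone actions on Resource '*': " + ", ".join(escalation))

        if reasons:
            findings.append({"sid": stmt.get("Sid", f"Statement[{idx}]"), "reasons": reasons})
    return findings


# Constructed policy document for demonstration (not from any real account).
CONSTRUCTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data",
                      "arn:aws:s3:::example-app-data/*"]},
        {"Sid": "WorkloadAdmin", "Effect": "Allow",
         "Action": "ec2:*", "Resource": "*"},
        {"Sid": "DeployHelper", "Effect": "Allow",
         "Action": ["iam:PassRole", "iam:CreateAccessKey", "lambda:UpdateFunctionCode"],
         "Resource": "*"},
        {"Sid": "EverythingElse", "Effect": "Allow",
         "NotAction": "organizations:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in find_risky_statements(CONSTRUCTED_POLICY):
        print(finding["sid"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed policy, the scoped S3 statement passes while the three broad ones are reported. Escalation-prone actions are flagged only when paired with Resource "*": `iam:PassRole` scoped to one role ARN is a normal deployment grant, whereas unscoped it lets any compromised principal attach a more privileged role to a workload it controls.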
Kill Chain Progression
Initial Compromise
Description
Attackers gain entry through phishing or by exploiting exposed cloud services and misconfigurations, targeting valid credentials and API endpoints.
MITRE ATT&CK® Techniques (covering the full kill chain, in order of progression)
Exploit Public-Facing Application (T1190)
Phishing (T1566)
Valid Accounts (T1078)
Create Account (T1136)
Command and Scripting Interpreter (T1059)
Impair Defenses (T1562)
Exfiltration Over C2 Channel (T1041)
Data Encrypted for Impact (T1486)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Log and Monitor All Access to System Components and Cardholder Data
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Article 12
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Identity Access and Credential Governance
Control ID: 2.3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of this threat, including operational, regulatory, and cloud security risks.
Financial Services
The LockBit-Qilin-DragonForce cartel threatens financial institutions with ransomware campaigns that hide command-and-control and exfiltration inside encrypted traffic, calling for inspection of east-west traffic and zero trust segmentation controls.
Health Care / Life Sciences
Healthcare organizations face ransomware cartel threats that exploit multicloud environments and lateral-movement weaknesses, calling for stronger egress controls and threat detection capabilities.
Government Administration
Government agencies are exposed to coordinated attacks by groups that share resources and intelligence, requiring robust intrusion prevention and a cloud-native security fabric.
Information Technology/IT
The IT sector is targeted by collaborative extortion gangs that exploit Kubernetes security gaps and hybrid connectivity weaknesses, requiring comprehensive zero trust network segmentation strategies.
Sources
- LockBit, Qilin & DragonForce Join Forces in Ransomware 'Cartel' (Dark Reading): https://www.darkreading.com/cyberattacks-data-breaches/extortion-gangs-join-forces-ransomware-cartel
- Notice warns of new LockBit 5.0 ransomware variant (American Hospital Association, 3 October 2025): https://www.aha.org/news/headline/2025-10-03-notice-warns-new-lockbit-50-ransomware-variant
- LockBit, Qilin, DragonForce form ransomware cartel (Cybernews): https://cybernews.com/security/lockbit-qilin-dragonforce-ransomware-cartel/
- LockBit 5.0 Returns After Crackdown — Ransomware Giant Turns to Cartel Model? (lockbitdecryptor.com): https://lockbitdecryptor.com/lockbit-5-ransomware-cartel-2025/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF controls such as zero trust segmentation, anomaly detection, egress policy enforcement, and encrypted traffic inspection restrict attacker mobility, detect suspicious actions, and limit data exfiltration at each stage of the kill chain. Implemented well, these controls create strong east-west isolation, visibility, and active enforcement, significantly constraining ransomware groups' success in cloud environments.
Control: Cloud Firewall (ACF)
Mitigation: Ingress filtering and perimeter policy enforcement block unauthorized external access.
Control: Multicloud Visibility & Control
Mitigation: Detailed audit trails and visibility help detect abnormal privilege usage or policy drift.
Control: Zero Trust Segmentation
Mitigation: Identity-based microsegmentation prevents unauthorized east-west movement.
Control: Egress Security & Policy Enforcement
Mitigation: Suspicious outbound communications are detected and blocked.
Control: Encrypted Traffic (HPE)
Mitigation: Monitors and controls encrypted traffic to prevent covert data exfiltration.
Rapid detection and incident response minimize ransomware spread and business impact.
Impact at a Glance
Affected Business Functions
- Healthcare Services
- Financial Operations
- Manufacturing Processes
- Government Services
- Educational Institutions
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive patient records, financial data, intellectual property, and personally identifiable information (PII) from ransomware attacks on critical infrastructure and other sectors.
Recommended Actions
Key Takeaways & Next Steps
- Implement zero trust segmentation and microsegmentation to prevent unauthorized lateral movement between workloads and services.
- Enforce strict egress policy controls to monitor and restrict all outbound traffic, reducing exfiltration and C2 opportunities.
- Deploy anomaly detection and real-time incident response to rapidly identify and contain threats before ransomware can execute its payload.
- Ensure encrypted traffic inspection is integrated for both internal and external flows to detect covert exfiltration tactics.
- Establish centralized multicloud visibility and automated policy enforcement for proactive detection of privilege escalation and policy drift.
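The egress-policy and anomaly-detection recommendations above can be expressed as a concrete check over the flow records every cloud provider already emits. The following is an added example for this brief, not code from the cited sources or from any vendor product: it parses records in the AWS VPC Flow Logs default (version 2) field order, reports accepted outbound flows from internal addresses to destinations outside an egress allowlist, and raises a volume alert when one source-destination pair moves more bytes than a threshold within the reviewed window. The log lines, the allowlist range, and the 50 MiB threshold are constructed assumptions.

```python
"""Egress policy check and exfiltration-volume detection over VPC-flow-log
style records.

Added example for this brief; not code from the cited sources or any vendor
product. CONSTRUCTED_FLOW_LOG, ALLOWED_EGRESS and EXFIL_BYTES_THRESHOLD are
constructed assumptions. Field order follows the AWS VPC Flow Logs default
(version 2) format: version account-id interface-id srcaddr dstaddr srcport
dstport protocol packets bytes start end action log-status
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# RFC 1918 space is treated as internal; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed egress allowlist (TEST-NET-3 stands in for an approved SaaS range).
ALLOWED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed per-pair byte threshold for the reviewed window; tune to the baseline.
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB


def parse_flow_line(line: str) -> dict:
    """Pull the fields this check needs out of one default-format record."""
    f = line.split()
    if len(f) < 14:
        raise ValueError(f"short flow record: {line!r}")
    return {"src": f[3], "dst": f[4], "dstport": int(f[6]), "proto": int(f[7]),
            "bytes": int(f[9]), "action": f[12]}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_allowed_egress(ip: str, allowed=ALLOWED_EGRESS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def analyze_flows(lines, allowed=ALLOWED_EGRESS, threshold=EXFIL_BYTES_THRESHOLD) -> dict:
    """Return unapproved outbound flows and source->destination pairs over the byte threshold."""
    unapproved = set()
    volume = defaultdict(int)
    for line in lines:
        if not line.strip() or line.startswith("version"):  # skip header / blanks
            continue
        rec = parse_flow_line(line)
        # Only accepted internal->external flows moved data; a REJECT means the
        # policy already worked, and external sources are inbound traffic.
        if rec["action"] != "ACCEPT" or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        if not is_allowed_egress(rec["dst"], allowed):
            unapproved.add((rec["src"], rec["dst"], rec["dstport"]))
        # Volume is tracked for every external destination, allowlisted or not:
        # an attacker-controlled account at an approved SaaS provider is still exfiltration.
        volume[(rec["src"], rec["dst"])] += rec["bytes"]
    volume_alerts = sorted((src, dst, b) for (src, dst), b in volume.items() if b > threshold)
    return {"unapproved_egress": sorted(unapproved), "volume_alerts": volume_alerts}


# Constructed sample records (not captured from any real environment).
CONSTRUCTED_FLOW_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.10 51000 5432 6 400 80000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.10 51001 443 6 15000 20000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.7 51002 443 6 22000 30000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.7 51003 443 6 22000 30000000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.3.44 192.0.2.9 42000 4444 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0e5f6a7b 10.0.3.44 192.0.2.9 42001 8443 6 12 1000 1700000060 1700000120 ACCEPT OK
"""

if __name__ == "__main__":
    result = analyze_flows(CONSTRUCTED_FLOW_LOG.splitlines())
    for src, dst, port in result["unapproved_egress"]:
        print(f"unapproved egress: {src} -> {dst}:{port}")
    for src, dst, nbytes in result["volume_alerts"]:
        print(f"volume alert: {src} -> {dst} moved {nbytes} bytes")
```

Both flagged flows in the sample go to TCP 443, so payload inspection would see only TLS; that is why the policy decision is made on destination and volume rather than content, and why the page's encrypted-traffic control sits alongside egress enforcement rather than replacing it. The single rejected connection to port 4444 is deliberately not counted: it shows the policy working, and belongs in an alert stream rather than a data-movement total.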