The Ransomware Cartel: Inside the LockBit–Qilin–DragonForce Alliance
LockBit, Qilin, and DragonForce have done what ransomware crews almost never do in public: they’ve formed a declared coalition. Announced alongside LockBit’s comeback, the trio is positioning itself as a cartel that shares techniques, infrastructure, and affiliates to raise attack volume and success rates, even inviting other crews to join the fold. For blue teams, that turns three separate problems into a three-headed hydra: faster cross-pollination of TTPs, coordinated victim selection, and more resilient operations when one crew is disrupted. Expect higher operational tempo and broader targeting, including critical infrastructure, as these actors standardize playbooks across crews and exploit the same initial access avenues (phishing, stolen creds, edge exploits) with greater efficiency. Treat this less like “a gang” and more like a ransomware super-operator: update threat models, assume affiliate overlap during investigations, and harden remote access and segmentation accordingly. In short, the business model has scaled up; your defenses and incident playbooks need to scale with it.
Why Public Sector Leaders Should Care
Because this isn’t just three brands teaming up; it’s a business-model upgrade that directly threatens government operations. The alliance is designed to share techniques, infrastructure, and affiliates, which raises the tempo and success rate of attacks. Multiple outlets report the coalition was announced right as LockBit relaunched, with explicit intent to coordinate and scale; that coordination is expected to increase pressure on critical services and on sectors previously considered lower risk.
Two shifts make this especially urgent for public sector leaders. First, LockBit has now declared critical infrastructure “fair game,” listing power plants among permissible targets until (in their words) the FBI negotiates carve-outs—an escalation that breaks with past underworld “norms.” Second, LockBit 5.0 is cross-platform (Windows, Linux, ESXi), meaning virtualized government environments and shared services can be hit end-to-end in a single campaign, complicating recovery for statewide platforms and regional consortiums alike.
Practically, expect: (1) more intrusions via simple logins using stolen credentials to RDP/VPN, then rapid lateral movement; (2) faster playbook reuse across crews, shrinking defenders’ reaction windows; and (3) broader sectoral spillover, from professional services and education into health systems, utilities, and municipal IT, driven by affiliate overlap and shared tooling. For public agencies that run critical services on shared/virtual infrastructure, the risk profile just changed from “one gang at a time” to a coordinated hydra. Update threat models and IR plans accordingly.
Industry Verticals Affected
Short version: the alliance widens, not narrows, the blast radius. Expect spillover from the usual “pays-fast” victims into government services and critical infrastructure as affiliates share access, tooling, and playbooks.
- State, local, and regional government. Government targets are already trending up in 2025; alliances that pool affiliates and initial access are likely to accelerate that curve. LockBit’s return plus cross-crew coordination increases the risk for municipal IT, courts, 911, and shared state platforms.
- Critical infrastructure (energy, water, transportation). Reporting around the coalition explicitly flags potential CI targeting, and LockBit 5.0’s multi-OS reach (Windows, Linux, ESXi) makes it easier to impact virtualized OT/IT edges supporting utilities and transit.
- Healthcare and public health. Health-ISAC warns that LockBit 5.0 is in circulation; healthcare remains a high-pressure victim set because downtime is costly and sensitive.
- Education (K-12, higher ed). Schools and universities continue to see high breach rates, making them attractive to affiliates sharing phishing kits and access.
- Professional & technical services (including gov contractors/MSPs). Professional services have been a top victim class in 2025; shared affiliate networks mean the same access brokers can recycle footholds across clients and their public-sector engagements.
- Manufacturing and supply chain. Activity against manufacturers is elevated; Qilin and peers have repeatedly hit industrial and ESXi-heavy environments, which ripple into public-sector supply chains.
- Financial administration and revenue/treasury functions. Financial services stay high-value; municipalities handling tax and fee collections inherit similar risk profiles, especially where third-party portals or legacy VPNs persist.
Why this changes your risk: the LockBit–Qilin–DragonForce coalition is about scale and breadth. Many sources note the alliance was designed to share techniques, infrastructure, and affiliates, which historically correlates with broader sector targeting and faster campaign reuse. ZeroFox and others also observe Qilin’s heavy North America focus—relevant for U.S. public entities.
So what? If you operate shared services (VMware/ESXi, mixed Windows/Linux estates) for multiple agencies or school districts, treat yourself as high-impact adjacency: one affiliate’s foothold can now be productized across three brands. Tighten remote access, segment critical workloads, and harden virtualization layers accordingly.
How to Identify if You’re Under Attack
How to tell if the “three-headed hydra” is already in your network (indicators you can hunt today):
- Identity & access spikes (RDP/VPN): Bursts of failed logons (Event ID 4625) against admin accounts, followed by successful network (Logon Type 3) or RDP (Logon Type 10) logons (Event ID 4624) from new geographies or untrusted ASNs. Correlate the same source IP pivoting across multiple hosts.
- Windows Defender tampering: PowerShell changes like Set-MpPreference -DisableRealtimeMonitoring $true, Group Policy edits to AV/EDR, or scripted service/registry modifications preceding lateral movement—behavior seen in recent LockBit intrusions.
- New or suspicious services (often PsExec): Look for Event ID 7045 with service names like PSEXESVC and remote service creation shortly before encryption jobs. Pair with Sysmon pipe events (17/18) tied to PsExec.
- Living-off-the-land “cleanup” of recovery points: vssadmin delete shadows /all /quiet, wmic shadowcopy delete, or wbadmin delete catalog on multiple hosts (ATT&CK T1490 Inhibit System Recovery). Treat any enterprise-wide VSS deletion as a ransomware precursor.
- Rclone / MEGA exfil trails: New rclone.exe processes, rclone.conf on disk, or egress to cloud storage prior to extortion posts; LockBit affiliates frequently use Rclone/MEGA in the run-up to detonations.
- Cobalt Strike & SystemBC beacons: Beacon-like periodic HTTP/S or DNS callbacks and SOCKS proxies (e.g., SystemBC) used for staging and lateral movement—observed with both LockBit and DragonForce crews.
- Audit log scrubbing: Security log clearing Event ID 1102 (and related 104/1100) on critical servers during the incident window—often part of defense evasion and anti-forensics.
- Qilin/Agenda operator fingerprints: Phishing-led initial access, RMM tool abuse, PsExec/SSH propagation, and per-victim file extensions are consistent Qilin tradecraft; Linux/ESXi builds have been observed.
- BYOVD to kill EDR (DragonForce): Sudden kernel-driver loads and EDR service terminations—DragonForce advertises BYOVD (“Rentdrv/Truesight”) options to knock over defenses before encryption.
- ESXi early-warning signs: New or off-hours SSH to hypervisors; esxcli/vim-cmd activity that stops VMs; VIB acceptance level changes; enabling ESXi Shell or lowering controls—these often precede datastore-level encryption (LockBit 5.0 targets ESXi aggressively).
- Cross-platform payload staging: Same operator/source pushing Windows, Linux, and ESXi encryptors within a short window—now easier as LockBit 5.0 standardizes cross-OS tooling. Watch for mixed binaries landed via the same admin share or management host.
- Randomized file extensions & stealthy markers (LockBit 5.0). Post-encryption folders with randomized extensions and reduced obvious markers; don’t rely on ransom-note filename alone.
Quick hunts to kick off (copy/paste concepts):
- Windows: search for ProcessName IN ("vssadmin.exe","wbadmin.exe","wmic.exe") AND CommandLine CONTAINS ("delete" OR "shadowcopy") within 2–4 hours of new 7045 service installs.
- Exfil: find process=rclone.exe OR file=rclone.conf then pivot to netflow/DNS for large transfers to cloud storage providers (MEGA, etc.).
- RDP/WinRM: sequence 4625 bursts → 4624 (Type 10/3) → PowerShell 4103/4104 or WMI exec on servers the same user rarely touches.
- ESXi: monitor syslog for esxcli software acceptance set, role changes to Admin, or enabling SSH/ESXi Shell on hypervisors.
If you’re seeing two or more of these behaviors in the same 24–48-hour window—especially rclone + log clearing + PsExec service installs—assume an affiliate is staging for mass encryption and move to containment immediately.
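As an added illustration of the sequencing logic in the hunts above (this script is not part of the original post or the downloadable detection pack), the following Python correlates constructed Windows event records for the listed behaviors: a 4625 burst followed by a 4624 Type 3/10 from the same source, a PSEXESVC 7045 install, shadow-copy deletion command lines, rclone activity, and 1102/104 log clearing. It then flags any host that shows two or more of these behaviors inside one 48-hour window, which is the “assume staging, move to containment” rule stated above. The event tuples, hostnames, IP addresses, field names and thresholds are all constructed samples and assumptions; the field names are a simplified stand-in for whatever schema your SIEM normalizes.

```python
"""Correlate Windows event records for the ransomware precursors above.

Added example; the events below are constructed samples, not real telemetry.
Each record is (timestamp, host, event_id, fields), with field names chosen as
a simplified stand-in for a SIEM's normalized schema (assumption).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample telemetry -------------------------------------------
SAMPLE_EVENTS = [
    # 20 failed logons (4625) against an admin account from one external IP
    *[(f"2025-10-01T02:00:{s:02d}Z", "FS01", 4625,
       {"user": "svc_backup", "src_ip": "203.0.113.7"}) for s in range(0, 40, 2)],
    # ...followed by a successful RDP (Logon Type 10) logon from the same IP
    ("2025-10-01T02:01:10Z", "FS01", 4624,
     {"user": "svc_backup", "src_ip": "203.0.113.7", "logon_type": 10}),
    # PsExec service install (System log 7045)
    ("2025-10-01T02:40:00Z", "FS01", 7045,
     {"service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe"}),
    # shadow copy deletion seen as process creation (4688 with command line)
    ("2025-10-01T03:05:00Z", "FS01", 4688,
     {"image": r"C:\Windows\System32\vssadmin.exe",
      "cmdline": "vssadmin delete shadows /all /quiet"}),
    # rclone staging data toward cloud storage
    ("2025-10-01T03:20:00Z", "FS01", 4688,
     {"image": r"C:\Tools\rclone.exe",
      "cmdline": r"rclone.exe copy D:\Finance mega:dump --transfers 8"}),
    # Security log cleared (1102)
    ("2025-10-01T03:50:00Z", "FS01", 1102, {"user": "svc_backup"}),
    # benign interactive logon on a workstation; must not be flagged
    ("2025-10-01T09:00:00Z", "WS22", 4624,
     {"user": "jdoe", "src_ip": "10.0.5.20", "logon_type": 2}),
]

SHADOW_PATTERNS = [  # T1490 Inhibit System Recovery command lines from the post
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_brute_then_remote_logon(events, min_failures=10,
                                   lookback=timedelta(hours=1)):
    """A 4624 with Logon Type 3 or 10 preceded (within `lookback`) by at least
    `min_failures` 4625s from the same source IP against the same host."""
    failures = defaultdict(list)           # (host, src_ip) -> [datetime]
    for ts, host, eid, f in events:
        if eid == 4625 and "src_ip" in f:
            failures[(host, f["src_ip"])].append(parse_ts(ts))
    findings = []
    for ts, host, eid, f in events:
        if eid != 4624 or f.get("logon_type") not in (3, 10):
            continue
        t = parse_ts(ts)
        prior = [x for x in failures.get((host, f.get("src_ip")), [])
                 if t - lookback <= x <= t]
        if len(prior) >= min_failures:
            findings.append((host, t, "brute_force_then_remote_logon"))
    return findings


def detect_single_event_behaviours(events):
    """Behaviours recognisable from a single record each."""
    findings = []
    for ts, host, eid, f in events:
        t = parse_ts(ts)
        cmd = f.get("cmdline", "")
        image = f.get("image", "").lower()
        svc = (f.get("service_name", "") + f.get("image_path", "")).lower()
        if eid == 7045 and "psexesvc" in svc:
            findings.append((host, t, "psexec_service_install"))
        elif eid == 4688 and any(p.search(cmd) for p in SHADOW_PATTERNS):
            findings.append((host, t, "shadow_copy_deletion"))
        elif eid == 4688 and (image.endswith("rclone.exe")
                              or "rclone.conf" in cmd.lower()):
            findings.append((host, t, "rclone_staging"))
        elif eid in (1102, 104):   # Security / System log cleared
            findings.append((host, t, "audit_log_cleared"))
    return findings


def staging_hosts(events, window=timedelta(hours=48), min_behaviours=2):
    """Hosts showing >= `min_behaviours` distinct behaviours inside one sliding
    `window`, i.e. the "two or more within 24-48 hours" rule from the post.
    Returns {host: sorted behaviour names}."""
    findings = (detect_brute_then_remote_logon(events)
                + detect_single_event_behaviours(events))
    by_host = defaultdict(list)
    for host, t, name in findings:
        by_host[host].append((t, name))
    flagged = {}
    for host, items in by_host.items():
        items.sort()
        for t0, _ in items:
            names = {n for t, n in items if t0 <= t <= t0 + window}
            if len(names) >= min_behaviours:
                flagged[host] = sorted(names)
                break
    return flagged


if __name__ == "__main__":
    for host, names in staging_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: likely staging for mass encryption -> {', '.join(names)}")
```

The thresholds (10 failures in the hour before a success, a 48-hour window, two distinct behaviors) are starting points to tune against your own baseline. The 4688 checks only work if command-line auditing is enabled or Sysmon Event 1 is mapped to the same `image`/`cmdline` fields, and the 4625/4624 pairing assumes the source IP survives normalization; if your VPN concentrator rewrites it, key on the account instead.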
Technical Recommendations Including Which Patches to Apply
Technical recommendations (with high-priority patches)
Work from the outside in. The alliance thrives on the same front doors—VPNs, edge gateways, and hypervisors—then pivots to identity abuse and rapid encryption (Windows, Linux, ESXi). Patch those doors first, then harden identity, EDR, and backups.
1) Patch now: edge/VPN and virtualization
- Citrix NetScaler ADC/Gateway: Patch to the August 26, 2025 builds or later. Address CVE-2025-7775 (zero-day RCE, exploited), plus CVE-2025-7776 and related fixes. Validate exposure (Gateway/AAA vservers, IPv6 profiles) and review device logs for exploitation artifacts. If you can’t patch same-day, isolate from the internet and front with MFA/TLS client auth.
- Ivanti Connect Secure / Policy Secure / ZTA: Apply January–April 2025 updates that CISA moved into KEV (CVE-2025-22457, CVE-2025-0282) and follow CISA’s compromise-assessment steps if you were exposed before patching. Rotate credentials and device certificates after upgrade.
- Fortinet FortiOS SSL-VPN: Ensure you’ve remediated CVE-2024-21762 and older SSL-VPN flaws; Fortinet and CISA warned of post-exploitation re-use of legacy bugs. If you ever delayed patching, assume credentials and tokens are burned—force resets and audit for webshells.
- VMware vSphere / ESXi / vCenter: LockBit 5.0 specifically targets ESXi datastores. Apply VMSA-2025-0004, -0010, and -0013 (multiple ESXi/vCenter fixes across 2025). Don’t leave hypervisor mgmt interfaces exposed; enable Lockdown Mode and audit for rogue SSH.
- General note on hypervisors: Treat vSphere as Tier-0. Encrypt critical VMs, remove orphaned disks/VMs, and stream vCenter/ESXi logs to SIEM for detections (e.g., mass VM stops, vim-cmd, esxcli changes).
2) Identity, remote access, and endpoint controls
- RDP/VPN hardening: Default-deny RDP from the internet; require device-bound, phishing-resistant MFA for all remote access; enforce lockouts and geo-anomaly alerts (4625 → 4624 Type 3/10). CISA’s StopRansomware playbook is your checklist.
- Application control & BYOVD: Enable Windows Defender Application Control (WDAC), now branded App Control for Business, starting in audit mode and moving to enforce, and turn on the Microsoft Vulnerable Driver Blocklist (HVCI/Memory Integrity). Microsoft updated the blocklist through 2025; make sure it’s actually applied.
- Defender ASR rules: Turn on Attack Surface Reduction (block Office child-process, credential theft, script abuse) in block mode for workstations and high-risk servers. Monitor for impact, then enforce.
3) Lateral movement, privilege abuse, and backup resilience
- Admin boundaries: Tiered admin model; no everyday admin. Restrict PsExec/WinRM to jump hosts; alert on new service installs (7045) and high-risk LOLBins (PowerShell/WMIC) from non-admin consoles. (Map to the IoCs in the prior section.)
- Backup strategy: 3-2-1 with at least one immutable/offline copy; routinely test bare-metal and AD forest recovery. Monitor for VSS deletions and backup catalog changes; treat those as containment triggers.
- Data exfil: Block or alert on Rclone/MEGA and on unusual egress to cloud storage buckets or Tor; rate-limit outbound where possible.
4) Virtualization-specific hardening (because LockBit/Qilin hit ESXi)
- Access: ESXi Shell/SSH disabled by default; unique creds, PAM/MFA for vCenter; no shared root. Segregate mgmt networks from user subnets.
- Policy: Enforce execInstalledOnly, signed VIBs, and Lockdown Mode; baseline for sudden VM power-off bursts and datastore operations.
- Exposure: No public mgmt endpoints; front with VPN that has MFA + device certificates. (If you must expose, you must monitor.)
5) Detection engineering refresh (fast wins)
- Shadow copy tampering: Detect vssadmin delete shadows /all /quiet, wmic shadowcopy delete, and wbadmin delete catalog.
- PsExec spread: Alert on service PSEXESVC and remote service creation spikes (event 7045).
- ESXi pre-encryption: Watch for vim-cmd/esxcli that stop many VMs, VIB acceptance changes, enabling Shell/SSH after hours.
- Blocklist drift: Verify the WDAC/blocklist policy is current on DCs and key servers (we still see “policy exists but not applied”).
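The ESXi items above (the syslog heuristics in the quick hunts, the hypervisor hardening policy, and the “ESXi pre-encryption” detection refresh) can be prototyped the same way. The script below is an added example, not content from the original post or the detection pack. It parses constructed lines in the approximate shape of ESXi shell.log entries as forwarded by syslog (an assumption; the exact format on your hosts depends on the forwarder, so adjust `SHELL_RE`), and raises one alert per host for SSH/Shell enablement (tagged when it happens off-hours), VIB acceptance-level changes, and bursts of VM power-offs. The hostnames, PIDs, VM ids and business-hours window are constructed values.

```python
"""Heuristics over ESXi shell-log lines for the hypervisor precursors above.

Added example; the log lines are constructed in the approximate shape of ESXi
shell.log entries forwarded by syslog. Assumed layout (adjust SHELL_RE):
    <ts> <host> shell[pid]: [user]: <command>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample log (not real telemetry) ---------------------------
SAMPLE_SYSLOG = """\
2025-10-01T01:52:03Z esx01 shell[2231]: [root]: vim-cmd hostsvc/enable_ssh
2025-10-01T01:53:10Z esx01 shell[2231]: [root]: esxcli software acceptance set --level CommunitySupported
2025-10-01T01:55:00Z esx01 shell[2240]: [root]: vim-cmd vmsvc/power.off 12
2025-10-01T01:55:30Z esx01 shell[2240]: [root]: vim-cmd vmsvc/power.off 13
2025-10-01T01:56:02Z esx01 shell[2240]: [root]: vim-cmd vmsvc/power.off 14
2025-10-01T01:57:45Z esx01 hostd[2101]: Event 88 : User root@10.0.9.4 logged in as VMware-client
2025-10-01T13:05:00Z esx02 shell[3001]: [vcadmin]: esxcli network ip interface list
2025-10-01T13:20:00Z esx02 shell[3001]: [vcadmin]: vim-cmd vmsvc/power.off 7
"""

SHELL_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+shell\[\d+\]:\s+"
                      r"\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$")
# enabling SSH or the ESXi Shell from the command line
ENABLE_RE = re.compile(r"vim-cmd\s+hostsvc/enable_(ssh|esx_shell)\b|"
                       r"esxcli\s+system\s+ssh\s+set\s+.*--enabled[= ]true", re.I)
# any change to the VIB acceptance level
ACCEPT_RE = re.compile(r"esxcli\s+software\s+acceptance\s+set\b", re.I)
# VM stops via vim-cmd or forced process kill
POWEROFF_RE = re.compile(r"vim-cmd\s+vmsvc/power\.off\s+\d+|"
                         r"esxcli\s+vm\s+process\s+kill", re.I)


def parse_shell_line(line):
    """Return (datetime, host, user, cmd) for a shell.log line, else None."""
    m = SHELL_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            m["host"], m["user"], m["cmd"])


def is_off_hours(t, start_hour=7, end_hour=19):
    """Business-hours window is an assumption; set it for your site."""
    return not (start_hour <= t.hour < end_hour)


def analyze_esxi_shell_log(text, burst_size=3, burst_window=timedelta(minutes=10)):
    """Alerts per host: SSH/Shell enabled (tagged off-hours), acceptance-level
    change, and >= `burst_size` VM power-offs inside one `burst_window`."""
    alerts = defaultdict(set)
    poweroffs = defaultdict(list)
    for line in text.splitlines():
        rec = parse_shell_line(line)
        if rec is None:          # hostd/vobd lines need their own parsers
            continue
        t, host, _user, cmd = rec
        if ENABLE_RE.search(cmd):
            tag = "_off_hours" if is_off_hours(t) else ""
            alerts[host].add("ssh_or_shell_enabled" + tag)
        if ACCEPT_RE.search(cmd):
            alerts[host].add("acceptance_level_changed")
        if POWEROFF_RE.search(cmd):
            poweroffs[host].append(t)
    for host, times in poweroffs.items():
        times.sort()
        for t0 in times:
            if sum(1 for t in times if t0 <= t <= t0 + burst_window) >= burst_size:
                alerts[host].add("vm_poweroff_burst")
                break
    return {host: sorted(names) for host, names in alerts.items()}


if __name__ == "__main__":
    for host, names in analyze_esxi_shell_log(SAMPLE_SYSLOG).items():
        print(f"{host}: {', '.join(names)}")
```

A single daytime `power.off` from a vCenter service account (esx02 in the sample) produces nothing, while the off-hours root session on esx01 trips all three heuristics. In production, feed the same function from your SIEM’s ESXi syslog index and pair it with Lockdown Mode so that interactive shell commands are rare enough to be worth alerting on at all.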
Patch-board you can hand to Change Control (summary)
- Citrix NetScaler ADC/Gateway: Patch to Aug 26 2025 releases or newer (fixes CVE-2025-7775/7776). Validate not exposed and enable MFA.
- Ivanti Connect Secure/Policy Secure/ZTA: Apply Jan–Apr 2025 security updates (CVE-2025-22457, CVE-2025-0282) and run compromise checks.
- Fortinet FortiOS SSL-VPN: Ensure fixes for CVE-2024-21762 and prior; hunt for residual webshells/tokens.
- VMware vSphere/ESXi/vCenter: Apply VMSA-2025-0004/-0010/-0013; enforce Lockdown Mode and remove public exposure.
- Windows fleet: Enable WDAC/App Control and the Vulnerable Driver Blocklist (HVCI/Memory Integrity); roll out Defender ASR rules in block.
Why this matters right now: LockBit 5.0 is purpose-built for Windows/Linux/ESXi, which means a single affiliate can jump between OS families without changing tradecraft. If your edge gear or hypervisors lag on these 2025 bulletins, you’re gift-wrapping initial access and mass-impact encryption for the cartel. Patch, segment, and enforce application/driver controls before they enforce downtime.
Technical Downloadable Indicator Files (SPL, KQL, Sigma, Yara, etc.)
Downloadable detection content (SPL, KQL, Sigma, YARA)
All files are packaged and also available individually so your team can drop them straight into your SIEM and triage workflows.
- Complete pack (ZIP): Download the Detection Pack
Individual files:
- Splunk hunts (SPL): spl_lockbit_qilin_dragonforce_hunts.spl. Covers bursts of 4625→4624 (Type 10/3), PsExec service installs (7045), shadow copy wipes, rclone/MEGA usage, and log clearing (1102).
- Microsoft Sentinel hunts (KQL): kql_lockbit_qilin_dragonforce_hunts.kql. Covers anomalous RDP successes, failed RDP bursts, PsExec service creation, Defender tamper, rclone/MEGA, and ESXi syslog heuristics.
- Sigma rules (YAML), ready for conversion to Splunk/Elastic/Sentinel via Sigma tools:
- Shadow copy deletion (T1490) — sigma_vssadmin_delete_shadows.yml
- PsExec service install (T1569.002) — sigma_psexec_service_install.yml
- Defender tampering via PowerShell (T1562) — sigma_windows_defender_tamper.yml
- Rclone/MEGA exfil usage (T1041/T1567) — sigma_rclone_exfil.yml
- YARA (triage strings): yara_lockbit_qilin.yar. LockBit 5.0 / Qilin identifiers and ransom-note markers (use for lab triage, tune as samples evolve).
- README / usage notes: README.txt. Quick MITRE mapping, tuning tips, and deployment reminders.
We're Available to Help
Book a 30-minute readiness review with our team this week. We’ll sanity-check your remote access, ESXi hardening, and detections against the LockBit–Qilin–DragonForce playbook and leave you with a prioritized 30-day hardening plan.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.