Critical infrastructure declared fair game: As part of LockBit’s return announcement, the group revealed that critical infrastructure sectors previously considered off-limits would now be permissible targets for its affiliates. “It is permissible to attack critical infrastructure such as nuclear power plants, thermal power plants, hydroelectric power plants, and other similar organizations,” the group stated, according to the report.The authorization includes a challenge to law enforcement: “These authorizations remain in effect until an agreement is reached between the FBI and LockBit not to attack certain categories of targets. If you are reading this and these rules have not changed, then the FBI has not yet approached us for this agreement, and they are quite comfortable with the authorizations to attack the above categories of organizations.”The move marks a significant departure from informal rules that have governed ransomware operations since the May 2021 Colonial Pipeline attack by the DarkSide group, which led to intense law enforcement scrutiny and the group’s eventual shutdown, the report said.The FBI did not immediately respond to a request for comment.
Parallel alliance among English-speaking criminals: The DragonForce-Qilin-LockBit cartel follows a similar consolidation pattern among primarily English-speaking cybercrime collectives. Scattered Spider, ShinyHunters, and Lapsus$ began collaborating under the name Scattered Lapsus$ Hunters, launching a data-leak site in October that listed 39 companies whose Salesforce environments had allegedly been compromised, according to the report.In late August, Scattered Spider announced plans to launch its own ransomware-as-a-service offering called ShinySp1d3r RaaS, claiming it would be “the best RaaS to ever live,” the report said.
Record fragmentation despite consolidation: The cartel formations come amid record fragmentation in the broader ransomware ecosystem. The number of active data-leak sites reached an all-time high of 81 in the third quarter of 2025, as smaller groups filled gaps left by disrupted major operations, the report said.ReliaQuest recommended that organizations restrict remote desktop protocol and VPN access by using device-based certificates to block attackers using stolen credentials, as “ransomware affiliates are increasingly gaining access by simply authenticating to RDP or VPNs,” the report stated. For critical infrastructure organizations now explicitly targeted by LockBit affiliates, ReliaQuest recommended implementing network segmentation using the Purdue Model, which establishes separate security zones with strict access controls and firewalls between IT and operational technology systems. “This limits ransomware from spreading between networks and reduces the impact of attacks,” the report stated.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4070290/lockbit-dragonforce-and-qilin-form-a-cartel-to-dictate-ransomware-market-conditions.html
