How a new alliance in the ransomware economy is forcing defenders to evolve from reaction to rehearsal.

Introduction

In the cyber-underground, alliances are often loose, opportunistic, and temporary. But recent reporting suggests something more structured: three of the biggest ransomware actorsQilin, LockBit, and DragonForce—are forming what amounts to a cyber cartel. They are no longer competing; they are coordinating.

This shift matters because it changes how defenders must think about ransomware: from isolated attacks to coordinated business ecosystems.

Who’s Who: The Players

Qilin Known earlier as Agenda, Qilin has run a full ransomware-as-a-service (RaaS) program since 2022. It offers affiliates polished extortion kits, leak sites, and negotiation portals. Qilin’s playbook includes double extortion and use of legitimate tools (RMM, scheduled tasks) to blend in before detonation.

LockBit LockBit is the veteran—responsible for thousands of global incidents and now reinvented as LockBit 5.0. It continues to operate as a structured criminal enterprise, complete with branding, affiliate recruitment, and “press releases” for its breaches.

DragonForce DragonForce is newer but rising fast. Analysts note it has adopted a cartel-style model, offering white-label ransomware, absorbing rivals, and sharing infrastructure with partners. In short, it’s not a single crew—it’s an ecosystem builder.

The Cartel Concept

Reports from multiple sources now suggest these groups are collaborating—coordinating attacks, sharing affiliates, and aligning pricing. In traditional crime terms, this is a cartel: a syndicate designed to regulate competition and stabilize profit.

If this proves true, it signals a maturity in the ransomware economy: organized markets, not chaos.

Why It Matters

The implication for defenders is serious. A cartel means shared tooling, faster attack chains, and greater resilience to takedowns. It also means your detection coverage against one actor may suddenly apply—or fail—across several.

But here’s the twist: this cartelization also gives defenders a chance to train smarter. If the adversaries are coordinating, defenders can coordinate their emulation.

Emulate Before They Arrive: Testing Your Defenses Against a Cartel’s Style of Attack

Imagine Qilin, LockBit, and DragonForce as the cyber-equivalent of a multinational conglomerate—testing their business model on your network before product launch. The only rational response is to test yourself first. That’s where adversary emulation comes in.

Emulation means rehearsing their tactics before they do, safely and within scope. It’s not “red teaming for show”—it’s Purple Teaming with purpose.

Step 1: Build the Adversary Profile Start by translating each group’s known behaviors into a MITRE ATT&CK map:

  • Qilin favors credential theft (T1078), scheduled tasks (T1053), and Safe Mode evasion (T1562.009).
  • LockBit affiliates rely on phishing, RDP exploitation (T1133), and automated encryption scripts (T1486).
  • DragonForce affiliates experiment with white-label malware, data-theft APIs, and public shaming leak sites (T1654).

From this, you can identify what telemetry your defenses should detect.

Step 2: Design a Safe, Controlled Exercise Use controlled emulation tools or internal scripts to simulate those behaviors—never real ransomware. Run them in your test or segmented environment under a strict Rules of Engagement document. Involve legal, compliance, and your SOC leads.

Step 3: Run It as a Purple Team Sprint Your Red Team executes realistic behaviors; your Blue Team monitors and tunes detections in real time. Run it as a one-week cycle:

  • Day 1: Credential abuse & lateral movement simulation.
  • Day 2: Persistence and privilege escalation checks.
  • Day 3: Mock data staging and exfiltration test.
  • Day 4: Simulated encryption and recovery validation.
  • Day 5: After-action review and detection tuning.

This schedule fits perfectly with your existing 8 AM–4 PM Purple Team exercise framework.

Step 4: Measure What Matters Don’t just grade by “we saw the alert.” Track:

  • MTTD – Mean Time to Detect.
  • MTTC/MTTR – Mean Time to Contain/Recover.
  • Coverage Gaps – Which techniques lacked detection or logging.
  • Remediation Velocity – How quickly you closed those gaps.

These metrics tell you how your defenses perform under cartel-grade pressure.

Step 5: Deliverables Every emulation run should end with:

  • Executive summary: current resilience posture, business impact, and top 3 investment priorities.
  • Technical appendix: detection rule IDs, log sources, gaps, and proposed Exabeam/EDR improvements.
  • Runbook updates: communication flows, backup restore validation, legal response templates.

Beyond Reaction: Building Institutional Muscle

Running these cartel-based emulations does more than sharpen the SOC. It forges cross-team trust: IT learns what Security needs; Security learns what Ops can actually deliver; Leadership sees resilience quantified.

The exercise converts fear into data. And data is how you win.

Conclusion

The rumored Qilin–LockBit–DragonForce cartel isn’t just a headline—it’s a mirror. It reflects how professionalized the underground economy has become. But it also gives defenders a new playbook: study, emulate, rehearse, and improve faster than the adversary can adapt.

Cyber defense is no longer just detection—it’s pre-experience. Emulatie before they arrive. Because once they do, the test has already begun.