Ransomware’s New Triad: DragonForce, LockBit, and Qilin

Understanding the New Ransomware Triad: How DragonForce, LockBit, and Qilin Are Teaming Up

The landscape of cybercrime is constantly evolving, shifting from isolated attacks to sophisticated, business-like operations. Today, a new and dangerous alliance has emerged, creating a highly efficient attack chain that poses a significant threat to organizations worldwide. This new triad consists of three specialized groups: DragonForce, LockBit, and Qilin, each playing a distinct role in a devastating ransomware strategy.

Understanding how these groups collaborate is the first step toward building a more resilient defense. This isn’t just another ransomware variant; it’s a streamlined criminal enterprise.

The Infiltrator: Who is DragonForce?

Every successful ransomware attack begins with a single point of entry. This is where DragonForce comes in. DragonForce operates as an Initial Access Broker (IAB), a specialist in finding and exploiting vulnerabilities in corporate networks.

Their primary methods include:

  • Exploiting unpatched vulnerabilities: DragonForce actively scans the internet for public-facing systems with known security flaws, such as unpatched VPNs, firewalls, and Remote Desktop Protocol (RDP) services.
  • Phishing campaigns: They deploy sophisticated phishing emails to trick employees into revealing credentials or downloading malware.
  • Brute-force attacks: Systematically trying to guess passwords for exposed accounts.

Once DragonForce gains a foothold in a network, they don’t carry out the ransomware attack themselves. Instead, they package this access and sell it on dark web forums to the highest bidder, acting as the first link in the cybercrime supply chain.

The Enforcer: The Notorious LockBit Ransomware

LockBit is one of the most infamous and prolific names in the cybercrime world. They operate a Ransomware-as-a-Service (RaaS) model, which means they develop the malicious software and infrastructure and then lease it to “affiliates” who conduct the actual attacks.

By purchasing access from an IAB like DragonForce, a LockBit affiliate can bypass the difficult initial infiltration phase and move straight to deployment. LockBit is known for its:

  • Speed and efficiency: Its malware is designed to encrypt files across a network very quickly.
  • Double extortion tactics: LockBit doesn’t just encrypt data; it first exfiltrates sensitive corporate files. If the victim refuses to pay the ransom, the group threatens to publish the stolen data publicly, adding immense pressure on the organization.
  • Resilience: Despite international law enforcement efforts to dismantle its infrastructure, LockBit has repeatedly demonstrated its ability to regroup and continue its operations.

The Power Player: The Rise of the Qilin Gang

Similar to LockBit, Qilin is another dangerous ransomware group that has gained notoriety for its aggressive and targeted attacks. While they also function as a RaaS provider, Qilin is particularly known for its highly customizable ransomware payloads. This allows their affiliates to tailor the attack specifically to the victim’s environment, potentially bypassing standard security measures.

Qilin affiliates are also active purchasers of network access from IABs. Their involvement in this new triad means organizations now face threats from multiple, highly capable ransomware deployers who are all leveraging the same initial access points.

A Dangerous Synergy: How the Triad Operates

The collaboration between these three groups creates a dangerously efficient assembly line for cyberattacks. Here’s how a typical attack unfolds:

  1. Infiltration: DragonForce identifies and exploits a vulnerability in an organization’s perimeter.
  2. Sale of Access: The access is sold on a criminal marketplace to an affiliate of either LockBit or Qilin.
  3. Deployment: The affiliate uses the purchased access to move laterally within the network, escalate privileges, and steal sensitive data.
  4. Extortion: The affiliate deploys the LockBit or Qilin ransomware payload, encrypting critical systems. A ransom note is left behind, demanding payment in cryptocurrency to both decrypt the files and prevent the public release of stolen information.

This specialization of labor makes the entire process faster and more effective. DragonForce focuses solely on breaking in, while LockBit and Qilin focus on monetization.

How to Protect Your Organization from This Evolving Threat

Defending against such a coordinated threat requires a multi-layered security strategy. Waiting to react is not an option; proactive defense is essential.

  • Implement a Robust Patch Management Program: DragonForce’s success relies heavily on unpatched systems. Prioritize patching for all internet-facing devices, including VPNs, firewalls, and servers. Time is critical—apply security updates as soon as they become available.
  • Enforce Multi-Factor Authentication (MFA): MFA is one of the most effective controls for preventing unauthorized access, even if credentials are stolen. Enable MFA on all critical accounts, especially for remote access and administrative roles.
  • Conduct Regular Security Awareness Training: Since phishing is a common entry vector, educate your employees on how to spot and report suspicious emails. A well-informed workforce is a powerful line of defense.
  • Maintain Immutable and Offline Backups: Your backups are your last line of defense. Follow the 3-2-1 rule (three copies of data, on two different media, with one copy off-site). Ensure at least one copy is offline or immutable, meaning the ransomware cannot reach and encrypt it.
  • Develop and Test an Incident Response Plan: Know exactly who to call and what steps to take the moment you suspect a breach. A well-rehearsed plan can significantly reduce the duration and impact of an attack.
  • Segment Your Network: By dividing your network into smaller, isolated zones, you can contain an attacker’s movement. If a breach occurs in one segment, this strategy can prevent the infection from spreading to critical parts of your infrastructure.
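
The backup item above can be checked mechanically. The following is an added example, not part of the original article: it audits a constructed backup inventory against the 3-2-1 rule plus the offline-or-immutable requirement. The record fields (dataset, media, offsite, offline, immutable) are hypothetical and not taken from any backup product.

```python
from collections import defaultdict


def rec(dataset, media, offsite=False, offline=False, immutable=False):
    """Build one inventory record: a single copy of a dataset (hypothetical schema)."""
    return {"dataset": dataset, "media": media, "offsite": offsite,
            "offline": offline, "immutable": immutable}


# Constructed sample inventory; the production copy counts as one of the copies.
INVENTORY = [
    rec("finance-db", "disk"),                                 # production
    rec("finance-db", "disk"),                                 # local backup server
    rec("finance-db", "tape", offsite=True, offline=True),     # vaulted tape
    rec("file-share", "disk"),                                 # production
    rec("file-share", "disk", offsite=True),                   # online replica at second site
    rec("hr-records", "disk"),                                 # production
    rec("hr-records", "disk"),                                 # local backup server
    rec("hr-records", "object-storage", offsite=True, immutable=True),
]


def audit_321(inventory):
    """Return {dataset: [failed requirements]}; an empty list means compliant."""
    by_dataset = defaultdict(list)
    for copy in inventory:
        by_dataset[copy["dataset"]].append(copy)

    findings = {}
    for name, copies in by_dataset.items():
        failed = []
        if len(copies) < 3:
            failed.append("fewer than three copies")
        if len({c["media"] for c in copies}) < 2:
            failed.append("fewer than two media types")
        if not any(c["offsite"] for c in copies):
            failed.append("no off-site copy")
        # An off-site replica that stays online and writable does not satisfy this.
        if not any(c["offline"] or c["immutable"] for c in copies):
            failed.append("no offline or immutable copy")
        findings[name] = failed
    return findings


if __name__ == "__main__":
    for dataset, failed in audit_321(INVENTORY).items():
        print(f"{dataset}: {'OK' if not failed else '; '.join(failed)}")
```

The file-share dataset shows the case the rule is meant to catch: it has an off-site copy, but that copy is an online replica, so ransomware that reaches production can reach it too.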

The emergence of collaborative triads like DragonForce, LockBit, and Qilin is a clear signal that ransomware threats are becoming more organized and potent. By understanding their tactics and reinforcing your defenses, you can dramatically reduce your risk of becoming their next victim.

Source: https://securityaffairs.com/183119/cyber-crime/dragonforce-lockbit-and-qilin-a-new-triad-aims-to-dominate-the-ransomware-landscape.html
