Qilin Leads a New Wave of Attacks as LockBit 5.0 Returns With a Technical Edge

Qilin is now the top ransomware threat in the world, while the LockBit ransomware campaign is back in the form of its 5.0 variant. Discover how the Qilin threat and the LockBit comeback affect the threat landscape.

Qilin Emerges as 2025’s Top Ransomware Threat

Qilin rose to notoriety due to the collapse of some older groups in the wake of law enforcement efforts. The notorious group readily absorbed LockBit alumni following the 2024 shutdown. This introduced experienced operators into the Qilin fold.

Qilin’s reported victim count exceeded 200 in Q3 2025. Many of those victims were in North America, but the group also extended its targeting to Europe and Asia. Qilin’s attack rate rose significantly towards the latter part of 2024.

Qilin Levels Up: Next-Gen Payloads and a High-End RaaS Operation

Qilin’s malware is written in advanced programming languages like Rust and C. These programming languages provide high performance, portability, and evasiveness. Additionally, the malware supports the Windows, Linux, and VMware ESXi operating systems. This allows Qilin to infect many enterprise networks.

Qilin promotes itself as a one-stop RaaS platform. Its affiliates get safe-mode execution, anti-forensic log removal, and network propagation. The group also offers negotiation assistance and adaptable ransom prices. Such offerings make Qilin very attractive to cybercriminals who seek higher profits.

LockBit 5.0 – A High-Tech Comeback After Crackdown

LockBit lost much of its infrastructure in early 2024 during the Operation Cronos server seizures. LockBit’s operators were arrested during the sweep, causing the attackers to go dark. However, LockBit’s admin “LockBitSupp” was able to revamp the operations in 2025. LockBit 5.0 was released in September 2025. According to researchers, the variant was rebuilt from the ground up. LockBit 5.0 supports Windows, Linux, and ESXi.

LockBit 5.0 employs improved code-obfuscation techniques to make it difficult for researchers to reverse-engineer the malware. The malware also produces randomly generated 16-character file extensions during the encryption process, and this randomness bypasses many signature-based detection techniques. Additionally, the gang opened a new affiliate platform, which now implements better controls, and introduced a $500 cryptocurrency entrance fee. LockBit 5.0 was used in ransomware attacks against at least a dozen newly compromised firms.
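Because a random extension cannot be matched by a static extension list, one defender-side approach is to key on the rename behaviour itself. The following Python heuristic is an added example, not code from this article or from any vendor: it flags a process that renames many files to random-looking 16-character extensions within a short window. The event tuple format, the thresholds, the assumption that the extension is alphanumeric, and the sample telemetry are all constructed for illustration.

```python
import math
import os
from collections import Counter, defaultdict

EXT_LEN = 16          # extension length reported for LockBit 5.0 in the text above
WINDOW_SECONDS = 10   # assumed sliding window
THRESHOLD = 5         # assumed suspicious renames per process before flagging
MIN_ENTROPY = 3.0     # assumed bits/char floor for a "random-looking" extension


def shannon_entropy(text):
    """Bits per character, computed over the string's own characters."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def is_suspicious_rename(old_path, new_path):
    """True when a file gains or swaps to a random-looking 16-char extension."""
    ext = os.path.splitext(new_path)[1].lstrip(".")
    if len(ext) != EXT_LEN or not ext.isalnum():   # alphanumeric is an assumption
        return False
    if os.path.splitext(old_path)[1].lstrip(".") == ext:
        return False  # extension unchanged, e.g. a plain move between folders
    return shannon_entropy(ext) >= MIN_ENTROPY


def detect_bursts(events):
    """events: (timestamp, pid, old_path, new_path) tuples in time order.
    Returns the pids with >= THRESHOLD suspicious renames in WINDOW_SECONDS."""
    recent = defaultdict(list)
    flagged = set()
    for ts, pid, old, new in events:
        if not is_suspicious_rename(old, new):
            continue
        hits = [t for t in recent[pid] if ts - t <= WINDOW_SECONDS] + [ts]
        recent[pid] = hits
        if len(hits) >= THRESHOLD:
            flagged.add(pid)
    return flagged


# Constructed sample telemetry, not taken from any real incident.
SAMPLE_EVENTS = sorted(
    [(i * 0.5, 4120, f"/srv/docs/f{i}.docx", f"/srv/docs/f{i}.docx.a9Kd03LmQz71XbTe")
     for i in range(6)]
    + [(1.0, 977, "/home/u/report.tmp", "/home/u/report.pdf"),
       (2.0, 977, "/home/u/a.txt", "/home/u/a.txt.bak"),
       (3.0, 300, "/var/b/db.sql", "/var/b/db.sql.Zq81LmX0pT3vRk7d")]
)
```

The detector does not depend on whether every file receives the same extension or a different one, since it counts renames per process rather than matching extension values.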

Ransomware Cartel: LockBit, Qilin, and DragonForce Align

Iran-affiliated LockBit announced in October 2025 that it was partnering with Qilin and DragonForce. The groups decided to collaborate, not engage in conflicts against each other, and share methodologies. This effort is one of the most organized ransomware collaborations to date. LockBit intends to leverage the infrastructure, hosting capabilities, and intelligence of the partnership. Each group’s members also get the opportunity to employ the methods used by the members of the other groups.

LockBit ransomware operators are experiencing mounting international pressure. This new cartel allows them to diversify risks in order to fortify operational security. Experts also think the collaboration allows LockBit to restore its reputation after previous data leaks and arrests. However, experts warn that the new collaboration might soon bring about a huge surge in international ransomware operations. Together, the groups now cover more sectors.

Expanding Targets and Rising Risk for Organizations

There was a 28% increase in ransomware attacks in September 2025. That marked the end of a six-month period during which ransomware attacks had been decreasing. This increase is indicative of the recent resurgence in the top ransomware groups.

LockBit, Qilin, and DragonForce grew beyond the conventional attack hotspots. Qilin attacked victims in Japan, Thailand, and Colombia. LockBit began new campaigns in North America, Europe, and Asia. Such attacks show an increase in geographical diversity.

LockBit 5.0 operators also announced that power plants and the utility sector are now valid targets.

The healthcare industry, financial institutions, the manufacturing sector, and the public sector are now on the receiving end, and less prominent sectors are not safe either.

Conclusion: When Ransomware Evolves, Your Defense Must Be Instant

The resurgence of LockBit, the rise of Qilin, and the formation of a ransomware cartel with DragonForce mark a turning point in the global threat landscape. These groups are faster, more coordinated, more evasive, and more determined than ever — and their cross-platform tooling means no sector, no region, and no organization is off-limits.

Today, every organization is a viable target. These ransomware operations don’t rely on luck or broad targeting; they combine social engineering, credential theft, advanced payloads, log wiping, and rapid lateral movement to break into even the most mature environments. Whether you’re an enterprise, a mid-market company, a critical infrastructure provider, or a regional business, their techniques are designed to bypass traditional defenses, exploit identity systems, and encrypt or exfiltrate data before anyone has time to respond. For organizations without modern protection, the window between compromise and full-scale impact has effectively collapsed.

But for organizations protected by Xcitium’s patented Zero-Dwell platform, these threats lose all meaning. Even the newest ransomware variants are isolated the moment they execute — no encryption, no spread, no disruption. While the rest of the world faces rising risk, Xcitium users operate with confidence, knowing ransomware never gets a chance to act.

Xcitium = No Ransomware.
