Bottom line: Ransomware groups collaborate through partnerships and shared infrastructure, increasing their attack capacity and intensifying threats to critical sectors.
Cybercriminals are increasingly organizing themselves in coordinated networks rather than operating in isolation. The cybersecurity company aDvens documents in its Threat Status Report 2025/2026 strategic partnerships and shared technical infrastructure that make attacks more efficient.
Organizational structures in the ransomware ecosystem are changing fundamentally. Rather than operating independently, established groups are forming strategic partnerships and collaborating in division-of-labor networks. The group Qilin recorded an average of approximately 75 documented victims per month in 2025. Other active groups such as SafePay and WorldLeaks are, according to aDvens, part of these strategic collaborations. The collective “Scattered LAPSUS$ Hunters” combines capabilities from multiple known groups and is attributed to internationally operating enterprises.
Beyond traditional collaborations, a new organizational form with cartel-like characteristics is emerging. The example of DragonForce demonstrates an innovative model: rather than offering pure ransomware-as-a-service, DragonForce provides its partners with shared technical infrastructure, including servers, payment services and campaign management tools. The participating groups retain their organizational independence but utilize the same technical resources. This model is said to be particularly attractive to former members of established ransomware groups.
Healthcare facilities, financial and retail sectors, as well as government institutions are the focus of these coordinated attack waves. Through intensified collaboration, cybercriminals can prepare attacks more quickly, execute them, and share their infrastructure more efficiently. According to aDvens, this professionalization leads to an elevated threat level for companies, authorities and operators of critical infrastructure. The division-of-labor structures make future attacks potentially more economically viable and operationally more capable.
Source: www.it-daily.net · Published 1 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.