Qilin ransomware emerging as one of 2025's most prolific cybercrime operations

The Qilin ransomware group has emerged as one of the most active and disruptive ransomware operations of 2025, claiming hundreds of victims across healthcare, finance, staffing, and manufacturing. First observed in 2022 and run as a Ransomware-as-a-Service (RaaS) platform, Qilin has grown sharply, more than doubling its monthly victim disclosures between January and April 2025. Its collaboration with other major cybercrime syndicates, its technical capability, and its deliberate targeting of critical infrastructure make it a priority threat for organizations worldwide, particularly in healthcare, where an attack has been linked to at least one patient death.


Origins and evolution

Qilin, also known as Agenda ransomware, first appeared in the cybercrime landscape in July 2022, though the group's own dark web leak site claims operations began in 2021.

The operation functions as a Ransomware-as-a-Service platform, a business model where ransomware developers create malicious software and supporting infrastructure, then lease these tools to affiliates who conduct actual attacks. Profits from successful extortions are split between developers and affiliates, creating a scalable criminal enterprise that combines technical sophistication with distributed operational capacity.

According to Cybernews' Ransomlooker surveillance tool, Qilin has listed 991 victims since 2023, with a dramatic acceleration in 2025. The disclosure counts show the trajectory: from July 2024 through January 2025, monthly victim counts never exceeded 23. February 2025 then saw 48 disclosures, March recorded 44, and April peaked at 72, making Qilin the highest-ranked ransomware group for that month, ahead of established operations including Akira, Play, and Lynx.


Operational model and tactics

Qilin employs the double-extortion model that has become standard among mature ransomware operations: affiliates first exfiltrate sensitive data from the victim network, then deploy the encryptor to take systems offline. The victim is then pressured on two fronts, paying for decryption keys to restore access and paying to prevent publication of the stolen data.

S-RM research found that 88% of observed Qilin cases in 2025 involved both data theft and file encryption, with stolen information published on dark web leak sites when ransom demands went unmet. The Synnovis NHS attack exemplifies this approach: when the pathology provider refused to pay, Qilin published approximately 400GB of stolen patient data, including sensitive medical test results for sexually transmitted infections and cancer diagnoses.

Beyond traditional dark web leak sites, Qilin has expanded its extortion channels to include Telegram and public platforms such as WikiLeaksV2, increasing pressure on victims through broader exposure of compromised data.


Initial access vectors

Qilin affiliates consistently exploit fundamental security weaknesses to gain initial network access. S-RM's intelligence identifies three primary attack vectors:

  • Unpatched VPN appliances: Affiliates target known vulnerabilities in remote access infrastructure that organizations have failed to patch
  • Lack of multi-factor authentication: Single-factor authentication on remote access tools provides easy entry points
  • Exposed management interfaces: Publicly accessible administrative interfaces enable direct access to critical systems

Once inside victim networks, Qilin affiliates employ valid account credentials and phishing techniques to establish persistence and move laterally.
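The credential-driven lateral movement described above leaves a detectable footprint: a single account authenticating to many distinct hosts in a short period. The following Python is an added example written for this article (not code from S-RM, Cybernews, or any Qilin case) that flags such fan-out over constructed logon records. The log lines, host names, 30-minute window and five-host threshold are all assumptions for illustration; tune them to your own environment's baseline.

```python
"""Flag accounts that authenticate to many distinct hosts within a short window.

Added example, not from the original article. The sample log is constructed:
each line is <UTC timestamp> <account> <source host> <destination host> for a
successful network logon, as a SIEM might export it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real data). svc_backup fans out across six
# hosts in ~11 minutes; j.doe and da_admin show ordinary activity.
SAMPLE_LOG = """\
2025-04-02T01:02:11Z j.doe      WS-104  FS-01
2025-04-02T01:48:30Z j.doe      WS-104  MAIL-01
2025-04-02T02:10:05Z svc_backup WS-017  FS-01
2025-04-02T02:11:40Z svc_backup WS-017  FS-02
2025-04-02T02:13:02Z svc_backup WS-017  DC-01
2025-04-02T02:15:27Z svc_backup WS-017  SQL-01
2025-04-02T02:18:55Z svc_backup WS-017  APP-03
2025-04-02T02:21:19Z svc_backup WS-017  HV-02
2025-04-02T03:00:00Z da_admin   JUMP-01 DC-01
2025-04-02T03:05:00Z da_admin   JUMP-01 DC-02
2025-04-02T03:09:00Z da_admin   JUMP-01 FS-01
2025-04-02T07:30:00Z j.doe      WS-104  FS-01
"""


def parse_log(text):
    """Parse the whitespace-separated log into sorted (time, account, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, account, src, dst))
    events.sort()  # sliding window below assumes chronological order
    return events


def detect_fan_out(events, window=timedelta(minutes=30), threshold=5):
    """Return {account: (window_start, trigger_time, sorted_hosts)} for every
    account that reaches `threshold` distinct destination hosts inside `window`.

    Window and threshold are assumed values for the example; a real deployment
    would derive them from the account's historical baseline.
    """
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev[1]].append(ev)

    alerts = {}
    for account, evs in by_account.items():
        recent = deque()  # (time, dst) pairs inside the current window
        for when, _, _src, dst in evs:
            recent.append((when, dst))
            # Drop entries older than the window relative to the newest event.
            while recent and when - recent[0][0] > window:
                recent.popleft()
            hosts = {d for _, d in recent}
            if len(hosts) >= threshold:
                alerts[account] = (recent[0][0], when, sorted(hosts))
                break  # one alert per account; analysts pull the full trail from the SIEM
    return alerts


if __name__ == "__main__":
    for account, (start, end, hosts) in detect_fan_out(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {account}: {len(hosts)} hosts between {start:%H:%M} and {end:%H:%M}: {', '.join(hosts)}")
```

On the constructed sample only `svc_backup` trips the default threshold; lowering it to three also catches `da_admin`, which illustrates why the threshold should be tied to what is normal for each account class (backup and domain-admin accounts legitimately touch more hosts than an ordinary user) rather than set globally.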


Victim profile and geographic distribution

Qilin demonstrates clear preferences for sectors that store sensitive information and face severe consequences from operational disruptions.

Healthcare remains a primary target, with attacks on NHS partner Synnovis, pharmacy benefits manager MedImpact Healthcare Systems, Japan's Utsunomiya cancer treatment center, and Israel's Shamir Medical Center. The healthcare focus reflects both the sector's valuable patient data and organizations' willingness to pay ransoms to restore critical services.

Financial services victims include Switzerland's Habib Bank AG Zurich (2.5 TB of data including passport numbers and account balances) and numerous smaller institutions. Utilities have also been hit, including the Texas electric cooperatives San Bernard Electric and Karnes Electric.

Staffing and recruitment agencies represent an emerging target category, exemplified by the Cornerstone Staffing Solutions attack that allegedly exposed 120,000 resumes and over 1 million company files containing Social Security numbers and personal information.

Manufacturing and technology victims span automotive supplier Yanfeng, Asahi Holdings (Japan's largest beer producer), Volkswagen Group France, South Korean telecommunications giant SK Telecom, and Nissan's Creative Box design studio.


Geographic distribution

Cybernews research analyzing Qilin's victim roster reveals clear geographic patterns:

  • United States: 375 attacks (highest concentration)
  • France: 41 attacks
  • Canada: 39 attacks
  • South Korea: 33 attacks
  • Spain: 26 attacks

Additional confirmed attacks have occurred in the Netherlands, Brazil, India, Philippines, United Kingdom, UAE, Hong Kong, Kenya, Switzerland, and Japan, demonstrating the group's global reach.


Scale and impact

Cybernews research summarizes Qilin's cumulative impact as follows:

  • 116 terabytes of total data exfiltrated across all attacks
  • 780,000+ records exposed in confirmed attacks
  • 991 total victims listed since 2023
  • 500+ attacks in the most recent six months covered by the analysis

These figures represent only publicly disclosed incidents where victims appear on Qilin's leak site. Organizations that pay ransoms or successfully negotiate without public disclosure do not appear in these statistics, meaning actual victim counts likely exceed reported numbers.


FAQs

What is data exfiltration? 

Data exfiltration refers to the unauthorized transfer of sensitive information from a victim’s network to the attacker’s servers. 


What are dark web leak sites? 

These are websites operated by ransomware groups on the dark web where they publish stolen data if victims refuse to pay. 


What does lateral movement mean? 

Lateral movement is when attackers, once inside a network, move from one system to another to expand their access.