Qilin ransomware group - SparTech Software

Qilin is a Russian-speaking cybercrime organization and ransomware-as-a-service (RaaS) group that first emerged in July/August 2022, initially operating under the name “Agenda” before rebranding as Qilin. The group is known for its sophisticated and aggressive tactics, targeting organizations across multiple sectors—especially healthcare, manufacturing, education, and critical infrastructure—in countries including the UK, US, Canada, France, Japan, Brazil, and others.

Key Features and Tactics

Qilin provides affiliates with customizable ransomware tools and infrastructure, taking a 15–20% cut of ransom payments. The group exfiltrates sensitive data before encrypting systems, then threatens to release the stolen data unless a ransom is paid—sometimes publishing data even if the ransom is paid. Qilin uses kernel-level exploits, process injection, and Bring-Your-Own-Vulnerable-Driver (BYOVD) methods to bypass and disable security controls.

Initial access it typically gained through compromised VPNs, phishing emails, or exploiting vulnerabilities in exposed services (e.g., Fortinet devices). Persistence achieved via scheduled tasks, group policy manipulation, and registry run key modifications.

Notably, Qilin affiliates can tailor ransomware payloads for specific targets, adjust ransom amounts, and control deployment timing.

US insurance industry warned of uptick in Scattered Spider attacks.
Cybersecurity experts and Google’s Threat Intelligence Group (GTIG) issued urgent warnings to the US insurance industry regarding a surge of cyberattacks believed to be orchestrated by the hacker collective known as Scattered Spider. This group, also tracked as UNC3944, 0ktapus, Muddled Libra, and other aliases, is infamous for sophisticated social engineering campaigns that have previously targeted sectors such as retail, casinos, telecommunications, and financial services in both the US and UK.
Qilin ransomware-as-a-service (RaaS) adds a “call an attorney” feature to pressure victims to pay.
The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme have recently introduced a “Call Lawyer” feature, offering legal counsel to their affiliates as a means to increase pressure on victims during ransom negotiations. This development is part of a broader strategy to make Qilin stand out in the cybercrime marketplace by providing a full suite of services to affiliates, including legal assistance, negotiation support, data storage, DDoS capabilities, and even media support.
Patient’s death officially linked to 2024 ransomware attack that brought down London hospitals.
A patient’s death has been officially confirmed as linked to the June 2024 ransomware attack on Synnovis, a pathology services provider for the UK’s National Health Service (NHS), particularly affecting hospitals in southeast London. The attack was carried out by the Qilin ransomware group and severely disrupted diagnostic and pathology services, including blood testing and transfusion services.
Should you pay the ransomware demands now or a class-action lawsuit later? The decision is not as simple as you may think.
AT&T agreed to a $177 million settlement to resolve class action lawsuits stemming from two major data breaches, far greater than the estimated $800 thousand ransomware demand. So why did AT&T choose to refuse the cybercriminals' demands?
Why are once-dominant ransomware gangs collapsing at such a rapid pace?
The ransomware landscape is experiencing unprecedented turbulence in 2025, characterized by the rapid collapse of once-dominant groups, hostile takeovers, and internal betrayals. This upheaval has exposed deep instability within the cybercriminal ecosystem, as major ransomware-as-a-service (RaaS) outfits such as RansomHub, LockBit, Everest, and BlackLock have faced abrupt shutdowns, operational failures, and even public defacements of their dark web infrastructure. What brought these powerful groups to their knees?

United States	~59% of ransomware attacks globally Thousands per year
Poland	1,000+ per week
Russia	Highest cybercrime threat level
China	Thousands per year
India	115% surge in attacks Q2 2024
Ukraine	Significant surge since 2022
Brazil	Among top countries for blocked attacks
Mexico	65% of businesses hit in 2024
Germany	High targeted rate (EU)
France	High targeted rate (EU)

AS Name	ASN
Bharat Sanchar Nigam Ltd	9829
No.31,Jin-rong Street	4134
CHINA UNICOM China169 Backbone	4837
DigitalOcean, LLC	14061
HUAWEI INTERNATIONAL PTE. LTD.	136907
Amazon.com, Inc.	14618
Alibaba (US) Technology Co., Ltd.	45102
Google LLC	396982
Amazon.com, Inc.	16509
3xK Tech GmbH	200373

IP Address	Notable Exploits/Context
104.238.159.149	SharePoint zero-day, broad exploitation
107.191.58.76	SharePoint zero-day, government targets
96.9.125.147	SharePoint, previously Ivanti exploits
139.162.47.194	Exploits on CitrixBleed 2
38.180.148.215	CitrixBleed 2 campaigns
185.224.128.17	High activity, Netherlands
89.248.163.200	High activity, Netherlands
15.235.218.150	Associated with APT, active C2
45.9.148.114	Associated with C2, malicious netflow
91.107.150.184	C2 infrastructure, recent IoC

Key Features and Tactics

Related