Full Report
The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals. The new feature takes the form of a "Call Lawyer" feature on the affiliate panel, per Israeli cybersecurity company Cybereason. The
Analysis Summary
# Threat Actor: Qilin Ransomware Group (RaaS)
## Attribution & Identity
- **Primary Identification:** Qilin Ransomware-as-a-Service (RaaS) operation.
- **Known Aliases:** Gold Feather, Water Galura.
- **Associated Groups:** Evidence suggests affiliates from the defunct RansomHub group have migrated to Qilin.
## Activity Summary
Qilin has shown a marked resurgence, filling the operational gap left by the cessation of groups like LockBit, Black Cat, RansomHub, Everest, and BlackLock.
- **Historical Activity:** Active since October 2022.
- **Recent Campaigns (April/May 2025):**
  - Led victim counts in April 2025 with 72 victims on their leak site.
  - Estimated behind 55 attacks in May 2025.
  - Third most active group since the start of the year, claiming 304 total victims recognized by trackers.
- **Operational Enhancement:** Qilin is positioning itself as a "full-service cybercrime platform," expanding beyond typical ransomware offerings to include spam services, dedicated data storage, and legal counsel for affiliates.
## Tactics, Techniques & Procedures
- **Malware Development:** Payloads built using Rust and C languages, featuring advanced evasion techniques.
- **Affiliate Support:** Provides a mature affiliate panel with features for:
  - Safe Mode execution.
  - Automated network spreading within compromised environments.
  - Automated log cleanup.
  - Automated negotiation tools.
- **Extortion Tactics:** Introduced a "Call Lawyer" feature that provides legal consultation to affiliates; the presence of legal counsel in negotiations can pressure victims into paying higher ransoms to avoid potential legal proceedings.
- **Operational Expansion:** Offers DDoS attack capabilities and a tool for spamming corporate email addresses and phone numbers.
- **Initial Access/Support:** Potential influx of affiliates from RansomHub suggests established initial access capabilities are being integrated.
## Targeting
- **Sectors:** General targeting across corporations, indicated by activities described as "highly targeted, high-impact ransomware attacks designed to demand substantial payouts." Specific sectors are not detailed, but the focus on legal pressure implies targeting entities sensitive to reputational or legal risk.
- **Geography:** Not explicitly detailed, but activity is tracked globally via ransomware leak site statistics.
- **Victims:** Claimed 72 victims in April 2025 and 55 in May 2025. Specific organization names were not mentioned in this context.
## Tools & Infrastructure
- **Malware Families Used:** Qilin Ransomware.
- **Infrastructure:** Operates a technically mature infrastructure, including a dedicated affiliate panel and specialized support services.
- **Specific Tools:** Tool for spamming corporate email addresses/phone numbers; DDoS capabilities.
- **URLs/IPs:** None explicitly mentioned or required to be defanged.
## Implications
Qilin represents a maturing threat in the RaaS landscape due to its strong ecosystem, high level of affiliate support, and diversification into auxiliary criminal services (legal aid, DDoS). By offering comprehensive "full-service" support, Qilin lowers the barrier to entry for affiliates and increases the pressure on victims through non-technical extortion methods (legal threats). Its rise is directly correlated with the decline of several major competing RaaS operations.
## Mitigations
- **Enhance Third-Party Risk Management:** Be aware of operational instability in the cybercrime ecosystem, as affiliates migrate between groups (e.g., RansomHub to Qilin).
- **Ransomware Defense:** Implement robust endpoint detection and response (EDR) capable of detecting Rust/C-based payloads and advanced evasion techniques.
- **Operational Security:** Monitor for signs of network spreading and log manipulation attempts common in mature ransomware operations.
- **Legal/Reputational Defense:** Be prepared for nuanced extortion tactics that may involve legal threats; ensure incident response plans address complex legal and communications strategies alongside technical recovery.
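As an added example of the log-manipulation monitoring recommended above (this code is not from the Cybereason report or from any Qilin tooling), the following Python scans a constructed key=value log feed for two indicators of event-log clearing: the Windows event IDs 1102 (Security log cleared) and 104 (System/Application log cleared), which are real, and process-creation records whose command line invokes a log-clearing utility. It also flags a burst of such events across several hosts within a short window, since automated cleanup of the kind described for the affiliate panel tends to hit many machines within seconds, unlike an administrator clearing one log by hand. The log line format, host names, user names and timestamps are all constructed for this example.

```python
"""Detect event-log clearing in a constructed log feed (added example).

Event IDs 1102 and 104 are real Windows event IDs; the key=value line format,
the hosts, users and timestamps below are constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample feed: one record per line, fields as key=value,
# values containing spaces are double-quoted.
SAMPLE_LOG = [
    'ts=2025-05-12T03:14:05 host=ws-07 event_id=4688 user=jdoe cmdline="wevtutil.exe cl Security"',
    'ts=2025-05-12T03:14:06 host=ws-07 event_id=1102 user=jdoe msg="The audit log was cleared"',
    'ts=2025-05-12T03:14:06 host=ws-12 event_id=1102 user=jdoe msg="The audit log was cleared"',
    'ts=2025-05-12T03:14:07 host=srv-fs01 event_id=4688 user=jdoe cmdline="powershell.exe -c Clear-EventLog -LogName System"',
    'ts=2025-05-12T03:14:07 host=srv-fs01 event_id=104 user=jdoe msg="The System log file was cleared"',
    'ts=2025-05-12T08:30:00 host=ws-03 event_id=4688 user=asmith cmdline="notepad.exe report.txt"',
    'ts=2025-05-12T09:00:00 host=ws-03 event_id=4624 user=asmith msg="An account was successfully logged on"',
]

# Event IDs that directly record a cleared log (real Windows IDs).
EVENT_ID_RULES = {
    "1102": "Security event log cleared (Event ID 1102)",
    "104": "System or Application event log cleared (Event ID 104)",
}

# Command lines that clear logs; matched against process-creation records.
COMMAND_PATTERNS = [
    (re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "wevtutil clear-log"),
    (re.compile(r"\bClear-EventLog\b", re.I), "PowerShell Clear-EventLog"),
]

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class Alert:
    line_no: int
    ts: datetime
    host: str
    reason: str


def parse_line(line: str) -> dict:
    """Split one constructed-format record into a field dictionary."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def scan(lines) -> list:
    """Return one Alert per log-tampering indicator found in the feed."""
    alerts = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        ts = datetime.fromisoformat(f["ts"])
        host = f.get("host", "?")
        eid = f.get("event_id")
        if eid in EVENT_ID_RULES:
            alerts.append(Alert(n, ts, host, EVENT_ID_RULES[eid]))
        cmd = f.get("cmdline", "")
        for pattern, name in COMMAND_PATTERNS:
            if pattern.search(cmd):
                alerts.append(Alert(n, ts, host, name))
    return alerts


def burst_hosts(alerts, window_seconds: int = 60) -> set:
    """Largest set of distinct hosts whose alerts fall inside one time window.

    Many hosts clearing logs within seconds of each other points to automated
    cleanup rather than routine administration.
    """
    events = sorted((a.ts, a.host) for a in alerts)
    best = set()
    for i, (t0, _) in enumerate(events):
        hosts = {h for t, h in events[i:] if (t - t0).total_seconds() <= window_seconds}
        if len(hosts) > len(best):
            best = hosts
    return best


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"line {a.line_no} {a.ts:%H:%M:%S} {a.host}: {a.reason}")
    print("hosts clearing logs within 60 s:", sorted(burst_hosts(found)))
```

Run against the sample feed, the scanner raises five alerts on lines 1 through 5 and reports three hosts (ws-07, ws-12, srv-fs01) clearing logs within the same minute; the benign lines 6 and 7 produce nothing. In a real deployment the same logic would run over Windows Security and System channel exports (or the process-creation telemetry from an EDR), and the burst threshold would be tuned to the environment.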