The group positions itself “not just as a ransomware group, but as a full-service cybercrime platform”, according to Cybereason
# Threat Actor: Qilin (Ransomware Group)
## Attribution & Identity
**Identification:** Ransomware-as-a-Service (RaaS) group.
**Known Aliases and Associated Groups:** Qilin. No other aliases are given in the source. The article discusses Qilin alongside groups now in decline (LockBit, RansomHub, Everest, BlackLock) as competitors whose disruption it has benefited from, not as affiliated operations.
## Activity Summary
Qilin has been active since October 2022 and steadily built its reputation through the first half of 2025 while several previously dominant ransomware groups were disrupted. As of mid-2025 it ranks as the third most active ransomware operation by claimed victims, behind only Akira and Cl0p, with 291 claims identified by Ransomware.live. Qilin stands out for the range of features it offers its affiliates rather than for its victim count alone.
## Tactics, Techniques & Procedures
The article highlights services offered to affiliates rather than specific technical TTPs; the core operation is Ransomware-as-a-Service (RaaS).
- A "Call Lawyer" function that affiliates can invoke during ransom negotiations, presented as legal consultation intended to increase pressure on the victim.
- The standard RaaS model: the core group maintains the payload, infrastructure and leak site, while affiliates carry out intrusions and share the proceeds.
- Activity is tracked through victim claims posted on the group's public data leak site.
- **Note:** Specific intrusion TTPs (initial access, lateral movement, exfiltration, encryption behaviour) are not detailed in this excerpt.
## Targeting
- **Sectors:** Various industries; the source describes targeting only in general terms.
- **Geography:** Not explicitly stated; the victim counts cited are global totals from leak-site tracking.
- **Victims:** 291 claimed victims identified as of mid-2025. No specific organizations are named in this excerpt.
## Tools & Infrastructure
- **Malware Families Used:** Qilin ransomware (the RaaS payload). No sample hashes or variant details are given in this excerpt.
- **Infrastructure (C2, domains, IPs):** A public data leak site, used by researchers and aggregators to track claimed victims. No IPs or domains are provided in the source, so none are listed here.
## Implications
Qilin is emerging as a significant player in the fragmented 2025 ransomware landscape, filling the gap left by disrupted major groups. Its offer of legal consultation to affiliates suggests an operation focused on maximizing pressure on victims during negotiations and, by extension, on raising affiliate payout rates, which in turn makes the platform more attractive to experienced affiliates displaced from other groups.
## Mitigations
- Prepare for negotiation pressure tactics before an incident: engage legal counsel and an incident response provider in advance, and route any contact with the actor through them rather than responding to affiliate threats or legal claims ad hoc.
- Monitor Qilin's data leak site, directly or through an aggregator such as Ransomware.live, for claims naming your organization or your suppliers. A claim can appear before the victim has confirmed an intrusion, so a match should trigger an investigation, not just a notification.
- Specific technical mitigations are not provided in the source text; standard ransomware controls (offline and tested backups, MFA on all remote access, EDR coverage, least privilege on service accounts) apply.
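As an added example of the leak-site monitoring described above (this is not code from the Cybereason report or from Ransomware.live), the script below takes a constructed JSON feed of leak-site claims, collapses duplicate postings of the same victim, ranks groups by unique victim count, and alerts on victims that match a supplier watchlist while suppressing repeat alerts across polling cycles. The feed schema, the group and victim names, and the `WATCHLIST` entries are all assumptions made for illustration; an actual aggregator's field names will differ and should be checked against its documentation.

```python
"""Watchlist matching over a ransomware leak-site claims feed (added example).

The feed schema below is a constructed illustration, not the schema of
Ransomware.live or of any leak site. Map the field names to whatever source
you actually poll.
"""
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample feed: these are not real claims or real victims.
SAMPLE_FEED = json.dumps([
    {"group": "qilin", "victim": "Example Logistics Ltd.", "discovered": "2025-06-02T09:14:00Z"},
    {"group": "akira", "victim": "Contoso Dental", "discovered": "2025-06-02T11:30:00Z"},
    # Same victim reposted with different casing/punctuation; must dedupe to one claim.
    {"group": "Qilin", "victim": "example-logistics ltd", "discovered": "2025-06-03T08:00:00Z"},
    {"group": "cl0p", "victim": "Fabrikam Inc", "discovered": "2025-06-03T10:00:00Z"},
    {"group": "qilin", "victim": "Northwind Traders", "discovered": "2025-06-04T12:00:00Z"},
])

# Constructed watchlist: our own organization plus a supplier (assumed names).
WATCHLIST = ["Example Logistics Ltd", "Northwind Traders GmbH"]


def normalize(name):
    """Fold case, strip punctuation and common legal suffixes so that
    'Example Logistics Ltd.' and 'example-logistics ltd' compare equal."""
    s = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    s = re.sub(r"\b(ltd|inc|llc|gmbh|plc|corp|co)\b", " ", s)
    return " ".join(s.split())


def parse_feed(raw):
    """Parse the feed and normalize each claim. Malformed entries are skipped
    rather than aborting the whole poll, since feeds are scraped and messy."""
    claims = []
    for entry in json.loads(raw):
        try:
            claims.append({
                "group": entry["group"].lower(),
                "victim": normalize(entry["victim"]),
                "victim_raw": entry["victim"],
                "discovered": datetime.fromisoformat(entry["discovered"].replace("Z", "+00:00")),
            })
        except (KeyError, ValueError, AttributeError, TypeError):
            continue
    return claims


def unique_claims(claims):
    """Collapse repeated postings of the same (group, victim) pair, keeping
    the earliest discovery time so 'first seen' is stable across polls."""
    first = {}
    for c in sorted(claims, key=lambda c: c["discovered"]):
        first.setdefault((c["group"], c["victim"]), c)
    return list(first.values())


def rank_groups(claims, since=None):
    """Unique victims per group, most active first; `since` limits the
    count to claims first discovered at or after that datetime."""
    counts = Counter()
    for c in unique_claims(claims):
        if since is None or c["discovered"] >= since:
            counts[c["group"]] += 1
    return counts.most_common()


def watchlist_hits(claims, watchlist, groups=None):
    """Claims whose normalized victim name matches a watchlist entry.
    `groups` optionally restricts matching to named operators."""
    wanted = {normalize(w) for w in watchlist}
    return [c for c in unique_claims(claims)
            if (not groups or c["group"] in groups) and c["victim"] in wanted]


def check(raw_feed=SAMPLE_FEED, watchlist=WATCHLIST, seen=None):
    """One polling cycle: parse, match, and alert only on (group, victim)
    pairs not already in `seen`. Returns (alert lines, updated seen set)."""
    seen = set(seen or ())
    alerts = []
    for c in watchlist_hits(parse_feed(raw_feed), watchlist):
        key = (c["group"], c["victim"])
        if key not in seen:
            seen.add(key)
            alerts.append(f"{c['discovered'].date()} {c['group']} claims {c['victim_raw']}")
    return alerts, seen


if __name__ == "__main__":
    for group, n in rank_groups(parse_feed(SAMPLE_FEED)):
        print(f"{group:<8}{n}")
    alerts, state = check()
    print("\n".join(alerts))
    # A second poll of the same feed with the saved state raises no repeat alerts.
    print("repeat alerts:", check(seen=state)[0])
```

In a real deployment the `seen` set would be persisted between polls, and the `since` cutoff in `rank_groups` is what lets you reproduce a "most active this half-year" ranking of the kind cited from Ransomware.live rather than an all-time total. The name normalization is deliberately aggressive; tune the suffix list to your watchlist, and treat a match as a trigger for investigation rather than proof of compromise, since leak-site claims are sometimes exaggerated or misattributed.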