Full Report
In October alone, the suspected Russia-based group added more than 185 victims to its leak site — claiming to be behind recent cybersecurity incidents at Japanese beverage giant Asahi, the Texas city of Sugar Land, a county government in North Carolina and multiple power companies in Texas.
Analysis Summary
# Threat Actor: Qilin Ransomware Gang
## Attribution & Identity
**Identification:** Qilin ransomware gang.
**Attribution:** Suspected Russia-based group.
**Known Aliases and Associated Groups:** No aliases are listed in the source. The group operates under a Ransomware-as-a-Service (RaaS) business model, has existed since July 2022, and expanded operations significantly in 2025.
## Activity Summary
Qilin has been one of the most active cybercriminal operations in 2025, listing hundreds of victims. In October alone, the group added over 185 victims to its leak site. It operates via a RaaS model, which has allowed for rapid scaling, and has recently increased its ransom demands. Despite facing law enforcement scrutiny last year following an attack on a British healthcare company, it quickly resurfaced with attacks on other high-profile entities.
## Tactics, Techniques & Procedures
- **Initial Access:** Attackers frequently utilized **stolen administrative credentials found on the dark web** to gain access to VPNs.
- **Operational Method:** Operates as a Ransomware-as-a-Service (RaaS) enterprise.
- **Data Extortion:** Publishes victim information on a leak site.
## Targeting
- **Sectors:** Manufacturing (nearly a quarter of attacks), Professional and Scientific Services (18%), Wholesale Trade (10%), Local Governments, and Hospitals.
- **Geography:** Approximately half of the recorded attacks targeted the **U.S.**. Other significantly targeted regions include France, Canada, South Korea, and Spain.
- **Victims:**
- Japanese beverage giant **Asahi**
- **Texas city of Sugar Land**
- A **county government in North Carolina** (Catawba County mentioned indirectly)
- Multiple **power companies in Texas**
- **Kuala Lumpur International Airport** (demanded $10 million ransom)
- **Cleveland’s Municipal Court** (demanded $4 million ransom)
- A **British healthcare company**
- Government of **Palau** (Health Ministry mentioned in relation to recovery)
- One of the largest **newspaper chains in the United States**
## Tools & Infrastructure
- **Malware Families Used:** Qilin ransomware.
- **Infrastructure (C2, domains, IPs):** No command-and-control infrastructure (IPs or domains) is reported in the source.
## Implications
The shift to a RaaS model has enabled Qilin to significantly scale its operations, resulting in hundreds of publicly listed victims in 2025 across critical sectors, including energy, government, and manufacturing. The group demonstrates persistence, quickly recovering after previous law enforcement pressure. Its success suggests high adaptability and an effective affiliate recruitment and operations framework built on RaaS partnerships.
## Mitigations
- **Credential Management:** Implement strict monitoring and mandatory multi-factor authentication (MFA) on all VPNs and administrative accounts. Actively monitor the dark web for the sale of organizational credentials.
- **Sectoral Defense:** Organizations in Manufacturing, Professional Services, and Municipal Government should prioritize hardening security controls given the group's established targeting profile.
- **Incident Response:** Maintain tested ransomware response plans capable of dealing with large-scale data exfiltration and encryption scenarios.
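As an added example (not part of the report and not Qilin tooling), the following Python detector illustrates the credential-monitoring mitigation against the initial-access pattern described above: it parses constructed VPN authentication log lines and flags privileged accounts that authenticated without MFA, plus any account that successfully connected from more than one country. The log format, the "admin" naming convention for privileged accounts, and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample VPN authentication log lines (not from any real incident).
SAMPLE_LOGS = """\
2025-10-03T01:12:44Z vpn-gw1 auth user=admin.backup result=success mfa=no src=203.0.113.10 geo=RO
2025-10-03T01:13:02Z vpn-gw1 auth user=jsmith result=success mfa=yes src=198.51.100.7 geo=US
2025-10-03T01:15:19Z vpn-gw1 auth user=svc-vmware-admin result=failure mfa=no src=203.0.113.10 geo=RO
2025-10-03T01:15:25Z vpn-gw1 auth user=svc-vmware-admin result=success mfa=no src=203.0.113.10 geo=RO
2025-10-03T02:40:08Z vpn-gw1 auth user=jsmith result=success mfa=yes src=192.0.2.44 geo=FR
2025-10-03T02:40:09Z vpn-gw1 auth user=jsmith result=success mfa=yes src=198.51.100.7 geo=US
"""

# Assumed key=value log layout; adjust the pattern to the real VPN gateway format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>yes|no) src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)

# Hypothetical naming convention: privileged accounts contain "admin".
def is_admin_account(user: str) -> bool:
    return "admin" in user.lower()

def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_suspicious_logins(log_text: str):
    """Return alerts for (a) successful admin VPN logins without MFA and
    (b) accounts that successfully authenticated from more than one country."""
    alerts = []
    countries = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["result"] != "success":
            continue  # ignore unparsable lines and failed attempts
        if is_admin_account(ev["user"]) and ev["mfa"] == "no":
            alerts.append(("admin_no_mfa", ev["user"], ev["src"]))
        countries[ev["user"]].add(ev["geo"])
    for user, geos in countries.items():
        if len(geos) > 1:
            alerts.append(("multi_country", user, ",".join(sorted(geos))))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOGS):
        print(*alert)
```

Failed attempts are deliberately skipped here; in production they should feed a separate brute-force or credential-stuffing rule rather than be discarded.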