Qilin Ate the Ransomware Throne: Inside the Gang That Outpaced LockBit and Left a Body Count

A ransomware group you probably couldn't name 18 months ago just posted 1,044 victims in a single year, a 578% spike over 2024. They contributed to a patient's death at a London hospital. They claim to have stolen 31.2 petabytes of data. They absorbed the affiliates of every major gang that collapsed or was disrupted by law enforcement. And by mid-January 2026, they had already posted 55 new victims to their leak site. Qilin isn't coming. Qilin is here, and they are running the table.

There's a pattern in ransomware that keeps repeating: law enforcement takes down the biggest gang, the industry celebrates, and then something worse fills the vacuum. It happened when DarkSide collapsed after Colonial Pipeline. It happened when ALPHV/BlackCat, already disrupted by the FBI in December 2023, exit-scammed its own affiliates. It happened when LockBit got disrupted by Operation Cronos. And now it's happened again. Except this time, the thing that filled the vacuum isn't just bigger. It's faster, meaner, and completely indifferent to whether its victims live or die.

Meet Qilin.

The Numbers That Should Scare You

GuidePoint Security's GRIT 2026 Ransomware & Cyber Threat Report, released in January 2026, painted a picture that should make every CISO lose sleep. Ransomware victims increased 58% year-over-year in 2025, with 7,515 total victims posted to data leak sites across the entire ecosystem. Q4 2025 alone saw 2,287 victims — the largest single quarter ever tracked. December 2025 was the most active month on record with 814 attacks.

"The rise of Qilin as the most active group we've ever tracked — surpassing even LockBit at its peak — underscores how the ecosystem is evolving." — Jason Baker, Lead Threat Analyst, GuidePoint Security, GRIT 2026 Ransomware & Cyber Threat Report (January 2026)

Read that again. Surpassing LockBit at its peak. LockBit, the gang that at one point was responsible for nearly a third of all ransomware incidents globally. Qilin blew past them. In 2025, Qilin posted over 1,000 victims to its leak site at a sustained pace of more than 40 per month, spiking to roughly 100 listings in June 2025 alone. According to Comparitech's year-end analysis, Qilin accounted for 14% of all ransomware attacks recorded in 2025. They also claimed to have exfiltrated 31.2 petabytes of data, the vast majority from a single U.S. manufacturer — a claim that, while unverified, would make it the largest single data theft in ransomware history if true.

And GRIT tracked 124 distinct ransomware groups operating in 2025, a 46% jump from 2024. The ecosystem isn't consolidating. It's fragmenting and accelerating simultaneously.

By the Numbers: Qilin in 2025

- 1,044 victims posted to the leak site (578% YoY increase)
- 800+ victims across 50+ countries (a partial-year count taken during 2025, superseded by the 1,044 full-year total)
- 40+ victims per month sustained pace in H2 2025
- 31.2 PB of claimed data exfiltration
- $50M+ in ransom payments collected in 2024 alone
- Most targeted sectors: manufacturing (23%), professional services (18%), wholesale (10%)

From Agenda to Apex Predator

Qilin didn't start as a household name, even in cybersecurity circles. The operation first surfaced in mid-2022 under the name "Agenda" — a Golang-based ransomware that was competent but unremarkable. Within months, the developers rebranded to Qilin and made a critical decision: they rewrote the payload in Rust, giving it cross-platform capabilities to hit both Windows and Linux targets. That single architectural choice put them ahead of half the ransomware ecosystem.

By late 2023, Qilin was carving out a niche by targeting VMware ESXi infrastructure, the hypervisor layer that underpins most enterprise virtualization. Encrypt the ESXi host's datastores and you take out every virtual machine running on it: smart targeting, minimal effort, maximum devastation. In 2024 they expanded again, harvesting credentials saved in Chrome browsers (in one intrusion Sophos documented in August 2024, by pushing a PowerShell script to endpoints through Group Policy) and sharpening their encryption and evasion tooling. According to Qualys threat research published in June 2025, Qilin amassed over $50 million in ransom payments in 2024 alone.

But the real inflection point came in April 2025 when RansomHub, the dominant RaaS operation of the previous three quarters, suddenly went dark. According to the CIS Multi-State Information Sharing and Analysis Center (MS-ISAC), open-source reporting from GBHackers, The Hacker News, and Qualys indicated that many former RansomHub affiliates migrated directly to Qilin's platform. In Q1 2025, Qilin accounted for just 9% of ransomware incidents reported to the MS-ISAC. By Q2, that share had nearly tripled to 24%.

"While overall activity has stabilized, the number of distinct ransomware groups has surged to a record 77 — highlighting both the consolidation of skilled operators within major RaaS platforms and the ongoing churn of emerging or lower-skill actors entering the ecosystem." — Nick Hyatt, Senior Threat Intelligence Analyst, GuidePoint Security, Q3 2025 Ransomware & Cyber Threat Report (October 2025)

This is the new ransomware economics: law enforcement knocks out the leaders, and the most competent operators just migrate to whoever's running the best platform. Qilin was ready for them.

The NHS Attack: When Ransomware Kills

On June 3, 2024, Qilin hit Synnovis, a London-based pathology services provider that processes blood tests for multiple NHS trusts. The attack crippled diagnostic services across Guy's and St Thomas' NHS Foundation Trust, King's College Hospital, the Royal Brompton, Evelina London Children's Hospital, and GP surgeries across six London boroughs. Over 10,000 outpatient appointments were disrupted. 1,710 elective procedures were postponed. A nationwide shortage of O-negative blood followed because hospitals lost the ability to perform routine blood matching.

"We believe it is a Russian group of cyber criminals who call themselves Qilin. They're simply looking for money. It's unlikely they would have known that they would have caused such serious primary healthcare disruption when they set out to attack the company." — Professor Ciaran Martin, former CEO of the UK National Cyber Security Centre, speaking on BBC Radio 4's Today Programme (June 5, 2024)

The gang demanded $50 million to prevent the release of approximately 400GB of healthcare data. When Synnovis refused to pay, Qilin dumped the data onto their darknet site and Telegram channel — patient names, dates of birth, NHS numbers, and blood test results, including STD and cancer screening results for an estimated 900,000 individuals.

But here's the part that should haunt you: in June 2025, King's College Hospital NHS Foundation Trust confirmed that a patient died during the attack. The trust's own safety investigation identified a long wait for a blood test result, attributable to the cyberattack, as one of several contributing factors in the death.

"We are deeply saddened to hear that last year's criminal cyberattack has been identified as one of the contributing factors that led to this patient's death. Our hearts go out to the family involved." — Mark Dollar, CEO of Synnovis, statement to The Record (June 2025)

The South East London Integrated Care Board reported 170 total cases of patient harm linked to the attack, including two classified as severe with long-term or permanent damage. Dr. Saif Abed, a former NHS doctor, told the Financial Times that he believed more patients had died due to data breaches than official reports indicated.

Qilin's response? They told the BBC they were "sorry" but refused to accept blame, framing their actions as a political statement. That's the caliber of human being you're dealing with here.

Healthcare Is Ground Zero

According to GuidePoint Security's GRIT 2026 report, Qilin has claimed more healthcare victims than any other ransomware group. The Synnovis attack alone caused over $40 million in losses. Healthcare ranked fourth overall in targeted sectors, with more than 500 ransomware victims across all groups in 2025.

Under the Hood: How Qilin Actually Works

Qilin operates as a Ransomware-as-a-Service platform, meaning the core development team builds and maintains the malware, infrastructure, and affiliate portal while affiliate operators execute the actual attacks. The developers provide a configurable payload that affiliates can customize per target — including choosing which processes to kill, setting custom encrypted file extensions, and selecting encryption parameters. According to Cisco Talos, who responded to multiple Qilin incidents throughout 2025, the attack flow typically proceeds from VPN compromise through lateral movement to full encryption.

Initial Access

Qilin affiliates get in through the usual doors, but they're getting better at it. Common vectors include phishing and spear-phishing campaigns (increasingly AI-enhanced for language and personalization), exploitation of public-facing applications like unpatched Fortinet firewalls (CVE-2024-21762 and CVE-2024-55591), exposed RDP services, and compromised VPN credentials found on dark web marketplaces. In one incident documented by Cisco Talos, leaked administrative credentials appeared on the dark web, and approximately two weeks later, NTLM authentication attempts began hitting the victim's VPN — a direct pipeline from infostealer logs to ransomware deployment.

Perhaps most alarming, threat intelligence firm PRODAFT reported in June 2025 that Qilin-linked actors were actively exploiting CVE-2025-31324, a CVSS 10.0 vulnerability in SAP NetWeaver Visual Composer, before it was publicly disclosed. Incident response firm OP Innovate independently corroborated this assessment. Zero-day exploitation puts Qilin in a different tier from the spray-and-pray operators.

In April 2025, Qilin affiliates also compromised a managed service provider through phished ScreenConnect credentials and used that access to launch downstream ransomware attacks on the MSP's customers — the classic supply chain play that multiplies a single intrusion into dozens of victims.

Encryption and Evasion

The 2025 Qilin payloads brought significant technical upgrades. According to Vectra AI's analysis, the latest variants use AES-256-CTR for bulk file encryption, with the per-file symmetric key wrapped under the operators' RSA public key using OAEP padding (so the wrapped key can be neither recovered nor tampered with without the private key, which the payload never needs to carry), AES-NI hardware acceleration that makes file encryption on modern CPUs close to I/O-bound, and ChaCha20 as an alternative stream cipher for certain communications and file types. This is textbook hybrid encryption done correctly: decryption without the operators' private key is computationally infeasible, so recovery depends on backups, not on cryptanalysis.

On the evasion side, Qilin brings serious anti-forensics capabilities: Bring Your Own Vulnerable Driver (BYOVD) techniques to kill EDR processes, Safe Mode reboots to disable security software before encryption begins, deletion of Volume Shadow Copies to prevent recovery, clearing of Windows event logs, and self-deletion of the payload post-encryption.

But the technique that earned the most attention in 2025 was genuinely creative: running Linux encryptors on Windows hosts. SOCRadar documented Qilin operators enabling or installing Windows Subsystem for Linux (WSL) on compromised Windows machines, then executing an ELF binary encryptor inside the WSL environment. Many Windows EDR agents have little visibility into what runs inside WSL, so an ELF encryptor there attracts far less scrutiny than a PE binary dropped on the host, even though the enabling steps (the wsl.exe invocation, the optional-feature install, the LxssManager service start) are all visible from the Windows side. That's the kind of lateral thinking that separates a mature RaaS operation from script kiddies.

# Qilin attack chain (simplified from Cisco Talos IR findings)
1. Obtain leaked VPN credentials from dark web
2. NTLM auth attempts against victim VPN
3. Establish foothold via RDP/VPN
4. Deploy Cobalt Strike and Splashtop for C2 and persistence
5. Credential harvesting (NTDS.dit dump, Mimikatz, etc.)
6. Lateral movement via PsExec, SSH, RDP
7. Exfiltrate data to attacker-controlled cloud storage with Cyberduck or WinSCP
8. Disable EDR via BYOVD
9. Delete Volume Shadow Copies (vssadmin.exe)
10. Deploy Qilin payload — encrypt everything
11. Drop ransom note, self-delete payload

The Affiliate Vacuum Cleaner

Understanding Qilin's rise requires understanding the ecosystem dynamics that fed it. In February 2024, Operation Cronos disrupted LockBit. ALPHV/BlackCat pulled an exit scam on its own affiliates in March 2024 after collecting the Change Healthcare ransom. RansomHub rose to fill that gap, dominating Q3 and Q4 2024 and Q1 2025. Then RansomHub abruptly went dark in April 2025.

Each time a major RaaS platform collapsed, the skilled affiliates — the people who actually execute attacks — needed somewhere to go. And these aren't loyal operators. They've already demonstrated they'll leave any platform that shows instability. Qilin was ready with a mature platform, competitive revenue splits (affiliates reportedly keep 80 to 85 percent of each payment, according to Group-IB's 2023 look inside the affiliate panel), a feature-rich affiliate panel, and constant payload updates.

"Newer groups such as SafePay demonstrate how even small, insular actors can thrive by staying under the radar. This 'new normal' isn't a reason for complacency — it underscores the need for sustained vigilance in an increasingly fragmented threat landscape." — Nick Hyatt, Senior Threat Intelligence Analyst, GuidePoint Security, Q3 2025 Ransomware & Cyber Threat Report (October 2025)

The result is a ransomware ecosystem that's simultaneously more fragmented (124 named groups in 2025, up 46% from 2024) and more concentrated at the top (Qilin and Akira absorbing the lion's share of experienced affiliates). It's the worst of both worlds for defenders: you face a wider variety of TTPs from the long tail while the most dangerous operations are getting more capable, not less.

Qilin's affiliate model also drives the diversity of their targeting. Because affiliates choose their own victims, Qilin's footprint spans every sector. Manufacturing took the biggest hit at 23% of all Qilin listings, followed by professional services (18%) and wholesale trade (10%). But healthcare, education, government, finance, and critical infrastructure all feature prominently. The "Korean Leaks" operation in September 2025, documented by SOCRadar, saw Qilin-linked affiliates hit at least 25 South Korean financial firms in a single month through a compromised managed service provider. No sector is safe. No geography is exempt.

What 2026 Looks Like

As Christine Barry, Senior Chief Cybersecurity Storyteller at Barracuda, noted in a January 2026 analysis, Qilin showed no signs of slowing down entering the new year. By mid-January 2026, they had already posted 55 victims to their leak site, ahead of their 2025 pace. The GRIT 2026 report explicitly states that high ransomware activity levels are expected to persist through 2026.

But Qilin's aggressive posture is a double-edged sword. History shows that the most prolific ransomware groups eventually attract the kind of heat that kills them. DarkSide collapsed after Colonial Pipeline drew the full attention of the U.S. government. Conti imploded after picking sides in the Russia-Ukraine conflict. The Synnovis attack, with its confirmed patient death, nearly 600 reported safety incidents (170 of them involving patient harm), and 900,000 compromised records, is exactly the kind of high-profile carnage that mobilizes a coordinated international law enforcement response.

New threats are emerging too. GuidePoint flagged Sinobi, a group that appeared in mid-2025 and immediately began targeting healthcare with the tempo of an established operation, not a startup. GRIT noted that the group's rapid acceleration suggests it's either a rebrand of an existing group or is staffed by highly experienced affiliates who've cycled through other RaaS platforms. LockBit has also resurfaced, posting 106 new victims in December 2025 alone.

The takeaway: even if Qilin faces disruption, the affiliate pool that made them dangerous doesn't disappear. It just migrates again.

Defending Against Qilin: What Actually Works

Qilin's TTPs are well-documented at this point, thanks to incident response work from Cisco Talos, Darktrace, CrowdStrike, and others. Here's what actually matters for defense, ordered by impact:

Kill the initial access vectors. Qilin affiliates are getting in through leaked VPN credentials, unpatched Fortinet devices, exposed RDP, and phished MSP credentials. Patch CVE-2024-21762 and CVE-2024-55591 on FortiOS/FortiProxy immediately if you haven't. Audit all external-facing VPN and RDP endpoints. Enforce MFA on everything, especially remote access and administrative consoles. Monitor dark web credential dumps for your domain names.

Assume breach and limit blast radius. Network segmentation is one of the most effective controls against ransomware lateral movement. Segment your OT from IT. Segment your backup infrastructure. Implement tiered administrative access so that compromising one admin account doesn't hand attackers the keys to Active Directory. If you're running VMware ESXi, lock down management interfaces and audit access rigorously — Qilin has been targeting hypervisors since 2023.

Protect your backups like they're the last line of defense — because they are. Qilin specifically targets Veeam backup infrastructure to steal backup credentials before encryption. Immutable backups, air-gapped copies, and regularly tested restoration procedures are non-negotiable. If your backups are on the same network as your production systems with the same admin credentials, you effectively don't have backups.

Watch for the new evasion techniques. The WSL-based ELF payload trick is a real problem for traditional Windows EDR. Monitor for unexpected WSL installation or enablement on endpoints where it shouldn't exist. Deploy EDR solutions that can inspect activity within WSL environments. Watch for BYOVD activity — specifically, the loading of known vulnerable drivers that Qilin uses to kill security processes.

Harden your MSP relationships. Multiple Qilin campaigns in 2025 used compromised managed service providers as springboards into downstream customer networks. If you use an MSP, understand their security posture, mandate MFA on all administrative access to your environment, and enforce the principle of least privilege on their service accounts. Review your MSP contracts for security requirements and breach notification obligations.

# Priority detection rules for Qilin TTPs
# Monitor for these in your SIEM/EDR:

- vssadmin.exe delete shadows /all /quiet (and the wmic shadowcopy delete equivalent)
- Unexpected WSL installation (wsl --install, DISM enabling Microsoft-Windows-Subsystem-Linux, LxssManager service start)
- Known BYOVD driver hashes (check LOLDrivers project)
- Cobalt Strike beacon network signatures
- Cyberduck or WinSCP connections to unknown cloud endpoints
- Mass file rename operations with unusual extensions
- NTLM authentication spikes against VPN infrastructure
- PsExec lateral movement patterns (PSEXESVC service creation on the target)
- Safe Mode boot configuration changes (bcdedit /set ... safeboot)
- Event log clearing (wevtutil cl)
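As an added example (not code from the original page, and not Qilin's or any vendor's detection content), the following Python script runs rules for the TTPs listed above over constructed, Sysmon-style process-creation events, service-start records and VPN authentication records. It correlates hits per host so that a chain of stages (shadow copies deleted, logs cleared, safe boot configured) outranks any single noisy alert, and it flags the burst of NTLM attempts against the VPN that the Talos case describes. The event field names (host, ts, cmdline, service, src_ip, auth_type, target), the thresholds and the sample telemetry are assumptions for illustration; map them onto your own schema.

```python
"""Toy detector for the Qilin TTP list above (added example, not the page's code).
Event schema (host, ts, cmdline, service, src_ip, auth_type, target) is assumed."""
import re
from collections import defaultdict

# Process-creation rules: (rule name, regex over the lower-cased command line).
# Hand-written from the TTP list above; tune for your fleet before deploying.
PROCESS_RULES = [
    ("shadow_copy_deletion",  r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b|\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b"),
    ("event_log_clearing",    r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"),
    ("safe_mode_boot_config", r"\bbcdedit(\.exe)?\b.*\bsafeboot\b"),
    ("wsl_enablement",        r"\bwsl(\.exe)?\s+--install\b|microsoft-windows-subsystem-linux"),
    ("psexec_lateral_move",   r"\bpsexec(64)?(\.exe)?\b.*\\\\"),
    ("ntds_credential_dump",  r"\bntdsutil(\.exe)?\b.*\bifm\b|\bntds\.dit\b"),
]
COMPILED = [(name, re.compile(rx)) for name, rx in PROCESS_RULES]

# Services whose start matters on hosts where WSL has no business existing.
WSL_SERVICES = {"lxssmanager"}


def classify_process(event):
    """Return the rule names matched by one process-creation event."""
    cmd = (event.get("cmdline") or "").lower()
    return [name for name, rx in COMPILED if rx.search(cmd)]


def classify_service(event):
    """Flag a WSL service start unless the host is marked as an expected WSL user."""
    if event.get("service", "").lower() in WSL_SERVICES and not event.get("wsl_expected", False):
        return ["wsl_service_start"]
    return []


def ntlm_spikes(auth_events, window=60, threshold=20):
    """Infostealer-to-VPN pipeline: bursts of NTLM attempts against the VPN from one
    source inside `window` seconds. Returns {src_ip: peak attempts} over threshold."""
    by_src = defaultdict(list)
    for e in auth_events:
        if e.get("auth_type", "").lower() == "ntlm" and e.get("target") == "vpn":
            by_src[e["src_ip"]].append(e["ts"])
    spikes = {}
    for src, times in by_src.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            spikes[src] = best
    return spikes


def correlate(events, window=86400):
    """Group rule hits per host. Three or more distinct stages inside `window` seconds
    is 'high', one or two is 'medium'. Returns {host: (severity, sorted stages)}."""
    hits = defaultdict(list)                  # host -> [(ts, rule)]
    for e in events:
        if e["kind"] == "process":
            rules = classify_process(e)
        elif e["kind"] == "service":
            rules = classify_service(e)
        else:
            rules = []
        for r in rules:
            hits[e["host"]].append((e["ts"], r))
    verdicts = {}
    for host, items in hits.items():
        items.sort()
        best_stages, lo = set(), 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            stages = {r for _, r in items[lo:hi + 1]}
            if len(stages) > len(best_stages):
                best_stages = stages
        verdicts[host] = ("high" if len(best_stages) >= 3 else "medium", sorted(best_stages))
    return verdicts


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"kind": "process", "host": "FS01",    "ts": 1000, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"kind": "process", "host": "FS01",    "ts": 1100, "cmdline": "wevtutil.exe cl Security"},
    {"kind": "process", "host": "FS01",    "ts": 1200, "cmdline": "bcdedit /set {default} safeboot network"},
    {"kind": "process", "host": "WS07",    "ts": 5000, "cmdline": "wsl.exe --install -d Ubuntu"},
    {"kind": "service", "host": "WS07",    "ts": 5300, "service": "LxssManager"},
    {"kind": "process", "host": "DC01",    "ts": 7000, "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp" q q'},
    {"kind": "process", "host": "ADMIN01", "ts": 7200, "cmdline": "psexec.exe \\\\DC01 -s cmd.exe"},
    {"kind": "process", "host": "WS03",    "ts": 8000, "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
]
SAMPLE_AUTH = (
    [{"ts": 100 + i, "src_ip": "203.0.113.5", "auth_type": "NTLM", "target": "vpn"} for i in range(30)]
    + [{"ts": 100 + i * 300, "src_ip": "198.51.100.9", "auth_type": "NTLM", "target": "vpn"} for i in range(5)]
)

if __name__ == "__main__":
    for host, verdict in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, verdict)
    print("NTLM spikes:", ntlm_spikes(SAMPLE_AUTH))
```

On the sample data FS01 scores high (three anti-recovery stages inside the window), WS07 scores medium with both WSL indicators, and the 30 NTLM attempts in 30 seconds from 203.0.113.5 are flagged while the slow trickle from 198.51.100.9 is not. The host-level correlation is the part worth keeping: each of these commands has a legitimate admin use, but a host that deletes shadow copies, clears Security and reconfigures safe boot within hours is an encryption run about to start.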

Key Takeaways

  1. Qilin is the new apex predator in ransomware: With over 1,000 victims in 2025 and activity accelerating into 2026, Qilin has surpassed LockBit at its peak. The GRIT 2026 report confirms it's the most active ransomware group GuidePoint Security has ever tracked. This isn't a theoretical threat — it's the current dominant threat.
  2. Ransomware now has a confirmed body count: The Synnovis NHS attack directly contributed to a patient's death, caused 170 cases of patient harm, and exposed 900,000 records. Qilin targets healthcare disproportionately and shows zero restraint. Every organization in healthcare and critical infrastructure needs to treat ransomware defense as a patient safety issue, not just an IT issue.
  3. The affiliate economy makes disruption temporary: The law enforcement operations against LockBit and ALPHV, and RansomHub's sudden shutdown, didn't reduce overall ransomware volume. They redistributed talent. Qilin absorbed the best affiliates each time. Even if Qilin faces disruption, the ecosystem will regenerate. Defense cannot depend on law enforcement alone.
  4. Technical sophistication is escalating: WSL-based evasion, BYOVD, zero-day exploitation of SAP NetWeaver, AES-256-CTR with hardware acceleration, and AI-enhanced phishing campaigns put Qilin's capabilities well beyond the spray-and-pray ransomware of a few years ago. Defenders need to keep pace or get burned.
  5. Your supply chain is their attack surface: MSP compromise, third-party vendor exploitation, and supply chain attacks were consistent themes in Qilin campaigns throughout 2025. Your security is only as strong as the weakest vendor with access to your network.

The ransomware economy isn't contracting. It's evolving into something more distributed, more resilient, and more dangerous. Qilin is the current face of that evolution — but even if they're gone tomorrow, the conditions that created them remain. The affiliates are still out there, the vulnerabilities are still unpatched, and the next platform is already being built. The only thing standing between your organization and becoming victim number 1,045 is whether you've done the work before the attack, not after.
