The New King of Ransomware
- Cyber Jill

- 27 minutes ago
Qilin’s Explosive Reign and What It Means for Critical Infrastructure
Ten months into 2025, the ransomware group Qilin has hit a grim milestone: its 700th claimed victim. That makes it the most prolific ransomware outfit of the year—eclipsing last year’s leader, RansomHub, which logged 547 total victims in 2024.
Once a fringe player in the cybercrime underground, Qilin now dominates the ransomware-as-a-service (RaaS) market, turning data extortion into an industrialized business. Analysts say the group’s expansion this year marks a turning point in how ransomware is organized, distributed, and monetized.
A Ransomware Startup Gone Global
Qilin surfaced in late 2022 but only started gaining momentum in 2023, when it claimed 45 attacks. That number jumped to 179 in 2024—and then skyrocketed this year after RansomHub mysteriously disappeared in April. Affiliates who once worked with RansomHub reportedly migrated to Qilin, fueling a 280% surge in attack claims from spring to fall.
Like other RaaS groups, Qilin sells access to its malware and infrastructure, taking a cut of the ransoms collected by its affiliates. Investigators say affiliates typically keep around 80–85% of the payout, while Qilin takes the rest—a model that turns the gang into a profit-sharing startup for cybercrime.
“Think of it like a franchising system for hackers,” said one threat analyst. “Qilin provides the brand, the tools, and the PR machine. Affiliates bring the hustle.”
How Qilin Took the Lead
Several factors have propelled Qilin to the top of the ransomware hierarchy:
- Affiliate Migration: When RansomHub folded, experienced affiliates moved to Qilin's more stable infrastructure.
- Multi-Platform Malware: Written in Rust and Go, Qilin's payloads run on Windows, Linux, and VMware ESXi, so one affiliate can encrypt workstations, servers, and the hypervisors underneath them. The large, statically linked binaries these toolchains produce are also harder for signature-based tools to classify than older C-based families.
- Mass-Targeting Strategy: Instead of focusing on a few mega-attacks, Qilin goes wide, flooding manufacturing, government, healthcare, and financial networks worldwide.
- Opportunity Gap: With legacy players like LockBit facing law-enforcement crackdowns, Qilin capitalized on the power vacuum.
“Qilin has industrialized ransomware,” said a U.S.-based cybersecurity researcher. “It’s fast, scalable, and ruthlessly efficient.”
The Scale of the Damage
Qilin’s numbers are staggering:
- 701 total claimed victims (118 confirmed)
- 45 attacks on healthcare providers
- 40 attacks on government agencies
- 26 attacks on schools and universities
- 590 attacks on businesses across every major sector
- Over 788,000 records breached and 116 terabytes of data stolen
The United States leads in victim count (375), followed by France, Canada, South Korea, and Spain. Education and government have seen the sharpest rise in activity, while manufacturing remains Qilin’s favorite target—especially in Japan, where it recently hit Asahi Group Holdings and Nissan’s design arm.
Healthcare in the Crosshairs
Few sectors illustrate Qilin's impact better than healthcare. The gang has already launched at least 45 attacks on healthcare organizations this year, stealing over 10 terabytes of patient data.
“With over 50 million members and daily claim processing affected, the ransomware attack on pharmacy benefit manager MedImpact is a crucial example of the growing threat to the healthcare information ecosystem,” said Damon Small, Board of Directors at Xcape, Inc.
“The Qilin gang’s participation in the ransomware-as-a-service industry highlights a rise in attacks across critical industries. The probable exfiltration of financial operation details, such as commissions, claims, and bank summaries, signals a serious loss of proprietary and partner data, even though MedImpact’s transition to a segregated ‘new environment’ is an essential step in recovery.
“Organizations must now view their entire supply chain as a single, vulnerable attack surface due to Qilin’s swift and aggressive growth. In healthcare, downtime is dangerous—but silence is fatal; contain fast, restore safely, and tell the truth early.”
Hospitals, insurers, and pharmaceutical service providers are all prime targets because downtime can directly endanger lives—and because they often hold both financial and medical data that’s lucrative on the dark web.
Big Ransom Demands, Bigger Consequences
Qilin’s ransom demands vary widely—from $300,000 against a U.S. sheriff’s office to a staggering $10 million against Malaysia Airports Holdings. The group demanded $700,000 from Israel’s Shamir Medical Center after allegedly stealing 8 terabytes of patient records.
Even when victims refuse to pay, recovery costs can be steep. The Cleveland Municipal Court spent weeks restoring systems after an attack, while France’s Alu Perpignan lost three months of business after a shutdown lasting three weeks.
How Defenders Can Keep Up
Security teams facing Qilin-level threats are being urged to focus on the fundamentals:
- Tighten patching cycles and continuously monitor internet-facing assets for unpatched vulnerabilities, since those are the usual point of entry.
- Map and secure supply-chain dependencies; vendors and managed service providers are often the soft underbelly.
- Maintain offline backups and test recovery frequently. A backup that has never been restored is an assumption, not a control, and backups reachable from the production network can be encrypted along with everything else.
- Disclose incidents promptly. Many sectors have mandatory reporting deadlines, and early disclosure also limits reputational fallout.
- Monitor affiliate behavior; many affiliates reuse infrastructure or loaders across victims, and those overlaps can be tracked.
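The "test recovery" item is the one teams most often skip, so here is a minimal restore-verification check as an added example (not code from the article or from any vendor it mentions). It records a SHA-256 manifest of the backup set at backup time, then compares a restored tree against that manifest and reports files that are missing, altered, or unexpected. The file names and contents in the demo are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest captured at backup time.

    Returns three sorted lists: files absent from the restore, files whose
    content no longer matches (e.g. encrypted or truncated), and files present
    in the restore that were never in the backup set.
    """
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    unexpected = sorted(p for p in restored if p not in manifest)
    return {"missing": missing, "corrupted": corrupted, "unexpected": unexpected}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three files backed up; the restore has one good
    copy, one tampered copy, one file missing, and one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        (src / "db").mkdir(parents=True)
        (restored / "db").mkdir(parents=True)

        # Backup set (constructed sample data).
        (src / "db" / "patients.sql").write_text("CREATE TABLE patients (id INT);\n")
        (src / "db" / "claims.sql").write_text("CREATE TABLE claims (id INT);\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = build_manifest(src)  # this is what you keep offline, with the backup

        # Simulated restore: patients.sql intact, claims.sql overwritten,
        # config.ini never restored, note.txt not part of the backup set.
        (restored / "db" / "patients.sql").write_text("CREATE TABLE patients (id INT);\n")
        (restored / "db" / "claims.sql").write_text("-- ciphertext, not the original dump\n")
        (restored / "note.txt").write_text("left over from a previous restore\n")

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

The manifest has to live with the offline copy, or be signed, for the check to mean anything: an intruder with write access to the backup store can rewrite both the data and a manifest stored beside it. Run the verification against a real restore on an isolated host, not against the backup volume in place, since the question being answered is whether the data can actually be brought back.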
The Road Ahead
If Qilin continues at its current pace, it could surpass 1,000 claimed attacks by year's end, more claimed victims in a single year than any ransomware group on record.
But experts warn that this dominance may not last forever. Law enforcement takedowns, affiliate infighting, or the next “hot” ransomware brand could disrupt its reign. Still, Qilin’s ascent signals an uncomfortable truth: ransomware has become not just an epidemic, but an economy.