Date: 2025-06-18

The first half of 2025 has seen the decline and demise of several once-dominant ransomware groups, such as LockBit, RansomHub, Everest and BlackLock, partly due to the impact of previous law enforcement operations, data leaks and breaches. While these disruptions have left the ransomware landscape more fragmented than ever, with a lack of clear “market leaders,” as experts have noted, one group appears to be gaining a growing presence: Qilin.

This ransomware-as-a-service (RaaS) group, active since October 2022, has recently been observed steadily building its reputation through a series of high-impact cyber-attacks across various industries, according to a report by Cybereason. The group ranks as the third most active ransomware syndicate in 2025, with 291 claimed victims identified by the ransomware tracking website Ransomware.live, trailing only Akira (348) and Cl0p (404).

Qilin activity based on claims on its data leak site. Source: Ransomware.live

The Cybereason researchers have argued that what makes Qilin stand out is not just its activity, but the set of advanced features it offers its affiliates. These offerings range from operational features to more innovative services, such as a “Call Lawyer” function, which provides legal consultation to increase pressure during ransom negotiations.

Qilin’s RaaS Operational Features

According to the Cybereason report, Qilin operates a technically mature infrastructure, with custom-built malware written in Rust and C for cross-platform attacks, including Windows, Linux and ESXi systems. The group operates by providing its ransomware tools and infrastructure to affiliates, taking a 15–20% share of the ransom payments. It explicitly instructs its affiliates not to target systems located in countries that are part of the Commonwealth of Independent States (CIS), including Russia and Belarus.

Its RaaS program included a wide range of operational features, such as:

An affiliate panel offering Safe Mode execution

Loaders with advanced evasion features

Reliable encryption algorithms (ChaCha20, AES and RSA-4096)

Four operating modes for the encryption software: normal (fully encrypts the file), step-skip (encrypts in fixed-size chunks and skips parts), fast (encrypts the beginning of the file) and percent (encrypts in fixed-size chunks with dynamic skipping, based on the file size)

Machine reboot, file filtering and service kill features

Network spreading features

Log cleanup

Automated negotiation tools
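
For responders triaging affected files, the layout of high-entropy chunks hints at which of the four encryption modes listed above was applied. The following is an added example, not code from the Cybereason report or this article: the 4096-byte window, the 7.5 bits-per-byte threshold and the label names are assumptions, and the sample data is constructed.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096  # assumed analysis window; not a Qilin parameter
HIGH = 7.5    # bits per byte; ciphertext measures close to 8.0


def entropy(block: bytes) -> float:
    """Shannon entropy of a byte block, in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def chunk_flags(data: bytes) -> list[bool]:
    """One flag per full chunk: True if it looks like ciphertext.
    A short trailing chunk is ignored; small blocks measure low anyway."""
    return [entropy(data[i:i + CHUNK]) >= HIGH
            for i in range(0, len(data) - CHUNK + 1, CHUNK)]


def classify(data: bytes) -> str:
    """Label the layout of high-entropy chunks in a file body."""
    flags = chunk_flags(data)
    if not flags:
        return "too-small"
    if not any(flags):
        return "clean"
    if all(flags):
        return "full"          # consistent with the "normal" mode
    last = max(i for i, f in enumerate(flags) if f)
    if all(flags[:last + 1]):
        return "head-only"     # consistent with the "fast" mode
    return "intermittent"      # consistent with "step-skip" or "percent"


# Constructed sample data (no real files involved).
PLAIN = (b"2025-06-18,invoice,qty=3,total=41.50\n" * 200)[:CHUNK]


def sample(pattern: str) -> bytes:
    """Build a file body: 'E' = ciphertext-like chunk, 'P' = plaintext."""
    def noise(seed: int) -> bytes:  # SHA-256 in counter mode as stand-in
        return b"".join(hashlib.sha256(b"%d:%d" % (seed, j)).digest()
                        for j in range(CHUNK // 32))
    return b"".join(noise(i) if c == "E" else PLAIN
                    for i, c in enumerate(pattern))


if __name__ == "__main__":
    for p in ("PPPPPPPP", "EEEEEEEE", "EEPPPPPP", "EPEPEPEP"):
        print(p, classify(sample(p)))
```

Formats that are already compressed or encrypted (ZIP archives, JPEG images) also classify as "full", so the label is a triage hint to compare against known-good backups rather than proof of encryption.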

In March 2023, Group-IB researchers exposed Qilin’s administrative panel. Source: Group-IB via Cybereason