Researchers warn of Qilin ransomware gang after group hit hundreds of orgs this year

The Qilin ransomware gang has emerged as one of the most active cybercriminal operations in 2025, listing hundreds of victims throughout the year that include large companies, local governments and hospitals.

In October alone, the suspected Russia-based group added more than 185 victims to its leak site — claiming to be behind recent cybersecurity incidents at Japanese beverage giant Asahi, the Texas city of Sugar Land, a county government in North Carolina and multiple power companies in Texas.

Incident responders at cybersecurity firm Cisco Talos published a study of the group this weekend, warning that in the second half of 2025 Qilin has published data from about 40 victims per month.

The group has existed since July 2022 but expanded its operations in the last few years, now operating through the ransomware-as-a-service (RaaS) business model. 

Nearly a quarter of the group's attacks hit the manufacturing sector, another 18% hit professional and scientific services, and 10% target wholesale trade firms.

Cisco Talos said it has responded to multiple incidents involving Qilin but could not identify a single initial-access technique common to every attack. In many cases the attackers used stolen administrative credentials found on the dark web to log in to the victim's VPN.
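One practical check that follows from the credential-reuse pattern above: flag successful VPN logins by administrative accounts from a source IP that account has never used before. The block below is an added illustration, not code from the article or from Cisco Talos; the log format, the field names and the admin-account naming convention are all assumptions, and the log lines are constructed.

```python
"""
Flag VPN logins by administrative accounts from source IPs never seen before
for that account. Added example; log format and naming convention are assumed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN log lines; the syslog-like layout is an assumption.
SAMPLE_LOGS = """\
2025-10-02T08:15:01Z vpn01 login user=jsmith src=203.0.113.10 result=success
2025-10-02T08:20:44Z vpn01 login user=admin.backup src=198.51.100.7 result=success
2025-10-09T23:41:09Z vpn01 login user=admin.backup src=198.51.100.7 result=success
2025-10-15T03:12:55Z vpn01 login user=admin.backup src=192.0.2.200 result=success
2025-10-15T03:13:30Z vpn01 login user=svc.vendor src=192.0.2.200 result=failure
"""

# Assumed convention for privileged account names; adjust to your directory.
ADMIN_PREFIXES = ("admin", "adm.", "da_")


def parse_line(line):
    """Split one log line into a dict of fields plus a parsed timestamp."""
    ts, _host, _event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_admin(user):
    return user.lower().startswith(ADMIN_PREFIXES)


def find_anomalous_admin_logins(log_text):
    """
    Build a per-account baseline of source IPs from successful logins as the
    log is read, and alert on any admin login whose source IP is not in that
    account's baseline. The first successful login for an account only seeds
    the baseline; an account with no history cannot be compared against itself.
    """
    seen = defaultdict(set)
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev["result"] != "success":
            continue
        user, src = ev["user"], ev["src"]
        if is_admin(user) and seen[user] and src not in seen[user]:
            alerts.append((ev["ts"], user, src))
        seen[user].add(src)
    return alerts


if __name__ == "__main__":
    for ts, user, src in find_anomalous_admin_logins(SAMPLE_LOGS):
        print(f"ALERT {ts.isoformat()} admin account {user} logged in from new IP {src}")
```

In the sample data the only alert is the 3 a.m. login by admin.backup from 192.0.2.200; the regular user and the failed vendor login are not flagged. In production the baseline would be loaded from historical logs rather than built from the same stream, and a new-IP alert for an administrative account is a reasonable trigger for forcing MFA re-enrolment or a password reset.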

Cybersecurity research firm Comparitech tracked more than 700 Qilin attacks in 2025, 118 of which were confirmed. About half of the attacks targeted the U.S., while France, Canada, South Korea and Spain also accounted for a large share of organizations that dealt with Qilin incidents.

Rebecca Moody, head of data research at Comparitech, said the shift to operating as a RaaS group has allowed Qilin to scale up rapidly and target more organizations with a higher level of success. 

The group has also raised its ransom demands this year. Malaysian officials were outraged in March, with the country's Prime Minister telling the press that the government had rejected a $10 million ransom demand after Kuala Lumpur International Airport was attacked.

One month earlier, the group demanded $4 million after shutting down Cleveland’s Municipal Court.

The group faced law enforcement scrutiny last year after a devastating attack on a British healthcare company that prompted major disruptions to services. 

But it quickly returned with attacks on the government of Palau and one of the largest newspaper chains in the United States.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
