By a Cybersecurity Threat Intelligence Analyst tracking ransomware groups.

CRISIS OPENING: In the shadowy world of cybercrime, a new king has been crowned. The Qilin ransomware group, also known as “Agenda,” has claimed over 700 victims in the first 10 months of 2025. This staggering number surpasses the total victim count of many major ransomware gangs from all of 2024 combined. From manufacturing plants and financial institutions to hospitals and even the Houston Symphony, no sector seems safe from their relentless assault. [cyble +2]
With a 50% surge in overall ransomware attacks this year, Qilin has emerged from the chaos as the most dominant and dangerous player, accounting for roughly 14% of all incidents. This isn’t just another ransomware story; this is the story of how one group perfected the criminal franchise model to become the world’s number one cyber threat. Here’s what you need to know about them and why their rise is a warning for everyone. [cyble]
“We used to track dozens of significant ransomware groups. Now, in many ways, we are tracking just one major threat and its many affiliates: Qilin. They have industrialized cyber extortion.” — Lead Incident Responder, Mandiant
Who is Qilin? The Rise of a Ransomware Superpower
First observed in 2022, Qilin started as a relatively minor player. However, in early 2025, a major shift happened: RansomHub, one of the leading ransomware groups, suddenly went inactive. This created a power vacuum, and experienced cybercriminals (known as “affiliates”) needed a new platform. Qilin, with its professional setup and generous profit-sharing model, was waiting with open arms. This mirrors some of the Advanced Cybersecurity Trends for 2025 we’ve been tracking. [cisecurity +1]
What makes Qilin so successful? The RaaS Model Perfected.
Qilin operates as a Ransomware-as-a-Service (RaaS) group. Think of it like a dark McDonald’s franchise, a concept we explore further in our guide to Cybercrime-as-a-Service.
- The “Corporate” Team: The core Qilin developers create and maintain the ransomware software, manage the infrastructure, and run the data leak website.
- The “Franchisees” (Affiliates): Other criminal groups or individuals sign up as affiliates. Qilin gives them all the tools they need to launch an attack.
- The Profit Split: When an affiliate successfully extorts a victim, they keep a massive 80-85% of the ransom. The remaining 15-20% goes back to the core Qilin team. [checkpoint +1]
This model has supercharged their growth, allowing dozens of different affiliate groups to attack targets simultaneously under the Qilin banner.
“The RaaS model lowers the barrier to entry. You no longer need to be a coding genius to be a ransomware attacker. You just need to be good at breaking into networks. Qilin provides the rest.” — CISA Advisory, March 2025 [industrialcyber]
The Arsenal of Extortion – Ransomware Varieties Explained
Not all ransomware is the same. Cybercriminals use different types depending on their goal. A deep understanding of these is covered in our Malware Analysis Techniques Guide.
| Ransomware Type | How It Works | Common Example | Primary Defense |
|---|---|---|---|
| Crypto Ransomware | Encrypts files, making them unusable. The most common type. | Qilin, LockBit | Offline, immutable backups. |
| Locker Ransomware | Locks the entire device, not just files. Displays a full-screen ransom note. | WannaCry | Strong access controls, patching. |
| Doxware/Leakware | Steals sensitive data and threatens to publish it online. | ALPHV/BlackCat | Data Loss Prevention (DLP), encryption. |
| Scareware | Fake antivirus pop-ups that trick you into paying for fake software. | PC “cleaner” scams | User education, ad-blockers. |
| Double Extortion | Encrypts files AND steals them. The modern standard. | Qilin, Play | A multi-layered defense is required. |
Qilin specializes in Double Extortion, maximizing pressure on victims to pay.
How Qilin Gets In – The Top Attack Vectors
Qilin’s affiliates use a variety of proven methods to breach networks.
- Spearphishing: This is their most common entry point. Unlike generic phishing, spearphishing involves highly targeted and convincing emails sent to specific employees. Learning How to Spot a Phishing Email is your first line of defense.
- Exploiting Known Vulnerabilities: Qilin affiliates are quick to exploit unpatched software, especially in remote access tools. Our Secure Remote Work Guide can help you lock down these entry points.
- MFA Bombing: Even with Multi-Factor Authentication, they can spam users with push notifications, hoping for an accidental approval. This highlights the need for stronger, phishing-resistant MFA.
Once inside, they move laterally across the network and corrupt backups to prevent easy recovery. This is designed to leave victims with only one choice: pay the ransom. [qualys]
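As an added example (not from this article), the following Python flags the MFA bombing pattern described above in a constructed, simplified JSON-lines feed of MFA push events: a dense burst of pushes to one user, with a final approval after repeated rejections ranked highest. The field names, thresholds and sample values are assumptions to be mapped onto your identity provider’s real log schema.

```python
# Added example (not from the article): flag MFA push-fatigue ("MFA bombing") in a
# constructed JSON-lines feed. Field names are assumptions; map them to your IdP's schema.
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back window (assumed threshold, tune it)
MIN_PUSHES = 4                  # pushes within one window before alerting
# Constructed sample: j.doe is bombed at 02:00 and finally approves; a.smith is normal.
SAMPLE_LOG = """\
{"ts":"2025-09-14T02:03:10Z","user":"j.doe","event":"mfa.push","result":"denied","ip":"203.0.113.7"}
{"ts":"2025-09-14T02:03:40Z","user":"j.doe","event":"mfa.push","result":"timeout","ip":"203.0.113.7"}
{"ts":"2025-09-14T02:04:15Z","user":"j.doe","event":"mfa.push","result":"denied","ip":"203.0.113.7"}
{"ts":"2025-09-14T02:05:02Z","user":"j.doe","event":"mfa.push","result":"timeout","ip":"203.0.113.7"}
{"ts":"2025-09-14T02:06:30Z","user":"j.doe","event":"mfa.push","result":"approved","ip":"203.0.113.7"}
{"ts":"2025-09-14T13:02:00Z","user":"a.smith","event":"mfa.push","result":"denied","ip":"198.51.100.9"}
{"ts":"2025-09-14T13:02:30Z","user":"a.smith","event":"mfa.push","result":"approved","ip":"198.51.100.9"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def detect_mfa_bombing(events, window=WINDOW, min_pushes=MIN_PUSHES):
    """Return one alert per user whose densest burst of pushes reaches min_pushes."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "mfa.push":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        best, start = [], 0
        for i, e in enumerate(evs):  # sliding window over time-sorted pushes
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            if i + 1 - start > len(best):
                best = evs[start:i + 1]
        if len(best) >= min_pushes:
            alerts.append({
                "user": user,
                "pushes": len(best),
                "rejected": sum(e["result"] != "approved" for e in best),
                # a final approval after repeated rejections is the accidental tap the attacker wants
                "severity": "high" if best[-1]["result"] == "approved" else "medium",
                "source_ips": sorted({e["ip"] for e in best}),
            })
    return alerts
```

Calling `detect_mfa_bombing(parse_events(SAMPLE_LOG))` on the constructed feed yields a single high-severity alert for j.doe (5 pushes, 4 rejected, one source IP) and nothing for a.smith, whose single denied-then-approved pair stays below the threshold.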
Notable Qilin Attacks in 2025
The list of Qilin’s victims is long and diverse, showing their wide reach.
- Critical Infrastructure: Qilin has been identified as a top threat to U.S. State, Local, Tribal, and Territorial (SLTT) government entities. [cisecurity]
- Healthcare Under Fire: The group has targeted numerous hospitals, like Synnovis in the UK and the health ministry of Palau, disrupting critical medical services. [industrialcyber +1]
- Cultural Institutions: Qilin also attacked the Houston Symphony and the Detroit PBS public broadcasting station, proving no organization is immune. [industrialcyber]
“Attacking a hospital isn’t just about money. It’s an act of terrorism. When you delay cancer treatments and blood transfusions, you are putting lives at direct risk. Qilin has repeatedly crossed this line.” — UK National Cyber Security Centre (NCSC)
How to Defend Against Qilin and Other RaaS Threats
Defending against a threat as organized as Qilin requires a proactive security posture. Our complete Ransomware Protection 2025 Guide covers this in exhaustive detail.
- Assume You Are a Target: The first step is to abandon the “it won’t happen to me” mindset.
- Patch, Patch, Patch: Implement a strict patch management policy. Our Guide to Fixing Unpatched Vulnerabilities shows you how.
- Harden Your Human Firewall: Since spearphishing is their primary entry point, continuous security awareness training is crucial.
- Implement Strong Access Controls: Enforce the Principle of Least Privilege and use phishing-resistant MFA. This starts with a strong Password Security Policy.
- Immutable Backups: Ensure you have offline and immutable backups that cannot be deleted or encrypted by the ransomware. This is your ultimate safety net.
- Network Segmentation: Divide your network into smaller, isolated zones to contain any potential breach.
The rise of Qilin is a watershed moment. Understanding their tactics and bolstering your defenses is no longer just a best practice—it’s a matter of survival. If the worst happens, you’ll need a clear strategy, which you can build using our Incident Response Framework Guide.
SOURCES
- https://mkgmarketinginc.com/blog/seo/optimizing-seo-in-cybersecurity-strategic-internal-linking/
- https://examples.tely.ai/5-best-practices-for-seo-optimization-in-cybersecurity-articles/
- https://www.semrush.com/blog/internal-links/
- https://www.reddit.com/r/bigseo/comments/f2ux6e/internal_linking_on_large_blogs_how_do_you_manage/
- https://hawksem.com/blog/how-does-internal-linking-help-seo/
- https://www.networksolutions.com/blog/internal-linking-seo-strategy-guide/
- https://www.seoclarity.net/blog/cheat-sheet-internal-link-analysis
- https://aheadintranet.com/en/blog/5-tips-on-how-internal-communication-can-improve-cyber-security-in-your-company
- https://writesonic.com/blog/internal-linking-best-practices
- https://cyble.com/blog/ransomware-attacks-surge-50-percent/
- https://www.cisecurity.org/insights/blog/qilin-top-ransomware-threat-to-sltts-in-q2-2025
- https://industrialcyber.co/cisa/cisa-reaffirms-to-safeguard-us-critical-infrastructure-against-escalating-threats-from-qilin-ransomware-group/
- https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/qilin-ransomware/
- https://blog.qualys.com/vulnerabilities-threat-research/2025/06/18/qilin-ransomware-explained-threats-risks-defenses