CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Qilin ransomware group targets multiple organizations, including South Korean financial sector

First reported
Last updated
5 unique sources, 16 articles

Summary

Hide ▲

The Qilin ransomware group has been active, targeting multiple organizations, including Inotiv, a U.S.-based pharmaceutical company, Creative Box Inc. (CBI), a subsidiary of Nissan, Mecklenburg County Public Schools (MCPS), Asahi Group, and Synnovis, a UK pathology services provider. The latest attack was on South Korean financial sector, where Qilin claims to have stolen over 1 million files and 2 TB of data from 28 victims. The attack caused significant operational disruption, including a beer shortage in Japan. The group has also targeted other Japanese companies, including Shinko Plastics and Osaki Medical. The Qilin ransomware group operates as a ransomware-as-a-service (RaaS) network, providing tools and infrastructure to affiliates and taking a 15–20% share of ransom payments. The group's malware is custom-built in Rust and C for cross-platform attacks, including Windows, Linux, and ESXi systems. The Qilin ransomware operation was first launched as "Agenda" in August 2022 and rebranded to Qilin by September 2022. Qilin ransomware operation has attacked more than 700 victims across 62 countries in 2025. The Qilin ransomware operation has published over 40 new victims per month in the second half of 2025. The Qilin ransomware operation uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools. Qilin ransomware group has been observed exploiting unpatched VPN appliances and lack of multi-factor authentication (MFA) to gain initial access to corporate networks. Qilin ransomware group has been observed targeting small-to-medium-sized businesses in the construction, healthcare, and financial sectors. Qilin ransomware group has been observed using new extortion channels, including Telegram and public sites such as WikiLeaksV2. Qilin ransomware group has been observed collaborating with affiliates of the Scattered Spider group. Qilin ransomware group has been observed operating as a ransomware-as-a-service (RaaS) group since 2023, leasing its tools and infrastructure to affiliates. Qilin ransomware group has been observed publishing victims' data on dark-web leak sites if no ransom is paid. Asahi Group Holdings confirmed that the personal data of approximately 1.914 million individuals, including 1.525 million customers, was or may have been exposed in the cyber-attack. The exposed data includes names, genders, dates of birth, postal addresses, email addresses, and phone numbers. Asahi Group Holdings spent two months investigating the breach, conducting root cause analysis, integrity checks, containing the ransomware, restoring systems, and strengthening security. Atsushi Katsuki, President and Group CEO of Asahi Group Holdings, publicly apologized for the difficulties caused by the disruptions. Asahi Group Holdings is reviewing the potential impact of the incident on its financial results for fiscal year 2025. The Qilin ransomware group claimed responsibility for the cyber-attack on Asahi Group Holdings. Asahi Group Holdings temporarily suspended its operations in Japan in late September following a system failure due to the ransomware attack. The disruptions included order and shipment operations, call centers, and customer service desks. Asahi Group Holdings postponed the launch of a new product scheduled to be released in October due to the cyber-attack. On October 7, the Qilin ransomware group listed Asahi on its data leak site, claiming to have stolen 27 GB of files from the company.

Timeline

  1. 27.10.2025 10:55 5 articles · 1mo ago

    Qilin ransomware group uses BYOVD and legitimate tools in hybrid attacks

    Qilin affiliates use WinSCP to transfer the Linux ELF encryptor to compromised devices, which is then launched through the Splashtop remote management software (SRManager.exe) directly within Windows. The Qilin ransomware operation uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools. The Qilin ransomware group has been observed targeting South Korean financial sector in a sophisticated supply chain attack. The group leveraged a Managed Service Provider (MSP) compromise as the initial access vector, resulting in the theft of over 1 million files and 2 TB of data from 28 victims. The campaign, named 'Korean Leaks,' involved three waves of data leaks and used propaganda and political language to exert pressure on compromised organizations. The group also claimed to have an 'in-house team of journalists' to assist with writing texts for blog posts and applying pressure during negotiations.

    Show sources
    Open in new tab
  2. 07.10.2025 20:15 12 articles · 1mo ago

    Qilin ransomware targets Asahi Group

    Asahi Group Holdings has completed its investigation into the September cyberattack, revealing that the incident impacted up to 1.9 million individuals. The compromised data includes full names, genders, physical addresses, phone numbers, and email addresses, which could be used in phishing attempts. The company initially stated that no customer data was accessed but later confirmed a ransomware attack and data theft. The Qilin ransomware group claimed responsibility and published samples of exfiltrated files. Asahi has established a dedicated contact line for affected parties and is implementing enhanced security measures, including redesigned communication routes, tightened network controls, and upgraded threat-detection systems. The company is still working on restoring impacted systems two months after the initial compromise.

    Show sources
    Open in new tab
  3. 07.10.2025 18:45 1 articles · 1mo ago

    Qilin ransomware targets Mecklenburg County Public Schools

    In early September 2025, the Qilin ransomware group claimed responsibility for an attack on Mecklenburg County Public Schools (MCPS), stealing 305 GB of sensitive data, including financial records, grant documents, budgets, and children’s medical files. The attack disrupted operations, forcing teachers to rely on pen, paper, and whiteboards for instruction. Internet systems were restored about a week later. MCPS Superintendent Scott Worner confirmed the attack and stated that the district is assessing the extent of the breach.

    Show sources
    Open in new tab
  4. 26.08.2025 16:48 1 articles · 3mo ago

    Qilin ransomware targets Nissan subsidiary Creative Box Inc.

    On August 16, 2025, the Qilin ransomware group detected suspicious access to a server of Creative Box Inc. (CBI), a subsidiary of Nissan, stealing four terabytes of data, including 3D vehicle design models, internal reports, financial documents, VR design workflows, and photos. CBI implemented emergency measures and reported the incident to the police. The Qilin ransomware group added CBI to its extortion portal on August 20, 2025, threatening to make the stolen data public. Nissan confirmed the data breach and is conducting an investigation. The leaked data only impacts Nissan, as it is the sole customer of CBI.

    Show sources
    Open in new tab
  5. 19.08.2025 17:25 1 articles · 3mo ago

    Inotiv hit by Qilin ransomware attack

    On August 8, 2025, the Qilin ransomware group attacked Inotiv, encrypting critical systems and data. The incident disrupted business operations, affecting databases and internal applications. The company has engaged external security experts and notified law enforcement. The Qilin ransomware group claims to have stolen approximately 162,000 files totaling 176GB. Inotiv is working to restore affected systems and mitigate the impact, but no timeline for full recovery has been provided.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Qilin Ransomware Incident Analysis

Huntress Labs investigated a Qilin ransomware incident where the Huntress agent was installed post-incident on a single endpoint. Analysts pieced together the attack timeline using limited data sources, including managed antivirus alerts, Windows Event Logs, and Program Compatibility Assistant logs. The threat actor used a rogue ScreenConnect instance to deploy malicious files, including an infostealer, and attempted to disable Windows Defender before deploying ransomware.

Open in new tab

Kraken Ransomware Implements System Benchmarking for Encryption Optimization

Kraken ransomware, active since early 2025 and linked to the defunct HelloKitty operation, benchmarks systems to determine optimal encryption methods. The ransomware targets Windows, Linux, and VMware ESXi systems, using temporary files to decide between full or partial encryption. Kraken employs SMB vulnerabilities for initial access, deploys Cloudflared and SSHFS for data exfiltration, and encrypts data based on system performance to avoid detection. Victims include organizations in the US, UK, Canada, Panama, Kuwait, and Denmark. Kraken also operates a cybercrime forum, 'The Last Haven Board,' and demands ransoms up to $1 million in Bitcoin. The group was observed in August 2025 by Cisco Talos, detailing intrusions where SMB flaws were abused for entry, followed by the use of Cloudflare for persistence and SSHFS for data theft before encryption.

Open in new tab

Russian Sandworm Group Targets Ukrainian Organizations with Data-Wiping Malware and LotL Tactics

Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations, including a business services firm, a local government entity, and the grain sector, using living-off-the-land (LotL) tactics and dual-use tools to maintain persistent access and exfiltrate sensitive data. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The attacks were characterized by the use of legitimate tools and minimal malware, demonstrating the actors' deep knowledge of Windows native tools. In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group. A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of wiper malware ZEROLOT and Sting. Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The ESET report noted that other Russian-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services.

Open in new tab

Muji online sales disrupted by Askul ransomware attack

Muji, a Japanese retail company, halted online sales and services due to a ransomware attack on its delivery partner, Askul. The attack occurred on Sunday, October 19, 2025, affecting all retail services, including browsing, purchasing, and order histories. Muji is investigating the impact on shipments and notifying affected customers. Askul, a logistics and e-commerce company, confirmed the ransomware infection, which caused operational disruptions, including suspended order and shipping operations. The attack impacted Muji's Japan sales only, with no reports of ransomware gangs claiming responsibility. This incident follows a similar ransomware attack on Asahi, Japan’s largest beer producer, which also experienced production and launch delays.

Open in new tab

Increased Use of ClickFix Attacks by Threat Actors

ClickFix attacks, where users are tricked into running malicious commands by copying code from a webpage, have become a significant source of security breaches. These attacks are used by various threat actors, including the Interlock ransomware group and state-sponsored APTs. Recent data breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics. The attacks exploit user behavior and technical gaps in detection to evade security measures and compromise systems. They are delivered through SEO poisoning, malvertising, and other non-email vectors, making them harder to detect and prevent. Effective defense against ClickFix attacks requires browser-based detection and blocking to intercept these threats at the earliest opportunity.

Open in new tab