
Qilin ransomware group targets multiple organizations, including South Korean financial sector and Romanian oil pipeline operator Conpet

5 unique sources, 20 articles

Summary


The Qilin ransomware group has confirmed the theft of nearly **1TB of data** from **Conpet S.A.**, Romania’s national oil pipeline operator, following a cyberattack on February 5, 2026. While the company’s **operational technologies (SCADA and telecommunications) remained unaffected**, the breach compromised corporate IT systems, exposing internal documents—including financial records and passport scans—some dated as recently as **November 2025**. Conpet has warned of potential fraud risks stemming from the stolen data and is working with Romania’s **National Cyber Security Directorate (DNSC)** to investigate the incident. This attack is part of Qilin’s broader 2025–2026 campaign, which has targeted high-profile victims across **62 countries**, including **Asahi Group (Japan)**, **Mecklenburg County Public Schools (U.S.)**, **Creative Box Inc. (Nissan subsidiary)**, and **Synnovis (UK pathology provider)**. The group employs **hybrid tactics**, such as abusing **Windows Subsystem for Linux (WSL)** to deploy Linux encryptors on Windows systems, **BYOVD (Bring Your Own Vulnerable Driver) exploits**, and **supply-chain compromises via Managed Service Providers (MSPs)**. Qilin’s **double-extortion model**—combining encryption with data leaks—has disrupted critical infrastructure, manufacturing, and financial sectors, with **over 700 confirmed victims in 2025 alone**. Recent developments include **politically charged leaks in South Korea** and **collaborations with affiliates like Scattered Spider**, underscoring the group’s evolving threat to global cybersecurity.

Timeline

  1. 05.02.2026 17:15 2 articles · 8d ago

    Qilin ransomware targets Romanian oil pipeline operator Conpet

    On **February 5, 2026**, the Qilin ransomware group breached **Conpet S.A.**, Romania’s national oil pipeline operator, disrupting corporate IT systems and taking the company’s website offline. While **operational technologies (SCADA and telecommunications) remained unaffected**, the attack resulted in confirmed **data exfiltration**, with Qilin claiming to have stolen **nearly 1TB of documents**. Conpet later verified the breach, acknowledging that leaked sample files—including **financial records, passport scans, and confidential documents dated as recently as November 2025**—were authentic. The stolen data may include **personal identifiers, bank account numbers, and internal business records**, prompting Conpet to warn of potential **fraud risks**. The company is collaborating with Romania’s **National Cyber Security Directorate (DNSC)** to investigate the incident and has filed a criminal complaint. This attack follows Qilin’s pattern of targeting **critical infrastructure**, including prior ransomware incidents against **Romanian Waters and Oltenia Energy Complex in December 2025**.

  2. 27.10.2025 10:55 5 articles · 3mo ago

    Qilin ransomware group uses BYOVD and legitimate tools in hybrid attacks

    The Qilin ransomware operation uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools. Qilin affiliates use WinSCP to transfer the Linux ELF encryptor to compromised devices and then launch it through the Splashtop remote management software (SRManager.exe) directly within Windows. The group has also been observed targeting the South Korean financial sector in a sophisticated supply chain attack that used a compromised Managed Service Provider (MSP) as the initial access vector, resulting in the theft of over 1 million files and 2 TB of data from 28 victims. The campaign, named 'Korean Leaks,' involved three waves of data leaks and used propaganda and political language to pressure compromised organizations. The group also claimed to have an 'in-house team of journalists' to write blog posts and apply pressure during negotiations.

  3. 07.10.2025 20:15 13 articles · 4mo ago

    Qilin ransomware targets Asahi Group

    Asahi Group Holdings has completed its investigation into the September cyberattack, revealing that the incident impacted up to 1.9 million individuals. The compromised data includes full names, genders, physical addresses, phone numbers, and email addresses, which could be used in phishing attempts. The company initially stated that no customer data was accessed but later confirmed a ransomware attack and data theft. The Qilin ransomware group claimed responsibility and published samples of exfiltrated files. Asahi has established a dedicated contact line for affected parties and is implementing enhanced security measures, including redesigned communication routes, tightened network controls, and upgraded threat-detection systems. Two months after the initial compromise the company is still restoring impacted systems, is considering the creation of a dedicated cybersecurity unit within the group, and is scrapping the use of virtual private networks (VPNs) in favour of a stricter zero-trust model. Because the attack continues to affect its systems, Asahi has postponed the disclosure of operating sales performance and has refrained from releasing monthly sales data by category and brand; November 2025 marks the third consecutive month it has skipped these disclosures, citing difficulties in accurately compiling the figures. The company recorded a 20% year-on-year drop in alcohol sales in Japan in November 2025 due to the cyber-attack.

  4. 07.10.2025 18:45 1 article · 4mo ago

    Qilin ransomware targets Mecklenburg County Public Schools

    In early September 2025, the Qilin ransomware group claimed responsibility for an attack on Mecklenburg County Public Schools (MCPS), stealing 305 GB of sensitive data, including financial records, grant documents, budgets, and children’s medical files. The attack disrupted operations, forcing teachers to rely on pen, paper, and whiteboards for instruction. Internet systems were restored about a week later. MCPS Superintendent Scott Worner confirmed the attack and stated that the district is assessing the extent of the breach.

  5. 26.08.2025 16:48 1 article · 5mo ago

    Qilin ransomware targets Nissan subsidiary Creative Box Inc.

    On August 16, 2025, Creative Box Inc. (CBI), a subsidiary of Nissan, detected suspicious access to one of its servers; the Qilin ransomware group stole four terabytes of data, including 3D vehicle design models, internal reports, financial documents, VR design workflows, and photos. CBI implemented emergency measures and reported the incident to the police. Qilin added CBI to its extortion portal on August 20, 2025, threatening to make the stolen data public. Nissan confirmed the data breach and is conducting an investigation. The leaked data only impacts Nissan, as it is the sole customer of CBI.

  6. 19.08.2025 17:25 2 articles · 5mo ago

    Inotiv hit by Qilin ransomware attack

    On August 8, 2025, the Qilin ransomware group attacked Inotiv, encrypting critical systems and data. The incident disrupted business operations, affecting databases and internal applications. The company engaged external security experts and notified law enforcement. Qilin claims to have stolen approximately 162,000 files totaling 176GB. Inotiv initially gave no timeline for full recovery but has since restored availability and access to the impacted networks and systems, and is notifying 9,542 individuals that their personal information was stolen in the attack.



Similar Happenings

Black Basta Leader Identified and Added to Interpol's Red Notice List

Law enforcement in Ukraine and Germany have identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the leader of the Black Basta ransomware gang. Nefedov, known by multiple aliases, has been added to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Ukrainian police, in collaboration with German authorities, identified two additional individuals involved in initial network breaches and privilege escalation for ransomware attacks. These individuals were found to be 'hash crackers', specializing in extracting passwords from account databases. Raids in Ukraine seized digital storage devices and cryptocurrency assets. Black Basta has targeted over 500 companies globally and is estimated to have earned hundreds of millions of dollars in cryptocurrency. Nefedov is believed to have ties to Russian intelligence agencies and was arrested in Armenia but secured his freedom. The group's internal chat logs leaked, revealing its structure and key members, and its data leak site was taken down in February 2025. Former affiliates may have migrated to the CACTUS ransomware operation.

Marquis Software Solutions Ransomware Attack Exposes Data from 74 US Financial Institutions

Marquis Software Solutions, a financial software provider, suffered a ransomware attack on August 14, 2025, through a compromised SonicWall firewall. The breach impacted over 74 US banks and credit unions, exposing personal information of approximately 400,000 customers. The stolen data includes names, addresses, phone numbers, Social Security numbers, financial account information, and dates of birth. Marquis has since taken steps to enhance its security measures, but there is no evidence of data misuse or publication. The attack is suspected to be linked to the Akira ransomware gang, which has been targeting SonicWall VPN devices.

INC Ransom Gang Disrupts OnSolve CodeRED Emergency Alert Platform

The INC Ransom gang has disrupted the OnSolve CodeRED emergency alert platform, stealing sensitive user data and forcing Crisis24 to decommission the legacy environment. The attack affected emergency notification systems used by state and local governments, police departments, and fire agencies across the United States. Data stolen includes names, addresses, email addresses, phone numbers, and passwords. The gang claims to have breached the system on November 1, 2025, and encrypted files on November 10, 2025. Crisis24 is rebuilding the service using backups from March 31, 2025, which may result in missing accounts. The incident highlights the critical impact of cyberattacks on emergency services and the importance of robust cybersecurity measures. The INC Ransom group has published screenshots of stolen data and is selling samples of the stolen data, escalating concerns among affected agencies. An operational security failure by the INC ransomware gang allowed researchers to recover data stolen from a dozen U.S. organizations. The investigation, conducted by Cyber Centaurs, revealed artifacts from the legitimate backup tool Restic, which exposed attacker infrastructure. The researchers developed a controlled enumeration process that confirmed the presence of encrypted data stolen from 12 unrelated organizations.

Qilin Ransomware Incident Analysis

Huntress Labs investigated a Qilin ransomware incident where the Huntress agent was installed post-incident on a single endpoint. Analysts pieced together the attack timeline using limited data sources, including managed antivirus alerts, Windows Event Logs, and Program Compatibility Assistant logs. The threat actor used a rogue ScreenConnect instance to deploy malicious files, including an infostealer, and attempted to disable Windows Defender before deploying ransomware.

Kraken Ransomware Implements System Benchmarking for Encryption Optimization

Kraken ransomware, active since early 2025 and linked to the defunct HelloKitty operation, benchmarks systems to determine optimal encryption methods. The ransomware targets Windows, Linux, and VMware ESXi systems, using temporary files to decide between full or partial encryption. Kraken employs SMB vulnerabilities for initial access, deploys Cloudflared and SSHFS for data exfiltration, and encrypts data based on system performance to avoid detection. Victims include organizations in the US, UK, Canada, Panama, Kuwait, and Denmark. Kraken also operates a cybercrime forum, 'The Last Haven Board,' and demands ransoms up to $1 million in Bitcoin. The group was observed in August 2025 by Cisco Talos, detailing intrusions where SMB flaws were abused for entry, followed by the use of Cloudflare for persistence and SSHFS for data theft before encryption.