
Qilin ransomware group targets multiple organizations, including South Korean financial sector and Romanian oil pipeline operator Conpet

5 unique sources, 19 articles

Summary


The Qilin ransomware group has been active, targeting multiple organizations, including Inotiv, a U.S.-based pharmaceutical company, Creative Box Inc. (CBI), a subsidiary of Nissan, Mecklenburg County Public Schools (MCPS), Asahi Group, Synnovis, a UK pathology services provider, and Conpet, Romania's national oil pipeline operator. The latest attack was on Conpet, where Qilin claims to have stolen nearly 1TB of documents and leaked over a dozen photos of internal documents containing financial information and passport scans as proof of the breach. The attack caused significant operational disruption, including the temporary takedown of the company's website. The group has also targeted other Japanese companies, including Shinko Plastics and Osaki Medical. The Qilin ransomware group operates as a ransomware-as-a-service (RaaS) network, providing tools and infrastructure to affiliates and taking a 15–20% share of ransom payments. The group's malware is custom-built in Rust and C for cross-platform attacks, including Windows, Linux, and ESXi systems. The Qilin ransomware operation was first launched as "Agenda" in August 2022 and rebranded to Qilin by September 2022. The Qilin ransomware operation has attacked more than 700 victims across 62 countries in 2025 and has published over 40 new victims per month in the second half of 2025. The Qilin ransomware operation uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools. The Qilin ransomware group has been observed exploiting unpatched VPN appliances and the lack of multi-factor authentication (MFA) to gain initial access to corporate networks. The group has been observed targeting small-to-medium-sized businesses in the construction, healthcare, and financial sectors, and using new extortion channels, including Telegram and public sites such as WikiLeaksV2.
The Qilin ransomware group has been observed collaborating with affiliates of the Scattered Spider group. It has operated as a ransomware-as-a-service (RaaS) group since 2023, leasing its tools and infrastructure to affiliates, and publishes victims' data on dark-web leak sites if no ransom is paid. Asahi Group Holdings confirmed that the personal data of approximately 1.914 million individuals, including 1.525 million customers, was or may have been exposed in the cyber-attack. The exposed data includes names, genders, dates of birth, postal addresses, email addresses, and phone numbers. Asahi Group Holdings spent two months investigating the breach, conducting root cause analysis, integrity checks, containing the ransomware, restoring systems, and strengthening security. Atsushi Katsuki, President and Group CEO of Asahi Group Holdings, publicly apologized for the difficulties caused by the disruptions. Asahi Group Holdings is reviewing the potential impact of the incident on its financial results for fiscal year 2025. The Qilin ransomware group claimed responsibility for the cyber-attack on Asahi Group Holdings. Asahi Group Holdings temporarily suspended its operations in Japan in late September following a system failure due to the ransomware attack. The disruptions included order and shipment operations, call centers, and customer service desks. Asahi Group Holdings postponed the launch of a new product scheduled to be released in October due to the cyber-attack. On October 7, the Qilin ransomware group listed Asahi on its data leak site, claiming to have stolen 27 GB of files from the company. Inotiv is notifying 9,542 individuals that their personal information was stolen in the August 2025 ransomware attack. Inotiv has restored availability and access to impacted networks and systems affected by the August 2025 ransomware attack.
The Qilin ransomware group claimed responsibility for the breach in August 2025, leaked data samples, and said they exfiltrated over 162,000 files totaling 176 GB from Inotiv. Asahi Group Holdings is considering the creation of a dedicated cybersecurity unit within the group. Asahi Group Holdings is scrapping the use of virtual private networks (VPNs) and is adopting a stricter zero-trust model. Asahi Group Holdings has postponed the disclosure of sales performance for its operating due to the ongoing effects of the cyber-attack on its systems. Asahi Group Holdings recorded a 20% year-on-year drop in alcohol sales in Japan in November 2025 due to the cyber-attack. Asahi Group Holdings has refrained from releasing monthly sales data by category and brand due to the ongoing effects of the cyber-attack on its systems. November marks the third consecutive month Asahi Group Holdings has skipped disclosures of sales data, citing difficulties in accurately compiling the figures.

Timeline

  1. 05.02.2026 17:15 1 article · 7h ago

    Qilin ransomware targets Romanian oil pipeline operator Conpet

    On February 5, 2026, the Qilin ransomware group targeted Conpet, Romania's national oil pipeline operator, disrupting its business systems and taking down the company's website. The group claims to have stolen nearly 1TB of documents and leaked photos of internal documents as proof of the breach. The incident affected Conpet's corporate IT infrastructure but did not disrupt its core operations. Conpet is investigating the incident with the help of national cybersecurity authorities and has filed a criminal complaint. This attack follows previous ransomware incidents in Romania, including attacks on Romanian Waters and Oltenia Energy Complex in December.

  2. 27.10.2025 10:55 5 articles · 3mo ago

    Qilin ransomware group uses BYOVD and legitimate tools in hybrid attacks

    Qilin affiliates use WinSCP to transfer the Linux ELF encryptor to compromised devices, which is then launched through the Splashtop remote management software (SRManager.exe) directly within Windows. The Qilin ransomware operation uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools. The Qilin ransomware group has also been observed targeting the South Korean financial sector in a sophisticated supply chain attack. The group leveraged a Managed Service Provider (MSP) compromise as the initial access vector, resulting in the theft of over 1 million files and 2 TB of data from 28 victims. The campaign, named 'Korean Leaks,' involved three waves of data leaks and used propaganda and political language to exert pressure on compromised organizations. The group also claimed to have an 'in-house team of journalists' to assist with writing texts for blog posts and applying pressure during negotiations.

  3. 07.10.2025 20:15 13 articles · 4mo ago

    Qilin ransomware targets Asahi Group

    Asahi Group Holdings has completed its investigation into the September cyberattack, revealing that the incident impacted up to 1.9 million individuals. The compromised data includes full names, genders, physical addresses, phone numbers, and email addresses, which could be used in phishing attempts. The company initially stated that no customer data was accessed but later confirmed a ransomware attack and data theft. The Qilin ransomware group claimed responsibility and published samples of exfiltrated files. Asahi has established a dedicated contact line for affected parties and is implementing enhanced security measures, including redesigned communication routes, tightened network controls, and upgraded threat-detection systems. The company is still working on restoring impacted systems two months after the initial compromise. Asahi Group Holdings is considering the creation of a dedicated cybersecurity unit within the group. Asahi Group Holdings is scrapping the use of virtual private networks (VPNs) and is adopting a stricter zero-trust model. Asahi Group Holdings has postponed the disclosure of sales performance for its operating due to the ongoing effects of the cyber-attack on its systems. Asahi Group Holdings recorded a 20% year-on-year drop in alcohol sales in Japan in November 2025 due to the cyber-attack. Asahi Group Holdings has refrained from releasing monthly sales data by category and brand due to the ongoing effects of the cyber-attack on its systems. November marks the third consecutive month Asahi Group Holdings has skipped disclosures of sales data, citing difficulties in accurately compiling the figures.

  4. 07.10.2025 18:45 1 article · 4mo ago

    Qilin ransomware targets Mecklenburg County Public Schools

    In early September 2025, the Qilin ransomware group claimed responsibility for an attack on Mecklenburg County Public Schools (MCPS), stealing 305 GB of sensitive data, including financial records, grant documents, budgets, and children’s medical files. The attack disrupted operations, forcing teachers to rely on pen, paper, and whiteboards for instruction. Internet systems were restored about a week later. MCPS Superintendent Scott Worner confirmed the attack and stated that the district is assessing the extent of the breach.

  5. 26.08.2025 16:48 1 article · 5mo ago

    Qilin ransomware targets Nissan subsidiary Creative Box Inc.

    On August 16, 2025, suspicious access was detected on a server of Creative Box Inc. (CBI), a subsidiary of Nissan; the Qilin ransomware group stole four terabytes of data, including 3D vehicle design models, internal reports, financial documents, VR design workflows, and photos. CBI implemented emergency measures and reported the incident to the police. The Qilin ransomware group added CBI to its extortion portal on August 20, 2025, threatening to make the stolen data public. Nissan confirmed the data breach and is conducting an investigation. The leaked data only impacts Nissan, as it is the sole customer of CBI.

  6. 19.08.2025 17:25 2 articles · 5mo ago

    Inotiv hit by Qilin ransomware attack

    On August 8, 2025, the Qilin ransomware group attacked Inotiv, encrypting critical systems and data. The incident disrupted business operations, affecting databases and internal applications. The company has engaged external security experts and notified law enforcement. The Qilin ransomware group claims to have stolen approximately 162,000 files totaling 176GB. Inotiv is working to restore affected systems and mitigate the impact, but no timeline for full recovery has been provided. Inotiv is notifying 9,542 individuals that their personal information was stolen in the August 2025 ransomware attack. Inotiv has restored availability and access to impacted networks and systems affected by the August 2025 ransomware attack.

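The WSL execution pattern described in timeline entry 2 (a Linux ELF encryptor launched from the Splashtop SRManager.exe process via WSL) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from CyberHappenings or any cited source: it runs two simple detections over constructed, Sysmon-style process-creation records. Host names, paths, command lines and the list of remote-management parents are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Windows binaries that hand execution to a Linux environment.
WSL_LAUNCHERS = {"wsl.exe", "bash.exe", "wslhost.exe"}
# Remote-management agents named on the page as the launch vehicle (SRManager.exe
# is Splashtop, ScreenConnect appears in the Huntress write-up). Assumption:
# extend with whatever your estate legitimately runs, then baseline parents.
RMM_PARENTS = {"srmanager.exe", "screenconnect.clientservice.exe"}


@dataclass
class ProcEvent:
    host: str
    image: str         # full path of the created process
    parent_image: str  # full path of the parent process
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection names that fire on one event (empty if none)."""
    hits: list[str] = []
    if _basename(ev.image) not in WSL_LAUNCHERS:
        return hits
    # Rule 1: WSL spawned by a remote-management agent (the Splashtop pattern).
    if _basename(ev.parent_image) in RMM_PARENTS:
        hits.append("wsl_spawned_by_rmm")
    # Rule 2: WSL told to run something from the Windows filesystem (/mnt/<drive>/),
    # which is how an ELF dropped on the Windows side would be executed.
    if "/mnt/" in ev.cmdline.lower():
        hits.append("wsl_exec_from_windows_path")
    return hits


def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map host -> unique detections fired, for hosts with at least one hit."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for name in classify(ev):
            bucket = out.setdefault(ev.host, [])
            if name not in bucket:
                bucket.append(name)
    return out


# Constructed sample telemetry: one benign developer launch, one Splashtop-parented
# WSL launch of a file under /mnt/c, one non-WSL Splashtop child, one Explorer-
# parented bash.exe running a script from a Windows drive.
SAMPLE_EVENTS = [
    ProcEvent("DEV-WS01", r"C:\Windows\System32\wsl.exe",
              r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe", "wsl.exe -d Ubuntu"),
    ProcEvent("FIN-WS07", r"C:\Windows\System32\wsl.exe",
              r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe",
              "wsl.exe -e /mnt/c/Users/Public/update.bin"),
    ProcEvent("FIN-WS07", r"C:\Windows\System32\cmd.exe",
              r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe",
              "cmd.exe /c whoami"),
    ProcEvent("HR-WS02", r"C:\Windows\System32\bash.exe",
              r"C:\Windows\explorer.exe", "bash.exe /mnt/d/tools/run.sh"),
]

if __name__ == "__main__":
    for host, names in scan(SAMPLE_EVENTS).items():
        print(host, names)
```

Rule 2 will also fire on legitimate developers who run scripts from their Windows drive, so it is a hunting lead to baseline per host rather than a standalone alert; rule 1 should be rare enough to page on.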


Similar Happenings

Black Basta Leader Identified and Added to Interpol's Red Notice List

Law enforcement in Ukraine and Germany have identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the leader of the Black Basta ransomware gang. Nefedov, known by multiple aliases, has been added to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Ukrainian police, in collaboration with German authorities, identified two additional individuals involved in initial network breaches and privilege escalation for ransomware attacks. These individuals were found to be 'hash crackers', specializing in extracting passwords from account databases. Raids in Ukraine seized digital storage devices and cryptocurrency assets. Black Basta has targeted over 500 companies globally and is estimated to have earned hundreds of millions of dollars in cryptocurrency. Nefedov is believed to have ties to Russian intelligence agencies and was arrested in Armenia but secured his freedom. The group's internal chat logs leaked, revealing its structure and key members, and its data leak site was taken down in February 2025. Former affiliates may have migrated to the CACTUS ransomware operation.

Qilin Ransomware Incident Analysis

Huntress Labs investigated a Qilin ransomware incident where the Huntress agent was installed post-incident on a single endpoint. Analysts pieced together the attack timeline using limited data sources, including managed antivirus alerts, Windows Event Logs, and Program Compatibility Assistant logs. The threat actor used a rogue ScreenConnect instance to deploy malicious files, including an infostealer, and attempted to disable Windows Defender before deploying ransomware.

Kraken Ransomware Implements System Benchmarking for Encryption Optimization

Kraken ransomware, active since early 2025 and linked to the defunct HelloKitty operation, benchmarks systems to determine optimal encryption methods. The ransomware targets Windows, Linux, and VMware ESXi systems, using temporary files to decide between full or partial encryption. Kraken employs SMB vulnerabilities for initial access, deploys Cloudflared and SSHFS for data exfiltration, and encrypts data based on system performance to avoid detection. Victims include organizations in the US, UK, Canada, Panama, Kuwait, and Denmark. Kraken also operates a cybercrime forum, 'The Last Haven Board,' and demands ransoms up to $1 million in Bitcoin. The group was observed in August 2025 by Cisco Talos, detailing intrusions where SMB flaws were abused for entry, followed by the use of Cloudflare for persistence and SSHFS for data theft before encryption.

DragonForce Cartel Ransomware Emerges with Conti-Derived Encryption

DragonForce, a Conti-derived ransomware operation, has evolved into a cartel-like structure, recruiting affiliates and partnering with Scattered Spider for sophisticated attacks. The group exploits vulnerable drivers to deactivate security programs and has intensified its operations, publishing details of more compromised entities. DragonForce offers affiliates 80% of profits, customizable encryptors, and infrastructure, lowering the barrier to entry for new cybercriminals. The group's partnership with Scattered Spider has enabled high-profile breaches, including the Marks & Spencer incident. DragonForce has also proposed cooperation among major ransomware operations to stabilize the market and increase collective profits. Security experts advise robust backup practices, network segmentation, and consistent patching to defend against such threats.

Conduent Data Breach Affects Millions

Conduent, a business services provider, has confirmed that a data breach in 2024 impacted over 10.5 million individuals. The breach, initially disclosed in January 2025, affected government agencies in multiple US states. The attackers accessed Conduent's network on October 21, 2024, and were evicted on January 13, 2025. The compromised data includes names, addresses, dates of birth, Social Security numbers, health insurance details, and medical information. Conduent serves over 600 government and transportation organizations, and roughly half of Fortune 100 companies. The company has not provided an exact number of affected individuals, but breach notices indicate at least 10.5 million people were impacted, with the largest number in Oregon (10.5 million) and over 4 million in Texas. The Safepay ransomware group claimed responsibility for the attack in February 2025 and claimed to have stolen 8.5TB of data. Conduent provides services to several other states where specific data breach figures aren't published, potentially increasing the actual impact. As of October 24, 2025, there is no evidence that the stolen data has been misused. Additionally, Ingram Micro, a major IT services provider, revealed a ransomware attack in July 2025 that affected over 42,000 individuals. The SafePay ransomware group was behind this attack, claiming to have stolen 3.5TB of documents. The attack triggered a massive outage and highlighted SafePay's growing activity as a significant ransomware threat.