Qilin ransomware-as-a-service affiliate model and revenue-sharing ecosystem
Threat Actor Meta
Summary
Qilin's ransomware-as-a-service model is expanding extortion reach by selling tools and infrastructure to affiliates and taking a 15–20% cut of ransom payments. That arrangement lowers the barrier to entry for affiliates and helps Qilin scale attacks across Windows, Linux and ESXi environments. The group's recent activity also places it among the most prolific ransomware actors, reinforcing its market position in the criminal ecosystem.
Related Happenings
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
Medusa ransomware post-compromise deployment
Malware Activity
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Akira group rapid double-extortion ransomware activity
Malware Activity
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
About this happening:
**Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
Timeline
07.10.2025 20:15 3 articles · 7mo ago
Qilin ransomware-as-a-service affiliate model
Technical Analysis Update
Qilin operates a ransomware-as-a-service ecosystem that supplies affiliates with ransomware tools and infrastructure, takes a 15–20% share of ransom payments, and uses custom-built Rust and C malware for cross-platform attacks against Windows, Linux and ESXi environments. The group's scale has been reported at 227 claimed attacks in Q3 2025 and 16% of all ransomware attacks in August 2025.
Sources
- Qilin Ransomware Gang Claims Asahi Cyber-Attack — www.infosecurity-magazine.com — 07.10.2025 20:15
- Qilin Ransomware Activity Surges as Attacks Target Small Businesses — www.infosecurity-magazine.com — 11.11.2025 18:00