Qilin ransomware-as-a-service affiliate model and revenue-sharing ecosystem
Threat Actor Meta
Summary
Qilin's ransomware-as-a-service model is expanding extortion reach by selling tools and infrastructure to affiliates and taking a 15–20% cut of ransom payments. That arrangement lowers the barrier to entry for affiliates and helps Qilin scale attacks across Windows, Linux and ESXi environments. The group's recent activity also places it among the most prolific ransomware actors, reinforcing its market position in the criminal ecosystem.
Related Happenings
GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor Meta
H score: 15
First: 29.05.2026 14:31
Last: 29.05.2026 14:31
Sources 1
About this happening:
A newly characterized **GREYVIBE** actor sits in a **grey zone** between **Kremlin-aligned intelligence work** and the **Russian cybercrime ecosystem**, complicating attribution f...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
H score: 4
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score: 57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
Medusa ransomware post-compromise deployment
Malware Activity
H score: 48
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Akira group rapid double-extortion ransomware activity
Malware Activity
H score: 45
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
About this happening:
**Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...
Timeline
- 07.10.2025 20:15 · 3 articles · 8mo ago
Qilin ransomware-as-a-service affiliate model
Technical Analysis Update
Qilin operates a ransomware-as-a-service ecosystem that supplies affiliates with ransomware tools and infrastructure, takes a 15–20% share of ransom payments, and uses custom-built Rust and C malware for cross-platform attacks against Windows, Linux and ESXi environments. The group's scale has been reported at 227 claimed attacks in Q3 2025 and 16% of all ransomware attacks in August 2025.
Sources:
- Qilin Ransomware Gang Claims Asahi Cyber-Attack — www.infosecurity-magazine.com — 07.10.2025 20:15
- Qilin Ransomware Activity Surges as Attacks Target Small Businesses — www.infosecurity-magazine.com — 11.11.2025 18:00