Qilin campaign expands across multiple victims
Campaign
Summary
Hide ▲
Show ▼
Qilin remains a dominant ransomware-as-a-service (RaaS) campaign as the market reconsolidates after disruptions to LockBit and RansomHub. Check Point says Qilin holds around 16% market share, and Sophos X-Ops CTU data shows 1,496 victims listed on its leak site over the last 12 months from July 2026. The group still uses double extortion and keeps up a steady victimization cadence, while The Gentlemen briefly overtook Qilin in June 2026 with 115 victims versus 78. Qilin also targeted a Check Point Remote Access VPN and Mobile Access vulnerability, affecting one customer, and the broader ransomware market remains volatile and competitive.
Related Happenings
Qilin consolidates into dominant RaaS position as ransomware market reconcentrates
Threat Actor Meta
H score39
First: 03.07.2026 16:00
Last: 03.07.2026 16:00
Sources 1
How related:
The ransomware ecosystem is moving from fragmentation back to consolidation, with Qilin emerging as the dominant ransomware-as-a-service (RaaS) operation after the disruption of major groups including LockBit and RansomHub.
About this happening:
**Qilin** is consolidating into a dominant **RaaS** position as the ransomware ecosystem shifts back from fragmentation to concentration, increasing affiliate scale and victim vol...
Qilin consolidates into dominant RaaS position as ransomware market reconcentrates
Threat Actor MetaHow related: The ransomware ecosystem is moving from fragmentation back to consolidation, with Qilin emerging as the dominant ransomware-as-a-service (RaaS) operation after the disruption of major groups including LockBit and RansomHub.
About this happening: **Qilin** is consolidating into a dominant **RaaS** position as the ransomware ecosystem shifts back from fragmentation to concentration, increasing affiliate scale and victim vol...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor Meta
H score26
First: 10.06.2026 17:03
Last: 10.06.2026 17:03
Sources 1
About this happening:
**The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
Campaign
H score53
First: 20.04.2026 16:33
Last: 20.04.2026 16:33
Sources 1
About this happening:
The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
CampaignAbout this happening: The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
Aleksey Olegovich Volkov sentenced in Yanluowang ransomware case
Law Enforcement
H score35
First: 24.03.2026 15:06
Last: 24.03.2026 15:06
Sources 1
About this happening:
The **Justice Department** said **Aleksey Olegovich Volkov** was **sentenced to 81 months** in prison for serving as an **initial access broker** in **Yanluowang ransomware** atta...
Aleksey Olegovich Volkov sentenced in Yanluowang ransomware case
Law EnforcementAbout this happening: The **Justice Department** said **Aleksey Olegovich Volkov** was **sentenced to 81 months** in prison for serving as an **initial access broker** in **Yanluowang ransomware** atta...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
H score25
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor MetaAbout this happening: **hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
Timeline
-
03.07.2026 16:00 1 articles · 6d ago
Qilin grows ransomware market share and victim listings
Campaign Scope UpdateCheck Point said Qilin now holds around 16% of the cybercriminal market share, and Sophos X-Ops CTU data showed 1,496 victims listed on Qilin's data leak site over the last 12 months from July 2026. Comparitech data also said The Gentlemen briefly knocked Qilin off the top spot in June 2026, with The Gentlemen at 115 victims and Qilin at 78, underscoring continued consolidation and competition across the ransomware market.
Show sources
- Qilin Dominates Ransomware Market Amid Growing Cybercrime Consolidation — www.infosecurity-magazine.com — 03.07.2026 16:00
-
27.10.2025 17:18 1 articles · 8mo ago
Qilin cross-platform Windows ransomware campaign disclosed
Initial DisclosureTrend Micro said Qilin, also tracked as Agenda, deployed a Linux-based ransomware binary on Windows hosts by abusing AnyDesk, ATERA Networks’ remote monitoring and management (RMM) platform, ScreenConnect, WinSCP, and Splashtop Remote, while targeting Veeam backup infrastructure to harvest credentials before ransomware deployment. The intrusion chain also used fake Google CAPTCHA pages hosted on Cloudflare R2 storage infrastructure to deliver an infostealer that collected authentication tokens, browser cookies, and stored credentials, enabling MFA bypass and lateral movement with legitimate user sessions. Cisco Talos said Qilin was posting more than 40 leak-site cases per month, with a peak of 100 cases in June 2025 and a similar level in August, and Trend Micro said the operation had affected more than 700 organizations across 62 countries since January, especially in manufacturing, technology, financial services, and healthcare.
Show sources
- Qilin Targets Windows Hosts With Linux-Based Ransomware — www.darkreading.com — 27.10.2025 17:18