Qilin ransomware activity surge with affiliate-led RaaS operations

Malware Activity
H score 36
1 unique source, 1 article

Summary

The Qilin ransomware operation is seeing a rise in attacks, increasing the risk of data theft and file encryption across corporate networks. The group relies on an affiliate-driven RaaS model and commonly breaks in through unpatched VPN appliances, lack of MFA, and exposed management interfaces. In 2025, 88% of observed cases combined theft and encryption, and stolen data was often posted to leak sites when ransom demands were refused. The activity is hitting small-to-medium businesses in construction, healthcare, and financial sectors, with Scattered Spider affiliates also using the platform.

Related Happenings

Akira group rapid double-extortion ransomware activity

Malware Activity
First: 02.04.2026 16:00 Last: 02.04.2026 16:00 Sources 1

About this happening: **Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...

TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns

Threat Actor Meta
First: 31.03.2026 15:15 Last: 31.03.2026 15:15 Sources 1

About this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...

SmarterMail initial-access ransomware campaign with delayed encryption

Campaign
First: 18.02.2026 18:27 Last: 18.02.2026 18:27 Sources 1

About this happening: A **SmarterMail** ransomware campaign is using newly disclosed email-server flaws for **initial access** and delaying encryption, raising the risk that exposed mail systems become...

Ransomware victim listings and active groups surge across 2025

Target Trend
First: 18.02.2026 13:30 Last: 18.02.2026 13:30 Sources 1

About this happening: **Ransomware** victim listings climbed to **7,458** on leak sites in **2025**, while active groups reached **124**, signaling a broader and more fragmented extortion ecosystem.

Qilin, Akira and Sinobi late-2025 ransomware wave

Campaign
First: 29.01.2026 15:01 Last: 29.01.2026 15:01 Sources 1

About this happening: A **late-2025 ransomware wave** led by **Qilin**, **Akira** and **Sinobi** increased pressure on **organizations** as operators prioritized **fast access and execution** to evade...

Timeline

  1. 11.11.2025 18:00 2 articles · 6mo ago

    Qilin ransomware activity surge and affiliate collaboration observed

    Initial Disclosure

    S-RM observed a rise in activity tied to the Qilin ransomware group, a ransomware-as-a-service operation active since 2023, and noted that affiliates of the Scattered Spider group are deploying Qilin’s RaaS platform. Qilin continues to gain initial access through unpatched VPN appliances, lack of MFA, exposed management interfaces, and single-factor remote access tools, while 88% of observed 2025 cases combined data theft with file encryption and sometimes published stolen data on dark-web leak sites if ransom was refused. Most victims are small-to-medium-sized businesses in construction, healthcare, and financial sectors, and Qilin has also experimented with Telegram and public extortion sites such as WikiLeaksV2.