Qilin Ransomware Attacks Spike, Targeting Small Businesses

Summary
– The Qilin ransomware group is experiencing increased activity and is one of the longest-running ransomware-as-a-service operations.
– Qilin exploits security weaknesses like unpatched VPNs, lack of multi-factor authentication, and exposed management interfaces to infiltrate networks.
– Affiliates of the Scattered Spider group are now deploying Qilin’s ransomware, indicating deeper collaboration between cybercrime organizations.
– Qilin operates like a tech business, leasing tools to affiliates and experimenting with new extortion channels such as Telegram and WikiLeaksV2.
– S-RM recommends mitigating risks by patching systems, applying MFA, limiting exposed interfaces, segmenting networks, and proactive monitoring.
A significant surge in ransomware incidents has been linked to the Qilin ransomware group, a long-standing player in the ransomware-as-a-service (RaaS) ecosystem. Cybersecurity experts report that Qilin is actively exploiting common security weaknesses, including unpatched VPN appliances, the absence of multi-factor authentication (MFA), and poorly secured management interfaces. These vulnerabilities provide the group with an initial foothold into corporate networks. While high-profile attacks like the 2024 Synnovis breach on UK healthcare systems captured public attention, the majority of Qilin’s targets are actually small and medium-sized enterprises operating within the construction, healthcare, and financial industries.
Although Qilin has maintained a relatively low profile over the years, recent intelligence points to growing collaboration among cybercrime organizations. Investigators have observed that affiliates of the well-known Scattered Spider group are now deploying Qilin’s RaaS platform, signaling deeper partnerships between prominent threat actors. Since 2023, Qilin has functioned as a RaaS provider, leasing its malicious tools and infrastructure to other criminals. In most cases, initial network access is achieved through unpatched VPNs or remote access tools that rely on single-factor authentication.
A troubling trend identified in 2025 shows that 88% of Qilin incidents involved both data theft and file encryption. When victims refuse to pay the ransom, their stolen information is frequently published on dark-web leak sites. The group has also started experimenting with new extortion methods, using platforms like Telegram and public sites such as WikiLeaksV2 to increase pressure on targeted organizations.
According to Ted Cowell, head of cybersecurity UK at S-RM, “Qilin is part of a new generation of ransomware groups that operate more like tech businesses than hackers. Their affiliates rent the tools, share the profits and constantly test new ways to break into networks.” Cowell emphasized that Qilin’s under-the-radar operations make it especially dangerous. “It doesn’t always grab headlines, but it’s increasingly being used by other threat groups, including Scattered Spider. That makes attribution harder and defense even more complex,” he explained.
Many of these breaches stem from fundamental security oversights that organizations can address. To reduce the risk of a Qilin ransomware attack, businesses are urged to take several key steps. Regularly patching and updating VPNs and remote access devices is critical, as is applying MFA to all user accounts. Companies should also limit or remove any exposed management interfaces and implement network segmentation to isolate critical systems from general network traffic. Proactive monitoring for signs of lateral movement or other indicators of compromise is equally important.
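As an added illustration of the monitoring recommended above (example code written for this page, not from S-RM or the article), the script below scans constructed remote-access login events for the two initial-access weaknesses the article names: successful logins without MFA, and management interfaces reached from outside an admin network. The event fields, service names and the admin range are assumptions.

```python
# Added example, not from the article: triage of constructed VPN and
# management-interface login events for single-factor logins and
# management access from non-admin networks. Field names, service
# names and the admin range are assumed, not taken from any product.
import ipaddress
import json

# Constructed sample events (JSON lines); not real logs.
SAMPLE_EVENTS = """
{"ts":"2025-03-01T08:02:11Z","user":"jsmith","src":"203.0.113.7","service":"vpn","result":"success","mfa":true}
{"ts":"2025-03-01T08:05:40Z","user":"contractor1","src":"198.51.100.23","service":"vpn","result":"success","mfa":false}
{"ts":"2025-03-01T08:06:02Z","user":"admin","src":"198.51.100.23","service":"fw-mgmt","result":"success","mfa":false}
{"ts":"2025-03-01T08:09:15Z","user":"ops","src":"10.20.0.5","service":"fw-mgmt","result":"success","mfa":true}
{"ts":"2025-03-01T08:11:00Z","user":"bob","src":"203.0.113.9","service":"vpn","result":"failure","mfa":false}
"""

# Assumed policy: management interfaces may only be reached from these ranges.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]
MGMT_SERVICES = {"fw-mgmt", "vpn-admin"}


def triage(events_text, admin_nets=ADMIN_NETS):
    """Return (rule, user, src) findings for the given JSON-lines events."""
    findings = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev["result"] != "success":
            continue  # only successful logins grant a foothold
        src = ipaddress.ip_address(ev["src"])
        if not ev.get("mfa", False):
            findings.append(("single_factor_login", ev["user"], ev["src"]))
        if ev["service"] in MGMT_SERVICES and not any(src in n for n in admin_nets):
            findings.append(("mgmt_interface_exposed", ev["user"], ev["src"]))
    return findings


def single_factor_users(events_text):
    """Distinct accounts that logged in without MFA: the MFA rollout list."""
    return sorted({u for rule, u, _ in triage(events_text) if rule == "single_factor_login"})


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Feeding real appliance logs would require mapping each product's field names onto the ones assumed here.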
These findings underscore the increasing professionalism within ransomware networks and highlight the ongoing necessity for robust cybersecurity practices across every sector.
(Source: InfoSecurity Magazine)