Qilin Ransomware Sees Surge After Collapse of Dominant RansomHub RaaS
The ransomware landscape underwent significant disruption, marked by the abrupt cessation of operations from several prominent Ransomware-as-a-Service (RaaS) groups, including RansomHub, Babuk-Bjorka, FunkSec, BianLian, 8Base, Cactus, Hunters International, and LockBit.
This wave of disappearances has fragmented the ecosystem, diminishing the dominance of major players and fostering a proliferation of smaller, independent actors.
Global law enforcement efforts, encompassing infrastructure takedowns, indictments, and exposures of affiliates, have played a pivotal role in this decline.
Fragmentation Hits Ransomware Ecosystem
Concurrently, a 6% drop in victims published on Data Leak Sites (DLS) compared to the prior 12-month average underscores reduced activity, with Q2 recording 1,607 victims across over 75 monitored DLS platforms, a stark contrast to Q1’s 2,289.
This downturn correlates with diminished ransom payment rates, estimated at 25-27%, driven by policy restrictions, unreliable decryption tools, and enhanced victim resilience through backup strategies.
Geographically, the United States continued to bear the brunt, comprising half of reported victims, while groups like Safepay targeted Germany (claiming 40% of its 76 victims), Akira focused on Italy (10% of its victims), and Satanlock hit Brazil (14% of its cases).
Industry-wise, healthcare remained vulnerable, representing 8% of victims, with INC Ransom accounting for nearly 17% of sector disclosures, predominantly through data exfiltration tactics.
Shift to Data-Centric Extortion
The collapse of RansomHub in early April 2025 created a vacuum that Qilin swiftly exploited, nearly doubling its monthly victim publications from 35 to 70 by attracting orphaned affiliates via aggressive recruitment on forums like Ramp.
As a veteran RaaS operator since 2022, Qilin provides affiliates with an advanced administrative panel featuring encryptors, negotiation infrastructure, and novel extortion tools, including integrated DDoS capabilities and AI-assisted services for regulatory complaint preparation, customer outreach, and communication channel flooding.

According to a Check Point Research report, this aligns with an industry-wide pivot from encryption-based attacks, which are fraught with detection risks and low payout success, to data-theft extortion, emphasizing public exposure and psychological leverage.
Qilin’s innovations, such as legal assessments of stolen data for submissions to authorities like the FBI and spam tools potentially powered by AI, aim to escalate victim pressure and boost compliance rates.
Meanwhile, competitors like DragonForce have adopted marketing-driven strategies, forming a “Ransomware Cartel” for white-label operations and claiming RansomHub’s migration, which correlated with spikes in their victim counts.
Hunters International exemplifies the low-friction trend, abandoning encryption in favor of the World Leaks platform for discreet data-only extortion, notifying only leadership to minimize visibility.
Emerging AI integrations, as seen in Global Group’s negotiation support, further signal automation’s role in refining extortion psychology.

Despite these adaptations, encryption persists as a threat, evidenced by Scattered Spider’s deployment of DragonForce encryptors against UK retailers like Marks & Spencer, causing operational disruptions.
Overall, Q2 2025 highlights a contracting yet resilient ransomware domain, where strategic shifts toward fragmented, data-focused models counterbalance enforcement pressures and declining profitability.