Qilin Ransomware Leads The Attack Landscape With 70+ Claimed Victims in July

The ransomware threat landscape witnessed a concerning surge in July 2025, with the Qilin ransomware group maintaining its dominant position for the third time in four months.

The group successfully claimed 73 victims on its data leak site, representing 17.3% of the month’s total 423 ransomware incidents.

This marks a significant consolidation of criminal operations under established threat actors, as the ransomware ecosystem continues to evolve following the decline of previously dominant groups like RansomHub.

Qilin’s sustained leadership position reflects the group’s sophisticated operational capabilities and persistent targeting strategies.

Figure: Ransomware group distribution (Source – Cyble)

The ransomware-as-a-service operation has demonstrated remarkable consistency in victim acquisition, outpacing its closest competitor, INC Ransom, which claimed 59 victims during the same period.

The United States bore the brunt of these attacks, accounting for 223 victims—eight times more than second-place Canada—highlighting the continued focus on high-value Western targets.

Cyble researchers identified 25 critical infrastructure ransomware incidents throughout July, with Qilin operations particularly impacting sectors including government and law enforcement, energy and utilities, and telecommunications.

An additional 20 incidents showed potential supply chain implications due to compromised application software providers.

The group’s targeting methodology demonstrates a calculated approach toward maximizing both financial returns and operational disruption.

Exploitation of Enterprise Vulnerabilities

Qilin’s success stems partly from its systematic exploitation of known enterprise vulnerabilities.

The group has weaponized seven critical security flaws, including CVE-2023-48788, a SQL injection vulnerability in Fortinet FortiClientEMS affecting versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10.

This particular vulnerability allows attackers to execute arbitrary SQL commands through crafted HTTP requests, for example with a UNION-based payload such as:

' UNION SELECT user(), database(), version()-- 

Additional attack vectors include CVE-2019-18935, targeting Progress Telerik UI for ASP.NET AJAX through deserialization attacks, and CVE-2025-5777, exploiting out-of-bounds read conditions in Citrix NetScaler ADC and Gateway implementations.

Microsoft SharePoint environments face particular risk through four newly identified vulnerabilities: CVE-2025-53770, CVE-2025-53771, CVE-2025-49704, and CVE-2025-49706.

The persistence of these exploitation patterns shows the critical importance of proactive patch management and vulnerability remediation programs.

Organizations must prioritize securing internet-facing applications and implementing robust network segmentation to limit the blast radius of successful initial compromise attempts.
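Two checks a defender would want after the passage above, written here as an added example rather than code from the article or from Cyble: whether an installed FortiClientEMS build falls inside the affected ranges the article gives for CVE-2023-48788 (7.2.0 through 7.2.2 and 7.0.1 through 7.0.10), and a detection pass over web-server request lines looking for the UNION-based injection pattern shown above. The log format, timestamps and addresses are constructed for the example and are not real indicators.

```python
"""Defender-side checks for the FortiClientEMS SQL injection (CVE-2023-48788).

Added example; the version ranges come from the article, the log format and
sample lines are constructed for illustration.
"""
import re
from urllib.parse import unquote_plus

# Affected FortiClientEMS ranges as stated in the article (inclusive bounds).
AFFECTED_RANGES = [
    ((7, 2, 0), (7, 2, 2)),
    ((7, 0, 1), (7, 0, 10)),
]


def parse_version(text):
    """Turn '7.0.10' into (7, 0, 10).

    Tuples compare numerically, so 7.0.10 sorts after 7.0.9; a plain string
    comparison would wrongly place '7.0.10' before '7.0.2'.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True when the build lies in one of the article's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# A quote that breaks out of a string literal followed by UNION ... SELECT,
# as in the payload quoted in the article, or a quote followed by a comment
# terminator that discards the rest of the original statement.
UNION_INJECTION = re.compile(r"'\s*union\b[\s\S]*?\bselect\b", re.IGNORECASE)
COMMENT_TERMINATOR = re.compile(r"'\s*(--|#|/\*)")


def is_sqli_suspect(raw_field):
    """Decode a URI or body field and test it for the injection patterns."""
    decoded = unquote_plus(raw_field)
    decoded = unquote_plus(decoded)  # second pass catches double-encoded payloads
    return bool(UNION_INJECTION.search(decoded) or COMMENT_TERMINATOR.search(decoded))


# Constructed request log: timestamp, client, method, request path, status.
SAMPLE_LOG = """\
2025-07-02T10:14:03Z 203.0.113.7 POST /api/v1/login 200
2025-07-02T10:14:09Z 198.51.100.23 GET /search?q=%27%20UNION%20SELECT%20user()%2C%20database()%2C%20version()-- 500
2025-07-02T10:15:11Z 192.0.2.44 GET /search?q=fortinet+ems 200
2025-07-02T10:15:40Z 198.51.100.23 GET /item?id=1%27%20or%20%271%27%3D%271%27-- 200
"""


def flag_requests(log_text):
    """Return (client, path) for every request line carrying a suspect field."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the constructed format
        _ts, client, _method, path, _status = fields
        if is_sqli_suspect(path):
            hits.append((client, path))
    return hits


if __name__ == "__main__":
    for build in ("7.0.0", "7.0.10", "7.0.11", "7.2.2", "7.2.3"):
        print(f"FortiClientEMS {build}: {'AFFECTED' if is_affected(build) else 'not in range'}")
    for client, path in flag_requests(SAMPLE_LOG):
        print(f"suspect request from {client}: {path}")
```

The version check is the one to run first: a build in range is the condition to fix, and the log pass only tells you whether someone has already probed for it. The regexes are deliberately narrow to the pattern the article shows; a production rule set would be broader and tuned against the application's own traffic to keep false positives down.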
