Qilin Solidifies Claim As Top Ransomware Group

Qilin was the top ransomware group by a wide margin in June, solidifying its position as the top ransomware group since RansomHub went offline at the end of March.

It’s the second time in three months that Qilin led all ransomware groups in claimed victims, Cyble threat intelligence researchers reported in a blog post today.

With 86 claimed victims for the month of June, Qilin was more than 50 claimed attacks ahead of rivals like Akira, SafePay, Play, and INC (image below). Cyble said the data is preliminary and could rise somewhat as all the data is finalized, but Qilin is essentially assured of finishing in the top spot.

Can Qilin Remain the Top Ransomware Group?

Qilin led all ransomware groups in April after RansomHub went offline (possibly in an act of sabotage by rival DragonForce). SafePay edged out Qilin in May before Qilin returned to the top spot in June.

Part of Qilin’s success in recruiting Ransomware-as-a-Service (RaaS) affiliates in the wake of RansomHub’s decline lies in the services and support the Russia-linked group offers affiliates, including legal services too.

Among the group’s victims in June were high-value telecom, blockchain, healthcare and transportation organizations, Cyble said. Sensitive data may have been accessed, some of the group’s attacks have had supply chain implications.

Like other top ransomware groups, Qilin has overwhelmingly targeted the U.S., claiming 50 of the 213 total U.S. attacks in June. However, the group’s attacks have been more balanced across sectors, unlike other groups that have overwhelmingly targeted construction, professional services, healthcare and manufacturing.

“It remains to be seen if Qilin has RansomHub-like staying power, but so far its desire to woo affiliates with sophisticated technology and services is paying off,” Cyble said.

Other Ransomware Developments in June

Overall, Cyble said ransomware groups had claimed 377 victims as of late June, within range of May’s final count of 401 victims, “and a sign of potential stabilization following a three-month decline from February’s record attacks.”

Other groups weren’t standing still, suggesting that Qilin will have to work to stay on top.

The pro-Russian hacktivist group CyberVolk launched its own ransomware, the latest hacktivist group to move into ransomware.

RALord rebranded as Nova and launched its own ransomware-as-a-service (RaaS) program, aggressively recruiting affiliates, and the Chaos group announced its own RaaS operation and aggressive recruitment efforts. A new ransomware group known as Kawa4096 also emerged, claiming five victims, with similarities to the Akira ransomware group.

And the Scattered Spider group expanded from retail attacks to the insurance and airline sectors.

As Cyble concluded, “The enduring resourcefulness of ransomware groups and their affiliates serves as a reminder that security teams can’t rest, either.”

Related