The cybercriminal group known as Qilin has recently enhanced its ransomware-as-a-service (RaaS) operations by introducing a Call Lawyer feature within its affiliate panel. This strategic addition aims to exert increased pressure on victims, compelling them to pay substantial ransoms.
Qilin’s Evolution and Market Position
Since its emergence in October 2022, Qilin has rapidly ascended in the cybercrime hierarchy. The group’s sophisticated infrastructure and aggressive tactics have positioned it as a formidable player in the ransomware landscape. Notably, in April 2025, Qilin led the ransomware scene with 72 reported victims, surpassing other groups such as Safepay and Luna Moth. By May 2025, Qilin was responsible for 55 attacks, maintaining its prominence in the cyber threat arena.
The Call Lawyer Feature: A New Tactic
The introduction of the Call Lawyer feature marks a significant evolution in Qilin’s extortion strategies. This function allows affiliates to request legal consultation directly through the affiliate panel. Upon activation, Qilin’s in-house legal team contacts the victim, offering qualified legal support. The presence of legal counsel is intended to intimidate victims, suggesting potential legal repercussions and thereby increasing the likelihood of ransom payment.
A translated forum post from Qilin elaborates on this tactic:
“If you need legal consultation regarding your target, simply click the ‘Call lawyer’ button located within the target interface, and our legal team will contact you privately to provide qualified legal support. The mere appearance of a lawyer in the chat can exert indirect pressure on the company and increase the ransom amount, as companies want to avoid legal proceedings.”
Comprehensive Cybercrime Services
Beyond the Call Lawyer feature, Qilin has expanded its affiliate panel to offer a suite of services, transforming into a full-service cybercrime platform. These enhancements include:
– In-House Journalism Team: Dedicated to crafting press releases and managing public relations to manipulate public perception and apply additional pressure on victims.
– Distributed Denial-of-Service (DDoS) Capabilities: Enabling affiliates to launch DDoS attacks against victims, disrupting operations and increasing the urgency to comply with ransom demands.
– Spam Tools: Providing mechanisms to inundate corporate email addresses and phone numbers with spam, further harassing victims and complicating their recovery efforts.
These offerings underscore Qilin’s commitment to providing affiliates with a comprehensive toolkit for executing high-impact ransomware attacks.
Impact of Rival Groups’ Decline
The recent decline of prominent ransomware groups such as LockBit, BlackCat, RansomHub, Everest, and BlackLock has created a power vacuum in the cybercriminal ecosystem. Qilin has capitalized on this opportunity, attracting affiliates from these defunct groups and expanding its influence. This influx of experienced cybercriminals has likely contributed to the surge in Qilin’s activities and the rapid development of its RaaS platform.
Technical Sophistication and Evasion Techniques
Qilin’s technical infrastructure is notable for its sophistication. The group employs payloads developed in the Rust and C programming languages, known for their efficiency and complexity. Additionally, Qilin utilizes advanced loaders equipped with evasion features designed to bypass traditional security measures. The affiliate panel offers functionalities such as Safe Mode execution, network propagation tools, log cleanup utilities, and automated negotiation interfaces, facilitating seamless and effective ransomware deployment.
Legal and Ethical Implications
The incorporation of legal consultation services into Qilin’s operations raises significant ethical and legal questions. By simulating legal proceedings and leveraging the fear of legal consequences, Qilin manipulates victims into compliance. This tactic not only exploits the victims’ apprehensions but also blurs the lines between cybercrime and legitimate legal practices, complicating law enforcement efforts and victim responses.
Conclusion
Qilin’s introduction of the Call Lawyer feature and the expansion of its affiliate services represent a concerning evolution in ransomware tactics. By integrating psychological manipulation with technical prowess, Qilin enhances its ability to coerce victims into paying ransoms. This development underscores the need for organizations to adopt comprehensive cybersecurity measures, including employee training, robust incident response plans, and collaboration with legal experts to navigate the complex landscape of cyber threats.