Qilin Ransomware Group Ascends as Dominant Cyber Threat in April 2025

In April 2025, the cybercriminal landscape shifted noticeably: the Qilin ransomware group became the most active threat actor, claiming responsibility for 74 attacks globally. The surge followed the abrupt decline of RansomHub, which had dominated the ransomware scene since early 2024 but listed only three victims in April before its data leak site went offline. As with most ransomware statistics, these counts are derived from victims posted on leak sites, so they reflect what the groups claim rather than independently confirmed intrusions.

The Rise of Qilin

Qilin’s rapid ascent points to a major realignment in the ransomware-as-a-service (RaaS) market. As RansomHub’s influence waned, its affiliates looked for new partners, and Qilin became a preferred choice on the strength of its aggressive tactics and mature affiliate operation.

Geographic Reach and Target Selection

Qilin’s operations have shown broad geographic reach, with significant activity across North America, Europe, and the Asia-Pacific region. The United States remained the most targeted country, with 234 ransomware attacks recorded overall in April, but Qilin established itself as a threat on several continents. The group has focused on high-value victims in the software, manufacturing, and critical infrastructure sectors, which suggests deliberate victim selection aimed at maximizing ransom leverage rather than opportunistic targeting.

Notable Attacks Attributed to Qilin

Several high-profile incidents have been linked to Qilin’s operations:

– Healthcare Sector: In June 2024, Qilin launched a devastating attack on Synnovis, a key supplier of blood testing and transfusion services for NHS hospitals in London. The breach triggered a critical incident, causing widespread disruption across healthcare services. ([em360tech.com](https://em360tech.com/tech-articles/what-qilin-ransomware-rising-threat-cybersecurity?utm_source=openai))

– Automotive Industry: In November 2023, Qilin claimed responsibility for a cyber attack on Yanfeng Automotive Interiors, one of the world’s largest automotive parts suppliers. The attack disrupted operations and highlighted the group’s capability to target major industrial players. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/qilin-ransomware-claims-attack-on-automotive-giant-yanfeng/?utm_source=openai))

– Media Sector: In February 2025, Qilin targeted Lee Enterprises, a US-based media company operating over 77 daily newspapers and numerous digital platforms. The attack led to significant operational disruptions and the exfiltration of sensitive data. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/qilin-ransomware-claims-attack-at-lee-enterprises-leaks-stolen-data/?utm_source=openai))

Operational Tactics and Techniques

Qilin intrusions typically follow a multi-stage chain:

1. Initial Compromise: The group often begins with targeted phishing emails carrying malicious attachments that exploit known vulnerabilities in document-processing applications.

2. Persistence and Reconnaissance: Once executed, the malware establishes persistence through registry modifications (for example, autorun keys) and performs extensive network reconnaissance to identify the assets whose encryption will hurt the victim most.

3. Data Exfiltration and Encryption: Before running its encryption routine, Qilin exfiltrates data over encrypted channels to command-and-control servers, which the group prefers to host in jurisdictions with limited international cooperation.

This double-extortion model, combining data theft with encryption, has become more refined in recent campaigns. In April alone, Qilin claimed to have stolen over 1.1 TB of data from a France-based transportation software provider and roughly 1 TB from a major South Korean industrial conglomerate. Because the stolen data is the group’s second lever, the bulk outbound transfer that precedes encryption is one of the last detection opportunities before impact.
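The two observable points in the chain above, registry persistence (stage 2) and bulk exfiltration ahead of encryption (stage 3), both lend themselves to simple detection logic. The following Python script is an added example written for this page, not Qilin tooling or any vendor's detection content. It runs over constructed, Sysmon-style registry events and constructed flow records (the hostnames, the SID, the file paths and the TEST-NET addresses 203.0.113.7 and 198.51.100.9 standing in for external C2 are all invented for the example), and flags Run-key writes that point into user-writable directories and per-host outbound transfers to a single external address above a size threshold.

```python
"""Detection sketch for the intrusion chain described above: Run-key
persistence followed by bulk outbound transfer before encryption.

All events and flow records below are constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed Sysmon-style events. EventID 13 is RegistryEvent (value set).
# Hosts, SID and paths are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS-0412",
     "TargetObject": r"HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\jdoe\AppData\Roaming\svc\update.exe",
     "Image": r"C:\Windows\System32\reg.exe"},
    {"EventID": 13, "Computer": "WS-0412",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "Image": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 1, "Computer": "WS-0412",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

# Autorun registry locations and directories an unprivileged user can write to.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def find_suspicious_persistence(events):
    """Return (host, key, value) for Run-key writes whose target binary
    lives in a user-writable path. Installer writes under Program Files
    are left alone, which keeps the rule quiet on normal software updates."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        if not RUN_KEY.search(ev.get("TargetObject", "")):
            continue
        if USER_WRITABLE.search(ev.get("Details", "")):
            hits.append((ev["Computer"], ev["TargetObject"], ev["Details"]))
    return hits


# Constructed flow records: "timestamp src_host dst_ip dst_port bytes_out".
# 203.0.113.7 and 198.51.100.9 are TEST-NET addresses used as stand-ins for
# external destinations; byte counts mirror the volumes reported in the text.
SAMPLE_FLOWS = [
    "2025-04-02T01:10:00Z WS-0412 203.0.113.7 443 38654705664",      # ~36 GiB out
    "2025-04-02T01:12:00Z WS-0412 10.0.0.5 445 1048576",            # internal SMB
    "2025-04-02T01:15:00Z SRV-FS01 203.0.113.7 443 1100000000000",   # ~1.1 TB out
    "2025-04-02T01:20:00Z WS-0200 198.51.100.9 443 5242880",         # 5 MiB, benign
]

# Explicit RFC 1918 ranges. ipaddress.is_private is not used because it also
# treats the TEST-NET documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_bulk_egress(flow_lines, threshold_bytes=10 * 1024 ** 3):
    """Sum outbound bytes per (host, external destination) and return the
    pairs at or above the threshold (default 10 GiB). Internal destinations
    are skipped so normal file-server traffic does not trip the rule."""
    totals = defaultdict(int)
    for line in flow_lines:
        _ts, host, dst, _port, nbytes = line.split()
        if is_internal(dst):
            continue
        totals[(host, dst)] += int(nbytes)
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    for host, key, value in find_suspicious_persistence(SAMPLE_EVENTS):
        print(f"[persistence] {host}: {key} -> {value}")
    for (host, dst), total in find_bulk_egress(SAMPLE_FLOWS).items():
        print(f"[egress] {host} -> {dst}: {total / 1024 ** 3:.1f} GiB")
```

The egress threshold is deliberately crude; in production it should be a per-host baseline rather than a fixed 10 GiB, and the aggregation window should span hours, since exfiltration of a terabyte is spread over many flows. The persistence rule keys on the target path rather than the writing process because attackers routinely launder the write through legitimate tools such as reg.exe.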

Global Impact and Response

Global ransomware attacks dipped to 450 in April from 564 in March, the lowest monthly figure since November 2024. Analysts caution that this most likely reflects a transitional period, with affiliates realigning around emerging RaaS leaders such as Qilin, rather than any sustained decrease in ransomware activity. The long-term trend remains decisively upward.

Qilin’s emergence as April’s leading ransomware threat is a reminder that organizations need to bolster their defenses against the full attack chain, not just the initial phishing lure. Robust email filtering, regular security awareness training, and prompt patching remain essential, but because Qilin’s leverage comes from stolen data as much as from encryption, monitoring for unexpected bulk outbound transfers and maintaining tested, offline backups are equally important in limiting the damage such groups can do.