Qilin RaaS Group Claims Most Victims for 2025

Day 42 of 100 in the 100 Days of Cyber Challenge

by Christopher Mohr

According to Ransomware.Live, a tracking site that publishes real-time ransomware statistics, the Ransomware-as-a-Service (RaaS) group Qilin has claimed the most victims in 2025: 1,047 as of 28 December 2025, when this article was written. That was well ahead of the second-place group, Akira, which had claimed 750 victims.

One reason Qilin has been the most prolific ransomware operation of the past year is its affiliate program, which puts the malware in the hands of many independent intrusion crews and so spreads it far more widely than a single operator could.

Qilin has been recruiting affiliates since at least July 2023, according to KELA. Ransom payments go directly to the affiliates, who then transfer a portion to the Qilin RaaS operators.

Affiliates keep up to 80% of the ransom when the amount is $3 million or less, and 85% when it exceeds $3 million.

One of these affiliates, Haise, recently posted on a ransomware forum that it was offering legal services: negotiation, advice on maximizing the economic damage to the victim, and assessments of the legal impact of the exfiltrated data.

This is part of a strategy to persuade victims that paying the ransom is cheaper than having the attack become public and paying steep legal costs to defend against the resulting lawsuits.

Qilin's attacks have done serious damage to numerous companies. The recent attack on Japanese brewing giant Asahi disrupted plant operations, caused shortages in distribution, involved the theft of 27 GB of data, and exposed sensitive data belonging to 1.5 million customers.

Pharmaceutical company Inotiv had 176 GB of data stolen in a Qilin attack back in August. More than 9,500 people, including current and former employees, their dependents, and anyone who had done business with Inotiv or the companies it acquired, had sensitive personal data exposed.

Inotiv may well have paid a ransom: the company no longer appears on Qilin's data leak site, which is a common (though not conclusive) sign that a victim settled.

Synnovis, a UK-based pathology lab, was hit by Qilin ransomware in June 2024. The attack took down almost all of its IT services, caused massive business disruption at the hospitals it serves, and led to shortages of O-negative blood across the country. Restoring and rebuilding the damaged systems took several months.

BlackFog grimly summarizes the devastation: a $50 million (USD) ransom demand, 400 GB of data stolen, 170 cases of harm to patients, and at least one death.

Qilin intrusions vary in their details, but here is the CliffsNotes summary of a typical one.

The typical Qilin attack starts with a phishing email. Clicking a malicious link drops a trojan on the unwary victim's machine, giving the attackers their initial foothold.

The ransomware executable is then staged on the network but not yet launched. Data is exfiltrated first, so the attackers hold leverage even if the victim can restore from backups.

Files are then encrypted and a double extortion campaign begins: pay the attackers for a decryption key, and pay again to keep the stolen data from being published.
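Because the exfiltration precedes the encryption, the two events are correlated in telemetry even though each one alone can look like routine activity (a backup, a bulk rename). The following is an added example, not code from the article or from any Qilin analysis: it runs a simple "large external transfer followed by a rename burst" rule over constructed endpoint and proxy events. The event schema, the internal address ranges, the thresholds and the extension list are all assumptions chosen for illustration, not Qilin-specific indicators.

```python
"""Added example, not from the article: flag the 'exfiltrate first, then encrypt'
sequence on constructed telemetry. The event schema, thresholds, internal
address ranges and extension list are all assumptions for illustration, not
Qilin-specific indicators."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: RFC 1918 space is "internal"; anything else counts as an external destination.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_BYTES = 5 * 1024**3   # >= 5 GiB from one host to one external destination
RENAME_BURST = 200           # >= 200 renames to one unfamiliar extension
WINDOW_SECS = 6 * 3600       # encryption expected within 6 h after the egress begins
KNOWN_EXTS = {"docx", "xlsx", "pdf", "txt", "bak"}  # assumed normal extensions


def is_external(dst):
    """True when dst is not inside one of the assumed internal networks."""
    try:
        addr = ip_address(dst)
    except ValueError:
        return True  # unresolved hostname: treat as external for this example
    return not any(addr in net for net in INTERNAL_NETS)


def large_egress(events):
    """Sum bytes_out per (host, external dst); keep pairs over threshold with their first timestamp."""
    totals = defaultdict(lambda: [0, None])
    for e in events:
        if e["kind"] != "egress" or not is_external(e["dst"]):
            continue
        t = totals[(e["host"], e["dst"])]
        t[0] += e["bytes_out"]
        t[1] = e["ts"] if t[1] is None else min(t[1], e["ts"])
    return {k: v for k, v in totals.items() if v[0] >= EGRESS_BYTES}


def rename_bursts(events, host, start, end):
    """Count renames on host to extensions outside KNOWN_EXTS within [start, end]."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "rename" and e["host"] == host and start <= e["ts"] <= end:
            ext = e["new_ext"].lower()
            if ext not in KNOWN_EXTS:
                counts[ext] += 1
    return {ext: n for ext, n in counts.items() if n >= RENAME_BURST}


def find_exfil_then_encrypt(events):
    """Hosts with a large external transfer followed by a rename burst inside the window."""
    hits = []
    for (host, dst), (nbytes, first_ts) in large_egress(events).items():
        bursts = rename_bursts(events, host, first_ts, first_ts + WINDOW_SECS)
        if bursts:
            hits.append({"host": host, "dst": dst, "bytes_out": nbytes, "renames": bursts})
    return hits


def sample_events():
    """Constructed telemetry: one benign backup, one exfil-only host, one full pattern."""
    base = 1_700_000_000
    ev = [  # benign: 8 GiB backup to an internal server, nothing renamed afterwards
        {"ts": base, "host": "ws-07", "kind": "egress", "dst": "10.0.5.20", "bytes_out": 8 * 1024**3},
        # large external upload with no encryption behind it (worth a look, but not this rule)
        {"ts": base, "host": "db-02", "kind": "egress", "dst": "198.51.100.9", "bytes_out": 6 * 1024**3},
    ]
    for i in range(12):  # fs-01: 12 GiB to an external host over 12 minutes ...
        ev.append({"ts": base + 60 * i, "host": "fs-01", "kind": "egress",
                   "dst": "198.51.100.7", "bytes_out": 1024**3})
    for i in range(300):  # ... then 300 files renamed to an unfamiliar extension 2 h later
        ev.append({"ts": base + 7200 + i, "host": "fs-01", "kind": "rename", "new_ext": "LOCKED"})
    for i in range(50):  # routine saves on fs-01 that must not count toward the burst
        ev.append({"ts": base + 7200 + i, "host": "fs-01", "kind": "rename", "new_ext": "docx"})
    return ev


if __name__ == "__main__":
    for hit in find_exfil_then_encrypt(sample_events()):
        print(hit)
```

Only fs-01 is flagged: ws-07's transfer stays internal and db-02 uploads a lot but never encrypts. The point of the rule is the ordering, which is why the egress side is keyed on its earliest timestamp and the rename search runs forward from there.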

The SANS Institute recommends the following measures to avoid Qilin attacks:

• Maintain and test backups.
• Ensure data loss prevention (DLP) systems are configured properly.
• Develop and rehearse incident response plans through tabletop exercises (TTXs).
• Prepare for scenarios where threat actors attempt to highlight the legal implications of breaches.

The Qilin attacks are just one of many cases where the recommendation comes down to basic cyber hygiene of the kind SANS suggests. It is unclear whether (1) users are not being trained in these practices, (2) they are trained but not following them, or (3) the attacks succeed in spite of a well-trained user base.

I suspect it is some combination of (1) and (2), and the question remains whether the best long-term solution is an email system in which clickable links are not possible. That seems like a good plan at first, but it is not practical in 2025, when email is heavily dependent on links and QR codes.

There are URL rewriting techniques that would seem to help, but these can be defeated too. If you sent an email to someone@bigbuckscompany.com, Big Bucks Company's mail gateway could be set up to rewrite every link in the message so that a click is first routed through a security service that inspects the destination for suspicious content and blocks it if any is found.

Unfortunately, the bad guys are on to that. They can use a URL rewriting service just as the good guys do, wrapping malicious URLs inside rewritten URLs from a trusted rewriter domain so that filters which only judge the outer host let them through.
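The weakness is in the filter, not the rewriting: a check that trusts the rewriter's domain never sees the real destination. The following is an added example, not code from the article or from any real link-protection product. The rewriter hosts, the query parameter that carries the original link, the wrapper format and the blocklist are all hypothetical; it shows a naive filter that judges the visible host beside a hardened one that peels known wrappers (including nested ones) before deciding, and that refuses chains deeper than a fixed limit.

```python
"""Added example, not from the article: why a link filter must unwrap URL
rewriting before judging a link. The rewriter hosts, query parameter name,
wrapper format and blocklist below are hypothetical."""
from urllib.parse import parse_qs, urlencode, urlsplit

WRAPPER_HOSTS = {"linkcheck.example", "safelink.vendor.example"}  # hypothetical rewriters
WRAP_PARAM = "u"                 # hypothetical: original URL carried in ?u=
BLOCKLIST = {"evil.example"}     # hypothetical known-bad destination
MAX_DEPTH = 5                    # longer wrapper chains are treated as hostile


def wrap(url, rewriter="linkcheck.example"):
    """Rewrite a link the way a mail gateway would, routing the click via the rewriter."""
    return f"https://{rewriter}/redirect?{urlencode({WRAP_PARAM: url})}"


def unwrap(url, max_depth=MAX_DEPTH):
    """Peel known wrappers off a URL. Returns (final_url, depth); final_url is None
    when the chain is deeper than max_depth, which the caller should treat as hostile."""
    depth = 0
    while depth < max_depth:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host not in WRAPPER_HOSTS:
            return url, depth
        inner = parse_qs(parts.query).get(WRAP_PARAM)
        if not inner:
            return url, depth       # rewriter URL without a target; nothing to peel
        url = inner[0]
        depth += 1
    return None, depth


def naive_verdict(url):
    """The weak check: judge only the host that appears in the link."""
    host = (urlsplit(url).hostname or "").lower()
    return "block" if host in BLOCKLIST else "allow"


def hardened_verdict(url):
    """The fixed check: judge the final destination after unwrapping."""
    final, _ = unwrap(url)
    if final is None:
        return "block"
    host = (urlsplit(final).hostname or "").lower()
    return "block" if host in BLOCKLIST else "allow"


if __name__ == "__main__":
    malicious = "https://evil.example/login"
    laundered = wrap(wrap(malicious), "safelink.vendor.example")  # attacker wraps it twice
    print(laundered)
    print("naive:", naive_verdict(laundered), " hardened:", hardened_verdict(laundered))
```

Run as a script it prints the double-wrapped link and the two verdicts, "allow" from the naive check and "block" from the hardened one. The depth cap matters: without it an attacker can make the filter chase a self-referential chain indefinitely, and a chain that is too deep to resolve is itself a reason to block.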

There does not seem to be a one-size-fits-all solution to this problem, which suggests that a layered approach is best: training; multi-factor authentication (MFA); segmenting systems to limit the blast radius; and planning for what seem to be inevitable attacks would be a good start.

