The Qilin ransomware group emerged as the dominant player in the global ransomware landscape, consolidating its position as a formidable cyber extortion actor. The group was responsible for approximately 73 confirmed victims, accounting for nearly 17% of the 423 ransomware disclosures tracked worldwide during the month. This marks the third time in four months that Qilin has led in victim volume, reflecting both its organizational maturity and its ability to absorb affiliates displaced by the decline of other major groups such as RansomHub and LockBit.
The United States continued to be the most heavily impacted nation, with over 220 reported victims, while Canada and several European countries followed at a distance. Attacks notably affected critical infrastructure and supply chain sectors, with at least 25 incidents targeting critical systems and 20 attacks disrupting supply chains. These intrusions were enabled by the exploitation of high-profile vulnerabilities, including flaws in Citrix NetScaler ADC and multiple Microsoft SharePoint weaknesses, underscoring Qilin’s technical adaptability.
Operating on a Ransomware-as-a-Service (RaaS) model, Qilin has successfully built a network of affiliates who utilize its toolkit for encryption, data theft, and double-extortion schemes. Its victim count in Q2 nearly doubled compared to earlier months, averaging close to 70 incidents monthly, which reflects aggressive expansion and sustained recruitment. The group has proven both opportunistic and resilient, capitalizing on the dismantling of competitors to secure its leadership position.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.