
Qilin has claimed responsibility for its 700th ransomware attack of 2025 – but who are they and how do they operate?
Comparitech researchers have looked into Qilin, a Russia-based group that first appeared in 2022. It only began drawing attention in 2023, when it claimed 45 attacks. In 2024, the number of its victims jumped to 179, and then quadrupled this year.
Some of the big alleged attacks by Qilin include a cyberattack on Asahi Holdings, Japan’s largest brewer, which caused a shortage of the country’s most popular beers, soft drinks, and cold teas, and an attack on Volkswagen Group France, in which the gang claimed to have exfiltrated about 2,000 files and 150 GB of data consisting of sensitive client, employee, and business information.
Ransomware-as-a-service
At least part of Qilin’s recent attacks could be attributed to its ransomware-as-a-service business model, researchers say. In essence, the group rents out its malware and infrastructure to paying affiliates to carry out attacks and collect ransoms.
Qilin benefited from RansomHub going dark in April 2025, when RansomHub’s affiliates switched to Qilin’s services. Around the same time, the number of its attack claims skyrocketed by 280%, from 185 at the end of April 2025 to 701 now.
Who are the victims?
The gang primarily targets manufacturers, finance companies, retailers, healthcare providers, and government agencies, as these sectors store sensitive information and can suffer the most from data breaches.
On average, businesses make up the biggest portion of Qilin’s claimed attacks, with manufacturers, such as Asahi Group Holdings and France’s Alu Perpignan, being its preferred victims. While Asahi is still struggling to restore its systems, Alu Perpignan said that a shutdown of computer systems for three weeks cost it three months’ worth of business.
Researchers also note a recent attack on Nissan’s design agency, Nissan Creative Box Inc., in which Qilin claimed to have stolen over 4 TB of data (including design data), which it could potentially leak or expose to competitors.
Despite Qilin largely favoring businesses as its targets, the education sector saw the most significant (420%) increase in attacks from 2024 to 2025.
Government agencies also saw a big jump (344%), while the healthcare sector saw the lowest increase (125%).
Out of the reported 701 victims, researchers note the following stats:
- 45 attacks on healthcare providers (14 confirmed)
- 40 attacks on government entities (22 confirmed)
- 26 attacks on the education sector (7 confirmed)
- 590 attacks on businesses (75 confirmed):
  - 143 on manufacturers (11 confirmed)
  - 108 on service-based businesses (9 confirmed)
  - 69 on finance companies (27 confirmed)
  - 50 on retailers (2 confirmed)
  - 34 on construction companies (2 confirmed)
In addition, the gang has stolen 116 TB of data across all attacks and breached 788,377 records in confirmed attacks.
When it comes to affected countries, the US suffered the most attacks (375), followed by France (41), Canada (39), South Korea (33), and Spain (26).
Massive ransom demands
Cybercriminals commonly target businesses not only to collect useful data and potentially sell it, but also to demand a ransom from their victims.
When it comes to Qilin’s ransom demands in 2025, some of the biggest ones included:
- Malaysia Airports Holdings Bhd – the gang demanded $10 million after an attack on Malaysia’s Kuala Lumpur International Airport in March 2025, which disrupted its systems and allegedly netted the gang 2 TB of data. Airport officials said they have refused to pay.
- Cleveland Municipal Court, US – Qilin reportedly demanded $4 million after causing weeks of disruption at the court in February 2025. The court refused to pay.
- Ciudad Autónoma de Melilla, Spain – Qilin demanded $2.12 million following a disruption that affected the Spanish city in June 2025. Qilin also said that it stole 4 to 5 TB of data, although no ransom was paid.
“By operating as a ransomware-as-a-service business, Qilin has been able to scale up its organization to an alarming level, targeting hundreds of organizations and with a large amount of success,” Rebecca Moody, Head of Data Research at Comparitech, said.
“As its affiliates work to encrypt systems and steal data, Qilin is causing mass disruption to businesses of all sizes this year and, if its 100+ victims in October are anything to go by, its operation is only gaining momentum.”