
SK Group, a global energy and manufacturing giant, has been claimed by the Qilin ransomware group, along with an alleged 1TB cache of stolen files.
The South Korean multi-manufacturing and services conglomerate was posted on the ransomware group’s dark leak site around 6:30 a.m. ET Thursday morning.
“Over 1TB of files downloaded from their servers,” the ransomware group claimed in the post, although as of Thursday afternoon, Qilin provided no ‘proof’ samples of its handiwork.
The suspected Russian-speaking gang went on to announce that “the company has 48 hours to contact us before we publish the data” – again, with no hint on what that data may contain.
Cybernews has reached out to the US representative for SK Group, but has not heard back at the time of this report.

In a random update to the blog on Friday, the group posted a single image of what appears to be a business meeting between SK executives and an unidentified US official on video conference with an American flag in the background.
“Is the U.S. investing? Interesting, of course. Now there will be many people willing to buy such information,” one commenter posted under the pic.

SK holds interest in 260 affiliate companies worldwide
The SK Group is a leader in the energy, telecommunications, and semiconductor industries, operating more than 175 companies globally, including in the Information and Communications Technology (ICT), advanced materials, biopharmaceuticals, mobility, life sciences, and EV batteries sectors, the company’s website states.
SK is headquartered in Seoul and has over 260 global affiliates and over 80,000 employees worldwide. Its economic stronghold in the East Asian nation and growing footprint in the US make it a prime target.
A Fortune 100 company, SK touts recent investments of more than $50 billion in US businesses across 20 states, as laid out in the map below.

SK Group is the second largest family-run conglomerate in South Korea, only behind Samsung. According to stats compiled by Companies Market Cap, it had an annual revenue of $91.15 billion in 2024 and listed 16 companies on the Korea Exchange.
Meantime, the Qilin ransomware cartel – infamous for last summer’s hack of England’s NHS partner Synnovis Labs, causing critical services to shut down at five London state-run hospitals – has been stepping up its attacks in 2025, making it one of the top five most active ransomware gangs of late.
According to the Ransomlooker tool by Cybernews, in the past four weeks, Qilin has claimed at least 68 victims, mainly in the US, earning it second place behind ransomware newcomer Babuk.

Qilin gang solidifies as major ransomware player
Notorious for targeting hospitals and the manufacturing sector, the lesser-known Qilin gang first appeared on the ransomware circuit in 2022, although its dark leak site claims it began operating in 2021.
Operating under a ransomware-as-a-service (RaaS) model, the cybercriminal outfit often uses double extortion tactics on its victims, demanding a ransom for decryption and then a second ransom to guarantee the stolen files will not be leaked on the dark web at a later date.
Last month, the group claimed responsibility for ransomware attacks on the Houston Symphony, the local Detroit PBS, and its most significant victim so far this year, the US newspaper conglomerate Lee Enterprises, attacked on February 3rd.
Showing a steady stream of attacks over the last 12 months, Qilin’s overall victim count is clocked at 256, Ransomlooker shows, a nearly one-third increase from the 191 victims recorded the first week of March.

In another low, Qilin further claimed responsibility for the February 10th hack of the prestigious Utsunomiya cancer treatment center in Japan, exposing the sensitive health information of 300,000 patients and leaving its hospital system “unusable.”
And notably, Qilin’s June 2024 ransomware attack on the UK’s National Health Service (NHS) partner Synnovis labs came with an alleged $50 million ransom demand.
Sometimes referred to as Agenda, Qilin is believed to be of Russian origin, as the gang vows to avoid targeting the Commonwealth of Independent States, also known as CIS nations.
Its recently updated ransomware variant "Qilin.B" is said to be customizable for affiliates, offers multiple encryption methods, and is written in the Rust programming language, according to a January 2025 Blackpoint profile on the gang.
A March 2023 undercover investigation by Group-IB had initially seen the group targeting its victims with phishing emails, but Blackpoint research shows Qilin has more recently been linked to harvesting Google Chrome credentials and to stealthily evading or disabling Endpoint Detection and Response (EDR) systems.
Qilin has also been observed exploiting the well-known “Citrix Bleed,” a zero-day vulnerability, used last year by the ALPHV/BlackCat ransom group in the massive United Health cyberattack.
The Citrix bug was disclosed by the cloud computing company in late 2023, and although it has since been patched, many companies have been slow to update their systems, leaving them exposed to attacks.
Other past Qilin victims include Yanfeng, one of the top North American auto parts suppliers for GM and Chrysler, Jeep, Dodge, and Ram.