Sysco food distributor allegedly hit in Qilin ransomware claim


Sysco, the world’s largest food supplier serving restaurants, hospitals, schools, hotels and more, is the latest ransomware victim claimed by the Qilin gang, with alleged internal documents posted as proof of access.

Qilin posted Sysco on its dark web victim blog on Wednesday, giving the food and hospitality services company until May 12th, presumably to make contact with the group and negotiate a ransom payoff.

A “Time till publication” countdown clock was ticking away at 149 hours and 27 minutes – just over 6 days and 5 hours – when Cybernews first observed the entry.

Qilin leak site. Image by Cybernews

Sysco operates more than 340 distribution facilities worldwide, supplying nearly 500 fresh and frozen food products, culinary supplies, and restaurant equipment to roughly 750,000 locations spanning 10 countries.

The foodservice retail giant, which also owns a portfolio of 150 local subsidiaries and supports customers across 90 countries, further provides business planning and technology services, offering clients customized supply chain solutions.

The company distributes to an endless list of customers around the globe, including restaurants, healthcare and senior living facilities, government agencies (including FEMA and the Red Cross), military installations, higher education facilities, hotels and lodging, airlines, airports, cruise ships, entertainment venues, sports stadiums, amusement parks, casinos, supermarkets, and convenience stores.

Sysco facility in Philadelphia, PA. Image by JHVEPhoto | Shutterstock

This means Sysco holds a treasure trove of sensitive client information that could potentially be leveraged to carry out a range of future cyberattacks.

Cybernews has reached out to Sysco and is awaiting a response at the time of this report.

Alleged Sysco documents exposed

Qilin provided three samples as proof of its alleged unauthorized access to Sysco’s IT network, which Cybernews was able to view.

However, the group did not disclose the amount or type of data it purportedly exfiltrated from the company’s servers.

The first sample, dated from 2021 through 2022 and stamped “confidential,” appears to be some sort of formula-based customer pricing list of food products shown in American dollars.

Qilin leak site. Image by Cybernews

The second sample appears to be a customer invoice billed to a local eatery in St. Paul, Minnesota, from February 2026.

The third sample, dated June 2025, shows a Certificate of Resale tax document for a local food paper supplier, presumably already filed with the Illinois Department of Revenue.

Formed in 1969 and based in Houston, Texas, Sysco employs about 75,000 workers globally and boasted an annual revenue of over $81 billion in 2025, according to its website, also making the company an attractive target for extortion groups.

Who is Qilin?

First identified by researchers in 2022, the Russian-linked group has rapidly eclipsed many of its rivals, emerging as the most active ransomware gang of 2025.

Its victims include manufacturers, financial firms, retailers, healthcare providers, government agencies, and transportation-related entities.

According to Cybernews’ in-house surveillance tool Ransomlooker, the gang listed more than 1,000 victims in 2025 and has extended that surge into 2026, claiming more than 200 additional victims by the end of February.

The Qilin ransomware group has claimed over 1000 victims in 2025, and another 200 plus victims as of late February 2026. Cybernews Ransomlooker snapshot taken on February 23rd, 2026. Image by Cybernews.

Earlier this week, the group listed the US-based commercial real estate giant Cushman & Wakefield on its leak site, seemingly piggybacking on a claim by the notorious ShinyHunters extortion group. In February, Qilin claimed an attack on Malaysia Airlines. It provided very little proof to back up either claim.

By contrast, in January, the cybercriminal cartel claimed massive attacks on the Tulsa International Airport – posting more than a dozen leaked files, including internal operations documents and executive and employee data.

It also claimed to have infiltrated New York City’s TWU Local 100 – a union representing more than 67,000 active and retired transit workers for the nation’s largest public transportation system.

Operating a ransomware-as-a-service (RaaS) model, Qilin allows affiliates to deploy its malware and leverage its negotiation infrastructure in exchange for a cut of ransom payments.

High-profile claims in 2025 included Japan's Asahi Holdings, digital gaming giant International Game Technology (IGT), Korea’s SK Group, US newspaper group Lee Enterprises, Nissan Japan's design arm Creative Box, and the controversial religion Scientology.
