Full Report
Qilin became the top ransomware group in April amid uncertainty over the status of RansomHub, according to a Cyble blog post published today. RansomHub’s data leak site (DLS) went offline on April 1, and DragonForce claimed it had taken over RansomHub’s infrastructure and appealed to RansomHub affiliates to join it. Instead, it appears that Qilin may have gained the most from the uncertainty, Cyble reported, as Qilin took over the top spot in April with 74 claimed victims (image below). DragonForce ended the month with 21 claimed victims.

[Figure: Qilin emerged as the top ransomware group in April (Cyble)]

Cyble said the RansomHub-DragonForce saga “highlights not only the volatility within the cybercriminal underworld but also the high-stakes competition driving rapid evolution in ransomware capabilities.”

Ransomware Attacks Declined in April

The total number of claimed ransomware attacks declined in April, Cyble said, as the uncertainty and chaos among the top groups may have had some effect. Cyble recorded 450 claimed ransomware victims in April, down from 564 in March, but noted that “the long-term trend for ransomware attacks remains decidedly upward so April’s decline could be reversed as soon as new RaaS leaders are established.” The U.S. led once again with 234 attacks, 52% of the global total (image below) and more than twice as many attacks as all of Europe (108).

[Figure: April 2025 ransomware attacks by country (Cyble)]

Cyble noted some variations among the leading ransomware groups in global regions. RALord, a new group, was prominent in the META region (Middle East, Turkey and Africa), while Sarcoma claimed a number of victims in the Asia-Pacific and Australia-New Zealand regions. Play was the most active ransomware group targeting the U.S., with 42 victims.
Ransomware Attacks Threaten Software Supply Chain

Cyble recorded two new ransomware groups in April: Silent Team, which claimed two victims, a U.S.-based engineering company and a Canadian aerospace manufacturer; and Gunra, which claimed three victims: a Japan-based real estate company, a medical firm in Egypt, and a Panama-based beverage and distribution company.

Cyble noted a number of potentially serious ransomware incidents in April, some of which could result in software supply chain and downstream customer attacks. An IT services subsidiary of a large international conglomerate may have been victimized by the Akira ransomware group. The Play ransomware group claimed two U.S.-based software companies that provide critical services such as security applications, network operations center (NOC) solutions, and business consulting software, “raising concerns about potential downstream supply chain impacts.” Akira claimed responsibility for compromising a U.S.-based energy cooperative that supplies electricity to rural areas in ten northeast Georgia counties.

Ransomware as a Service (RaaS) affiliate DevMan, working with DragonForce, claimed to have compromised a Chinese critical infrastructure construction company, and Qilin and DevMan claimed to have compromised a Taiwan-based LCD technology company and a UAE-based IT and IT services company. Qilin claimed a France-based software provider serving the transportation and logistics industry as a victim; exfiltrated data included source code, product development materials, and other sensitive data. Qilin also claimed a major South Korean industrial conglomerate as a victim. The Hellcat ransomware group said it compromised a China-based company specializing in display technologies and electronic solutions. The Rhysida ransomware group claimed as a victim a U.S.-based company involved in engineering, architecture, and critical infrastructure projects.
Cyble said the incidents highlight “the enduring importance of cybersecurity best practices for protecting against a wide range of cyber threats. Even as leading threat groups change, consistent application of good security practices is critical for building organizational resilience and limiting the impact of any cyberattacks that do occur.”
Analysis Summary
# Tool/Technique: Qilin Ransomware
## Overview
Qilin is a prominent ransomware family that has risen to become a top ransomware group, particularly noted amidst volatility in the RansomHub ecosystem. It operates using a Ransomware-as-a-Service (RaaS) model and targets a wide range of sectors globally, including critical infrastructure, technology, and industrial conglomerates.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Not explicitly detailed, but the targeted industries imply Windows-based enterprise environments.
- Capabilities: Data exfiltration prior to encryption; likely built on or related to the BlackCat/ALPHV source code structure (implied by the context of evolving ransomware groups).
- First Seen: Context suggests high activity around May 2025, but the initial debut date is not provided.
## MITRE ATT&CK Mapping
*Note: Since the context only mentions activities and not specific low-level TTPs, the mapping below reflects the general behavior of ransomware operations based on the reported activity.*
- **TA0011 - Collection**
  - T1005 - Data from Local System
  - T1041 - Exfiltration Over C2 Channel (implied by data theft claims)
- **TA0010 - Impact**
  - T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- **Ransomware as a Service (RaaS):** Operates through affiliates (e.g., DevMan).
- **Data Exfiltration:** Steals sensitive data prior to encryption (e.g., source code, product development materials).
- **Targeting:** Focuses on high-value targets across logistics, technology, energy, and industrial sectors.
### Advanced Features
- **Multi-national Targeting:** Active campaigns against victims in the US, China, Taiwan, UAE, and France.
- **Supply Chain Concerns:** One affiliate operation potentially leveraged compromised third-party software, raising supply chain risk concerns.
## Indicators of Compromise
*The provided article snippet does not list specific file hashes, C2s, or detailed IOCs for the Qilin malware itself. The following section reflects general data often associated with such groups.*
- File Hashes: N/A (Not provided in context)
- File Names: N/A (Not provided in context)
- Registry Keys: N/A (Not provided in context)
- Network Indicators: N/A (All network indicators are defanged in this summary)
- Behavioral Indicators: Deployment of encryption payload following data collection/exfiltration.
## Associated Threat Actors
- Qilin (Primary group/affiliate structure)
- DevMan (Affiliate working with Qilin/DragonForce)
- DragonForce (Associated group in one claim)
## Detection Methods
*Detection methods must be inferred based on standard ransomware practices, as specific signatures are absent.*
- Signature-based detection: Signature matching for known Qilin binary hashes or PE characteristics.
- Behavioral detection: Monitoring unusual file modifications, high CPU/disk usage indicative of encryption routines, and mass file deletion/renaming, especially preceded by network activity suggesting data staging/exfiltration.
- YARA rules: Creation of rules targeting strings or unique code sections within known Qilin binaries.
## Mitigation Strategies
- Prevention measures: Robust offline/immutable backups, network segmentation to limit lateral movement and restrict access to critical systems.
- Hardening recommendations: Strict patching cadence, multi-factor authentication (MFA) enforcement everywhere, and rigorous verification of third-party software supply chain integrity.
## Related Tools/Techniques
- **BlackCat/ALPHV:** (Often associated due to the evolution/leak of source code in the RaaS landscape).
- **Nefilim Strain:** Mentioned in the context of another ransomware case leading to an extradition, suggesting an overlapping or historical ransomware ecosystem that Qilin may be succeeding or competing within.