Full Report
Qilin was the top ransomware group by a wide margin in June, solidifying its position as the top ransomware group since RansomHub went offline at the end of March. It’s the second time in three months that Qilin led all ransomware groups in claimed victims, Cyble threat intelligence researchers reported in a blog post today. With 86 claimed victims for the month of June, Qilin was more than 50 claimed attacks ahead of rivals like Akira, SafePay, Play, and INC (image below). Cyble said the data is preliminary and could rise somewhat as all the data is finalized, but Qilin is essentially assured of finishing in the top spot. [caption id="attachment_103419" align="aligncenter" width="1200"] Qilin was the top ransomware group by a wide margin in June (Cyble)[/caption] Can Qilin Remain the Top Ransomware Group? Qilin led all ransomware groups in April after RansomHub went offline (possibly in an act of sabotage by rival DragonForce). SafePay edged out Qilin in May before Qilin returned to the top spot in June. Part of Qilin’s success in recruiting Ransomware-as-a-Service (RaaS) affiliates in the wake of RansomHub’s decline lies in the services and support the Russia-linked group offers affiliates, including legal services too. Among the group’s victims in June were high-value telecom, blockchain, healthcare and transportation organizations, Cyble said. Sensitive data may have been accessed, some of the group’s attacks have had supply chain implications. Like other top ransomware groups, Qilin has overwhelmingly targeted the U.S., claiming 50 of the 213 total U.S. attacks in June. However, the group’s attacks have been more balanced across sectors, unlike other groups that have overwhelmingly targeted construction, professional services, healthcare and manufacturing. “It remains to be seen if Qilin has RansomHub-like staying power, but so far its desire to woo affiliates with sophisticated technology and services is paying off,” Cyble said. Other Ransomware Developments in June Overall, Cyble said ransomware groups had claimed 377 victims as of late June, within range of May’s final count of 401 victims, “and a sign of potential stabilization following a three-month decline from February’s record attacks.” Other groups weren’t standing still, suggesting that Qilin will have to work to stay on top. The pro-Russian hacktivist group CyberVolk launched its own ransomware, the latest hacktivist group to move into ransomware. RALord rebranded as Nova and launched its own ransomware-as-a-service (RaaS) program, aggressively recruiting affiliates, and the Chaos group announced its own RaaS operation and aggressive recruitment efforts. A new ransomware group known as Kawa4096 also emerged, claiming five victims, with similarities to the Akira ransomware group. And the Scattered Spider group expanded from retail attacks to the insurance and airline sectors. As Cyble concluded, “The enduring resourcefulness of ransomware groups and their affiliates serves as a reminder that security teams can’t rest, either.”
Analysis Summary
# Threat Actor: Qilin
## Attribution & Identity
Qilin is identified as a top-tier Ransomware Group, solidifying its claim through its operational success in June 2025. The group is noted for its desire to **woo affiliates with sophisticated technology and services**, suggesting a robust Ransomware-as-a-Service (RaaS) model or strong affiliate management structure.
## Activity Summary
Qilin significantly impacted the threat landscape in June 2025, achieving a high volume of claimed attacks. The overall ransomware environment shows potential stabilization after a three-month decline, but Qilin's continued strong performance keeps pressure on defenders. The group has been cited alongside RansomHub regarding its operational influence.
## Tactics, Techniques & Procedures
The article focuses on Qilin's operational success rather than specific low-level TTPs or MITRE ATT&CK mapping details.
- **Operational Focus:** Using sophisticated technology and services to attract affiliates.
- **Historical Campaign Note:** Qilin's attack balancing across sectors suggests adaptable operational planning.
(No specific TTPs or MITRE ATT&CK IDs were explicitly detailed in the truncated sample.)
## Targeting
- **Sectors:** Qilin's attacks have been more balanced across sectors compared to other groups. They have not overwhelmingly focused on just one or two industries.
* *Contrast to Other Groups:* Unlike groups focusing on construction, professional services, healthcare, and manufacturing, Qilin shows broader targeting.
- **Geography:** The **U.S.** was significantly targeted, claiming 50 of the 213 total U.S. attacks reported in June.
- **Victims:** No specific organizational victims were named in the provided context, only aggregated statistics.
## Tools & Infrastructure
- **Malware families used:** Qilin Ransomware.
- **Infrastructure (C2, domains, IPs - defang URLs):** Not specified in the provided text.
## Implications
Qilin poses a major threat due to its effective RaaS approach and sophisticated support for affiliates, allowing it to maintain a lead position in the ransomware ecosystem. Its balanced targeting strategy suggests resilience against sector-specific defenses. Its ability to attract affiliates may signal long-term capability, posing a sustained risk.
## Mitigations
- Security teams must remain vigilant, as the resourcefulness of ransomware groups like Qilin means defenders "can’t rest."
- Given Qilin’s reliance on affiliates, mitigating initial access vectors used by affiliates remains critical.
- Defenses should account for a sophisticated, broad-spectrum targeting approach rather than solely focusing on traditionally targeted sectors.