Qilin Ransomware Gang Escalates Attacks in 2025, Targeting Critical Sectors Worldwide
The Qilin ransomware gang has become one of the most prolific cybercriminal operations in 2025, compromising hundreds of organizations, including major corporations, government entities, and healthcare providers. In October alone, the suspected Russia-based group claimed over 185 victims, including Japanese beverage giant Asahi, the Texas city of Sugar Land, a North Carolina county government, and multiple Texas power companies.
Cybersecurity firm Cisco Talos reported that Qilin has been publishing data from roughly 40 victims per month in the second half of 2025. Active since July 2022, the group has expanded its operations under a ransomware-as-a-service (RaaS) model, enabling rapid scaling and increased attack success rates. Nearly a quarter of its attacks target the manufacturing sector, followed by professional and scientific services (18%) and wholesale trade (10%).
Qilin’s intrusion methods vary, but stolen administrative credentials, often sourced from the dark web, have been used to breach VPNs in multiple incidents. Comparitech tracked over 700 Qilin-related attacks in 2025, with 118 confirmed, predominantly affecting the U.S. (50%), alongside France, Canada, South Korea, and Spain.
The group has also escalated ransom demands, including a $10 million extortion attempt against Kuala Lumpur International Airport in March and a $4 million demand following an attack on Cleveland’s Municipal Court in February. Despite law enforcement scrutiny after a 2024 attack on a British healthcare provider, Qilin has continued its operations, targeting entities like the government of Palau and a major U.S. newspaper chain.
Source: https://therecord.media/qilin-ransomware-gang-hits-hundreds-of-orgs-2025
Asahi TPRM report: https://www.rankiteo.com/company/asahigroup-holdings
City of Sugar Land TPRM report: https://www.rankiteo.com/company/city-of-sugar-land
Government of Palau TPRM report: https://www.rankiteo.com/company/cgr-center-for-governmental-research-
{
"id": "asacitcgr1768389558",
"linkid": "asahigroup-holdings, city-of-sugar-land, cgr-center-for-governmental-research-",
"type": "Ransomware",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Beverage',
'location': 'Japan',
'name': 'Asahi',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Local Government',
'location': 'Texas, USA',
'name': 'City of Sugar Land',
'type': 'Government'},
{'industry': 'Local Government',
'location': 'North Carolina, USA',
'name': 'County Government',
'type': 'Government'},
{'industry': 'Energy',
'location': 'Texas, USA',
'name': 'Power Companies',
'type': 'Corporation'},
{'industry': 'Transportation',
'location': 'Malaysia',
'name': 'Kuala Lumpur International Airport',
'size': 'Large',
'type': 'Infrastructure'},
{'industry': 'Judicial',
'location': 'Ohio, USA',
'name': 'Cleveland Municipal Court',
'type': 'Government'},
{'industry': 'National Government',
'location': 'Palau',
'name': 'Government of Palau',
'type': 'Government'},
{'industry': 'Media',
'location': 'United States',
'name': 'Newspaper Chain',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Healthcare',
'location': 'United Kingdom',
'name': 'British Healthcare Company',
'size': 'Large',
'type': 'Corporation'}],
'attack_vector': ['Stolen administrative credentials', 'VPN access'],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally identifiable information',
'Sensitive operational data']},
'date_publicly_disclosed': '2025-10',
'description': 'The Qilin ransomware gang has emerged as one of the most active cybercriminal operations in 2025, listing hundreds of victims including large companies, local governments, and hospitals. The group has expanded its operations under the ransomware-as-a-service (RaaS) model, targeting multiple sectors with high ransom demands.',
'impact': {'brand_reputation_impact': True,
'data_compromised': True,
'identity_theft_risk': True,
'operational_impact': 'Major disruptions to services',
'systems_affected': ['VPNs', 'Critical infrastructure']},
'initial_access_broker': {'entry_point': 'Stolen administrative credentials'},
'investigation_status': 'Ongoing',
'lessons_learned': 'The shift to RaaS has allowed Qilin to scale operations rapidly, increasing the frequency and success rate of attacks. Stolen credentials and VPN access remain primary attack vectors.',
'motivation': ['Financial gain', 'Data exfiltration'],
'post_incident_analysis': {'root_causes': ['Stolen credentials',
'Lack of multi-factor authentication',
'Unsegmented networks']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransom_demanded': ['$10 million', '$4 million'],
'ransomware_strain': 'Qilin'},
'recommendations': ['Enhance credential security and monitoring',
'Implement multi-factor authentication for VPN access',
'Segment networks to limit lateral movement',
'Regularly update incident response plans',
'Monitor dark web for stolen credentials'],
'references': [{'date_accessed': '2025-10', 'source': 'Cisco Talos'},
{'date_accessed': '2025', 'source': 'Comparitech'}],
'response': {'third_party_assistance': 'Cisco Talos'},
'threat_actor': 'Qilin ransomware gang',
'title': 'Qilin Ransomware Gang Cyber Incidents 2025',
'type': 'Ransomware'}