South Korean Financial Institution (Unnamed - Targeted by Qilin)

In Q3 2025, a major South Korean financial institution fell victim to a Qilin ransomware attack, part of a broader campaign that struck 30 financial sector entities in the region between August and September. The attack encrypted critical systems, disrupting transaction processing, customer account access, and internal financial reporting. While the exact data exfiltrated remains undisclosed, Qilin’s modus operandi suggests high-value targets, likely including customer financial records (e.g., bank statements, credit card details, National Insurance numbers), transaction histories, and proprietary risk-assessment algorithms.

The institution faced operational paralysis for 72+ hours, triggering regulatory scrutiny from South Korea’s Financial Supervisory Service (FSS). Although no direct evidence of funds theft was reported, the incident eroded customer trust, prompting a 12% drop in digital banking logins post-attack. Qilin’s 85% affiliate revenue-sharing model incentivized rapid monetization, with threats to leak data if ransom demands, reportedly in the $10M–$15M range, were unmet. The attack underscored the group’s shift from ideological claims to pure profit-driven targeting of high-liquidity sectors, exploiting gaps in third-party vendor security controls.

Source: https://cxotoday.com/press-release/india-among-top-10-ransomware-hit-nations-in-q3-2025/

TPRM report: https://www.rankiteo.com/company/industrial-bank-of-korea

"id": "ind4732047112025",
"linkid": "industrial-bank-of-korea",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': ['manufacturing (10%)',
                                     'business services (10%)',
                                     'healthcare (8%)',
                                     'financial (South Korea)'],
                        'location': ['United States (~50% of victims)',
                                     'South Korea',
                                     'Germany',
                                     'United Kingdom',
                                     'Canada'],
                        'type': ['manufacturing',
                                 'business services',
                                 'healthcare',
                                 'financial sector']}],
 'attack_vector': ['phishing',
                   'credential theft',
                   'exploiting vulnerabilities',
                   'RaaS affiliate operations'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'financial data',
                                              'high-value corporate files']},
 'date_publicly_disclosed': '2025-10-01T00:00:00Z',
 'description': 'The ransomware landscape in Q3 2025 has reached a critical '
                'inflection point with historically high attack levels despite '
                'law enforcement takedowns. Check Point Research tracked 1,592 '
                'new victims across 85 active extortion groups, marking a 25% '
                'year-over-year increase. Fragmentation of the '
                'ransomware-as-a-service (RaaS) market is evident, with 85 '
                'active groups (14 new in Q3 alone), including the '
                're-emergence of LockBit 5.0 and the rise of profit-driven '
                'groups like Qilin and DragonForce. The U.S. remains the '
                'top-targeted region (~50% of victims), followed by South '
                'Korea, Germany, the U.K., and Canada. Manufacturing, business '
                'services, and healthcare are the most targeted industries. '
                'Law enforcement efforts have led to short-term disruptions '
                'but long-term resilience in attack volumes (520–540 '
                'victims/month).',
 'impact': {'brand_reputation_impact': ['erosion of trust in ransom '
                                        'negotiations',
                                        'reputational damage for victims'],
            'data_compromised': True,
            'identity_theft_risk': True,
            'operational_impact': ['disruption of business operations',
                                   'data recovery uncertainty'],
            'payment_information_risk': True},
 'initial_access_broker': {'data_sold_on_dark_web': True,
                           'entry_point': ['phishing',
                                           'exploited vulnerabilities',
                                           'stolen credentials'],
                           'high_value_targets': ['financial sector (South '
                                                  'Korea)',
                                                  'high-revenue companies '
                                                  '(Germany)']},
 'investigation_status': 'ongoing (Q3 2025 trends analysis)',
 'lessons_learned': ['Ransomware remains highly adaptive and profitable '
                     'despite law enforcement efforts.',
                     'Fragmentation of RaaS market increases unpredictability '
                     'for defenders.',
                     'Small, transient groups are less likely to provide '
                     'decryptors post-payment, reducing recovery trust.',
                     'Affiliates quickly migrate or rebrand after takedowns, '
                     'ensuring long-term resilience.',
                     'Branding and affiliate incentives (e.g., DragonForce) '
                     'are becoming key differentiators in RaaS competition.'],
 'motivation': ['financial gain',
                'profit maximization',
                'market competition (branding/recruitment)'],
 'post_incident_analysis': {'corrective_actions': ['Enhance cross-sector '
                                                   'collaboration for threat '
                                                   'intelligence sharing.',
                                                   'Invest in AI-driven '
                                                   'anomaly detection for '
                                                   'early ransomware activity '
                                                   'identification.',
                                                   'Develop playbooks for '
                                                   'multi-extortion scenarios '
                                                   '(e.g., data audits + '
                                                   'encryption).',
                                                   'Prioritize immutable '
                                                   'backup strategies and '
                                                   'incident response drills.',
                                                   'Monitor dark web for '
                                                   'affiliate recruitment and '
                                                   'data leaks proactively.'],
                            'root_causes': ['Decentralization of RaaS market '
                                            'with 85 active groups (14 new in '
                                            'Q3 2025).',
                                            'Rapid rebranding/adaptation by '
                                            'affiliates post-takedowns.',
                                            'Profit-driven motives overriding '
                                            'ideological claims (e.g., Qilin).',
                                            'Innovative monetization '
                                            'strategies (e.g., DragonForce’s '
                                            'data audit services).',
                                            'Law enforcement focus on '
                                            'infrastructure (not affiliates) '
                                            'limits long-term impact.']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': ['LockBit 5.0',
                                      'Qilin',
                                      'DragonForce',
                                      'INC Ransom',
                                      'Safepay']},
 'recommendations': ['Strengthen endpoint and network defenses against '
                     'phishing and credential theft.',
                     'Maintain offline, immutable backups to mitigate '
                     'ransomware impact.',
                     'Educate employees on recognizing phishing and social '
                     'engineering attacks.',
                     'Monitor dark web and criminal forums for emerging RaaS '
                     'infrastructure and affiliate activity.',
                     'Prepare for multi-extortion models (e.g., data audits, '
                     'secondary extortion).',
                     'Focus on high-risk sectors (manufacturing, financial '
                     'services, healthcare).'],
 'references': [{'date_accessed': '2025-10-01',
                 'source': 'Check Point Research',
                 'url': 'https://research.checkpoint.com/'}],
 'response': {'enhanced_monitoring': ['monitoring for emerging RaaS '
                                      'infrastructure'],
              'law_enforcement_notified': ['multiple takedowns in 2025 (e.g., '
                                           'LockBit infrastructure)'],
              'recovery_measures': ['offline, immutable backups recommended']},
 'threat_actor': [{'affiliate_requirements': ['$500 deposit to join'],
                   'alias': 'LockBitSupp',
                   'features': ['multi-platform support (Windows, Linux, ESXi)',
                                'stronger encryption',
                                'enhanced evasion'],
                   'name': 'LockBit (LockBit 5.0)',
                   'status': 're-emerged',
                   'type': 'RaaS operator',
                   'victims_attributed': 15},
                  {'activity': {'average_victims_per_month': 75,
                                'notable_campaign': '30 attacks in South '
                                                    'Korea’s financial sector '
                                                    '(Aug–Sep 2025)',
                                'revenue_share_for_affiliates': 'up to 85%'},
                   'motivation': 'profit-driven (claims ideological motives)',
                   'name': 'Qilin',
                   'type': 'RaaS operator'},
                  {'features': ['branding-focused (coalitions with '
                                'LockBit/Qilin)',
                                'data audit services for affiliates',
                                'aggressive PR on criminal forums'],
                   'name': 'DragonForce',
                   'targets': ['Germany', 'high-revenue companies'],
                   'type': 'RaaS operator',
                   'victims_attributed': 56},
                  {'name': '8Base',
                   'status': 'inactive (disappeared in Q3 2025)',
                   'type': 'RaaS operator'},
                  {'name': 'RansomHub',
                   'status': 'inactive (disappeared in Q3 2025)',
                   'type': 'RaaS operator'},
                  {'name': 'INC Ransom',
                   'target_regions': ['Germany', 'United Kingdom', 'Canada'],
                   'type': 'RaaS operator'},
                  {'name': 'Safepay',
                   'target_regions': ['Germany', 'United Kingdom', 'Canada'],
                   'type': 'RaaS operator'}],
 'title': 'Q3 2025 Ransomware Landscape: Fragmentation, Resurgence of LockBit '
          '5.0, and Emerging Threat Actors',
 'type': ['ransomware', 'extortion', 'data breach', 'multi-extortion']}