Qilin Ransomware Group Claims Attack on Malaysia Airlines
The Qilin ransomware gang has listed Malaysia Airlines on its dark web leak site, marking the latest in a series of cyberattacks targeting the aviation sector. The group, which operates under a ransomware-as-a-service (RaaS) model, has rapidly escalated its activities, emerging as the most active ransomware operation of 2025 with over 1,000 victims that year and more than 200 additional claims in early 2026.
The incident, dated February 22, 2026, remains unconfirmed by Malaysia Airlines or investigators, as Qilin has yet to provide proof of stolen data, a departure from its typical tactic of releasing file samples to pressure victims. The lack of evidence leaves uncertainty about whether the attack involved a confirmed breach, a failed intrusion, or a negotiation ploy. No details have been disclosed regarding potential exposure of passenger data, employee records, or operational systems.
This follows a March 2025 ransomware attack on Kuala Lumpur International Airport (KLIA), also attributed to Qilin, which disrupted flight information displays, check-in systems, and baggage handling for over 10 hours. The aviation industry has become a prime target for ransomware groups, drawn by the combination of operational leverage and access to sensitive personal and corporate data.
Qilin, linked to Russian cybercriminal networks, has expanded its victim pool beyond traditional sectors like finance and healthcare to include critical infrastructure, government agencies, and transportation entities. Past attacks on airlines and airports have exposed passenger names, passport details, and internal documents, raising concerns about identity fraud and phishing risks.
Malaysia’s aviation sector has faced repeated cyber threats, including a 2022 ransomware attack on AirAsia by the Daixin Team and a 2020–2021 data breach at Malaysia Airlines. While the current claim lacks verification, analysts note that ransomware groups often withhold evidence during negotiations, with data dumps or public disclosures occurring only if talks fail.
The incident underscores the growing vulnerability of global aviation to cyber extortion, with ransomware gangs increasingly prioritizing high-impact targets for financial gain and operational disruption.
Source: https://cybernews.com/news/malaysian-airlines-qilin-ransomware-attack-claim/
Malaysia Airlines cybersecurity rating report: https://www.rankiteo.com/company/malaysia-airlines
AirAsia cybersecurity rating report: https://www.rankiteo.com/company/airasia
"id": "MALAIR1772151934",
"linkid": "malaysia-airlines, airasia",
"type": "Ransomware",
"date": "2/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Aviation',
                        'location': 'Malaysia',
                        'name': 'Malaysia Airlines',
                        'type': 'Airline'}],
 'data_breach': {'personally_identifiable_information': 'Potential',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Passenger names',
                                              'Passport details',
                                              'Internal documents']},
 'date_detected': '2026-02-22',
 'date_publicly_disclosed': '2026-02-22',
 'description': 'The Qilin ransomware gang has listed Malaysia Airlines on its '
                'dark web leak site, marking the latest in a series of '
                'cyberattacks targeting the aviation sector. The incident '
                'remains unconfirmed by Malaysia Airlines or investigators, '
                'with no proof of stolen data provided by Qilin. The attack '
                'may involve a confirmed breach, a failed intrusion, or a '
                'negotiation ploy, but details about potential exposure of '
                'passenger data, employee records, or operational systems are '
                'undisclosed.',
 'impact': {'brand_reputation_impact': 'High',
            'identity_theft_risk': 'Potential'},
 'investigation_status': 'Unconfirmed',
 'motivation': 'Financial gain, operational disruption',
 'ransomware': {'ransomware_strain': 'Qilin'},
 'references': [{'date_accessed': '2026-02-22',
                 'source': 'Dark web leak site'}],
 'threat_actor': 'Qilin ransomware gang',
 'title': 'Qilin Ransomware Group Claims Attack on Malaysia Airlines',
 'type': 'Ransomware'}