EWJ August 62 2025 web - Journal - Page 23
including a legal assessment of the victim's exfiltrated data against applicable laws and regulations, and of the potential implications of non-payment, enabling affiliates to pressure victims more precisely. Additionally, Qilin claims to employ an in-house team of journalists who collaborate with the legal advisors to write tailored blog posts pressuring victims. S-RM has not observed these adaptations first-hand in cases we have supported to date.
[Figure: Companies targeted in last 30 days, by sector*]
Victimology
Since emerging in September 2022, Qilin has given affiliates broad discretion in selecting targets. Since January 2025, however, S-RM has observed a shift toward strategic targeting of Managed Service Providers (MSPs), where a single compromise can reach many downstream customers. This evolution suggests a maturing operational strategy that includes centralized campaign planning, and may point to a reduction in affiliate discretion going forward.
Figure 2. Source: ecrime.ch
*Based on victims posted to the actor's leak site, which omits victims who settled or were never listed, and so is unlikely to be comprehensive.
Initial access
Initial access is primarily achieved through targeted phishing campaigns or exploitation of exposed remote services such as Remote Desktop Protocol (RDP) and VPN gateways. Recently, the group has been observed exploiting CVE-2025-31324 (an unauthenticated file-upload vulnerability in SAP NetWeaver Visual Composer) and has previously exploited CVE-2023-27532 (a credential-disclosure vulnerability in Veeam Backup & Replication). Both are reachable from the internet when the affected service is exposed, so patch status and external exposure of SAP and Veeam hosts are the first things to verify.
91%: the majority of Qilin's victims were small and medium-sized businesses (fewer than 1,000 employees).
[Figure: Companies targeted by country in last 30 days*]
Propagation
Once inside a network, Qilin escalates privileges by exploiting vulnerabilities or by abusing credential-theft and administration tools such as Mimikatz, PsExec and PowerShell, and moves laterally using standard network discovery techniques. Since August 2024, S-RM has observed Qilin harvesting credentials stored in Google Chrome browsers, giving the group a mechanism for re-entry into compromised environments even after the original foothold is remediated.
The group employs multiple defense evasion techniques, including anti-analysis checks that detect debuggers and sandbox environments, PowerShell commands that clear event logs and other traces of activity, and deletion of backups, which both hinders recovery and covers their tracks.
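As an added example (not code from the S-RM article or from any Qilin tooling): a small Python hunt over constructed process-creation records covering the post-access behaviours described above, namely credential dumping with Mimikatz or a LSASS minidump, copying of Chrome's 'Login Data' store, PsExec lateral movement, backup and shadow-copy deletion, and PowerShell event-log clearing. The event fields, command lines and ATT&CK mappings are illustrative assumptions; the command strings are generic indicators, not indicators taken from a Qilin case.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str       # MITRE ATT&CK technique ID the pattern maps to
    pattern: re.Pattern  # case-insensitive regex applied to the process command line


# Illustrative patterns for the behaviours the article describes (assumption: your telemetry
# records the full command line, e.g. Sysmon Event 1 or Security 4688 with auditing enabled).
# Tune against real data; expect to add exclusions for backup agents and admin jump hosts.
RULES: List[Rule] = [
    Rule("lsass_credential_dumping", "T1003.001",
         re.compile(r"(mimikatz|sekurlsa::|comsvcs\.dll[, ]+MiniDump|procdump.*\blsass\b)", re.I)),
    Rule("browser_credential_store_access", "T1555.003",
         re.compile(r"Google\\Chrome\\User Data\\.*?\\Login Data", re.I)),
    Rule("psexec_service_execution", "T1569.002",
         re.compile(r"(\bpsexec(64)?(\.exe)?\b|\bPSEXESVC\b)", re.I)),
    Rule("shadow_copy_or_backup_deletion", "T1490",
         re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                    r"|wbadmin(\.exe)?\s+delete\s+catalog"
                    r"|bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no)", re.I)),
    Rule("event_log_clearing", "T1070.001",
         re.compile(r"\b(Clear-EventLog|Remove-EventLog|wevtutil(\.exe)?\s+(cl|clear-log))\b", re.I)),
]

# Constructed sample events (hostnames, users and paths are made up for this example).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "user": r"CORP\jdoe",
     "cmdline": r"mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"host": "WS01", "user": r"CORP\jdoe",
     "cmdline": r"powershell.exe -nop -c Copy-Item 'C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data' C:\Windows\Temp\ld.db"},
    {"host": "DC01", "user": r"CORP\jdoe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\l.dmp full"},
    {"host": "SRV-APP02", "user": r"CORP\jdoe",
     "cmdline": r"psexec.exe \\SRV-APP02 -u CORP\jdoe -s cmd.exe /c whoami"},
    {"host": "SRV-FILE01", "user": r"CORP\svc_backup",
     "cmdline": r"vssadmin.exe list shadows"},                 # benign inventory: must not fire
    {"host": "SRV-FILE01", "user": r"CORP\svc_backup",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "user": r"CORP\jdoe",
     "cmdline": r"powershell.exe -nop -w hidden -c Get-EventLog -List | ForEach-Object { Clear-EventLog -LogName $_.Log }"},
]


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply every rule to every event; return one finding per (event, rule) hit, in event order."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for rule in RULES:
            if rule.pattern.search(cmd):
                findings.append({"host": ev["host"], "user": ev["user"], "rule": rule.name,
                                 "technique": rule.technique, "cmdline": cmd})
    return findings


def hosts_with_multiple_stages(findings: List[Dict[str, str]], min_rules: int = 2) -> Dict[str, List[str]]:
    """Hosts on which at least `min_rules` distinct rules fired. One vssadmin command may be an
    administrator; credential theft plus log clearing on the same host rarely is, so this is the
    list to triage first."""
    by_host: Dict[str, set] = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {h: sorted(r) for h, r in sorted(by_host.items()) if len(r) >= min_rules}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:<12} {f['user']:<18} {f['technique']:<10} {f['rule']}")
    print("hosts with multiple stages:", hosts_with_multiple_stages(hits))
```

Feed it your own export of process-creation events as a list of dicts with the same three keys; the `list shadows` event shows why the patterns key on the destructive verb rather than on the tool name.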
Encryption
Qilin's ransomware is designed to be highly adaptable, enabling affiliates to tailor attacks to victim environments; the encryptor supports ChaCha20, AES-256 and RSA-4096 (in a hybrid scheme of this kind the symmetric cipher encrypts file contents and the RSA key protects the file keys, so recovery requires the private key held by the operators). Since October 2024, Qilin has offered a new Rust-based variant of its encryptor dubbed 'Qilin.B', which reportedly offers stronger encryption, improved evasion capabilities and the ability to disrupt data recovery mechanisms.
Figure 1 above. Source: eCrime
Notable attacks
• In April 2025, the group targeted the City of Abilene, Texas, encrypting systems and exfiltrating roughly 477 GB of data across several departments, including the CityLink public transit network. The attack resulted in roughly a month of disruption to the city's bus services and other operations.
Extortion
Qilin uses double extortion (theft plus encryption of sensitive data) to pressure victims into paying a ransom. The group is known for aggressive negotiation tactics and, absent payment, frequently publishes stolen data on both its Tor-based leak site and a clear-web domain, WikiLeaksV2. In 2024, Qilin also operated a Telegram channel to amplify leaks, though the channel is no longer active.
• In June 2024, Qilin targeted Synnovis, a pathology provider for several NHS hospitals, disrupting blood testing and forcing the cancellation of over 1,100 surgeries and 2,000 appointments. The group demanded a $50 million ransom. After no payment was made, data tied to 900,000 patients was leaked.
EXPERT WITNESS JOURNAL
21
AUGUST/SEPT 2025