The ransomware landscape witnessed a dramatic shift in June 2025 as the Qilin ransomware group surged to become the most active threat actor, recording 81 victims and representing a staggering 47.3% increase in activity compared to previous months.
This Ransomware-as-a-Service operation, which has accumulated over 310 victims since its emergence, has distinguished itself through sophisticated attack methodologies and strategic exploitation of critical infrastructure vulnerabilities.
The group’s rapid ascension reflects the evolving nature of ransomware threats, where technical innovation and opportunistic targeting converge to create unprecedented cybersecurity challenges.
The group’s recent campaign has primarily leveraged critical vulnerabilities in Fortinet’s enterprise security appliances, specifically targeting CVE-2024-21762 and CVE-2024-55591 in unpatched FortiGate and FortiProxy devices.
These vulnerabilities enable authentication bypass and remote code execution, giving threat actors a direct path into enterprise networks.
Despite CVE-2024-21762 being patched in February 2025, tens of thousands of systems remain exposed, creating an expansive attack surface that Qilin has systematically exploited through partially automated deployment mechanisms.
Cyfirma analysts identified that the campaign, observed intensively between May and June 2025, initially focused on Spanish-speaking regions but has since evolved into opportunistic targeting that transcends geographical and sectoral boundaries.

The researchers noted that Qilin’s approach differs significantly from traditional ransomware operations, incorporating zero-day exploits and leveraging widely deployed perimeter security devices as primary attack vectors.
This strategic pivot demonstrates the group’s technical maturity and ability to adapt quickly to emerging vulnerabilities in enterprise environments.
The scope of Qilin’s operations extends beyond conventional ransomware deployment, encompassing a comprehensive cybercrime ecosystem that includes spam distribution, DDoS attacks, petabyte-scale data storage capabilities, and even in-house journalists for psychological pressure campaigns.

This multi-faceted approach positions Qilin to fill the operational vacuum left by defunct groups like LockBit and BlackCat, attracting affiliates and expanding their reach across global markets.
Infection Mechanism and Exploitation Chain
Qilin’s infection mechanism represents a sophisticated multi-stage process that begins with the systematic identification and exploitation of vulnerable Fortinet appliances.
The attack chain initiates when threat actors conduct reconnaissance to identify unpatched FortiGate and FortiProxy devices exposed to the internet.
Upon discovering vulnerable systems, the group leverages CVE-2024-21762’s authentication bypass capability to gain initial access without requiring valid credentials.
The exploitation process involves sending specially crafted requests to the vulnerable Fortinet devices, enabling remote code execution that establishes a foothold within the target network.
Once inside, Qilin’s payload, written in Rust and C, employs advanced persistence mechanisms, including Safe Mode execution and network propagation.
The malware’s modular architecture also supports automated negotiation tools and psychological pressure tactics, including the recently introduced “Call Lawyer” feature, which simulates legal engagement during ransom negotiations to maximize pressure on victims while streamlining the extortion process.