Qilin Ransomware Surging Following the Fall of Dominant RansomHub RaaS


The ransomware landscape experienced a significant shift in the second quarter of 2025 as Qilin ransomware emerged as the dominant threat following the unexpected collapse of RansomHub, previously the most prolific ransomware-as-a-service operation.

This transition has reshaped the cybercriminal ecosystem, with Qilin capitalizing on the vacuum left by RansomHub’s abrupt cessation of operations in early April 2025.

RansomHub’s disappearance ended the run of what had been the leading RaaS platform, which had averaged roughly 75 victims listed on its leak site per month over the preceding six months.



The group’s sudden exit left numerous affiliates scrambling for alternative platforms, creating an opportunity that Qilin quickly seized.

The impact was immediate and measurable, with many former RansomHub operators migrating their operations to Qilin’s infrastructure.

Qilin promoting new extortion tools (Source – Check Point)

Check Point researchers identified a dramatic surge in Qilin’s activity during this period: the group nearly doubled its monthly leak-site victim count, from an average of about 35 to almost 70.

This represents one of the most significant power shifts observed in the ransomware ecosystem, highlighting how quickly threat actors can adapt and redistribute following major disruptions.

The speed of the migration suggests that affiliates moved with little interruption to their operations, a sign of how resilient and adaptable modern ransomware networks have become.

Enhanced Extortion Mechanisms

Qilin’s rise to prominence has been accompanied by the introduction of sophisticated extortion mechanisms that represent a significant evolution in ransomware tactics.

The group has moved beyond purely encryption-based attacks, embracing a comprehensive data-theft-and-exposure model that maximizes pressure on victims while reducing the operational risks that come with file encryption, such as the noise it generates and the detection it invites.

The ransomware operation now offers an integrated DDoS capability directly within its administrative panel, allowing affiliates to overwhelm victim networks while conducting negotiations.

Qilin promoting their new DDoS feature (Source – Check Point)

This dual-pressure approach combines data theft with service disruption, creating multiple leverage points against targeted organizations.

Additionally, Qilin has introduced what it terms “legal assistance” services, where the group analyzes stolen data to identify potential regulatory violations and prepares documentation for submission to relevant authorities including tax agencies and law enforcement bodies.

Perhaps most concerning is Qilin’s development of automated harassment tools designed to flood corporate communication channels.

These include bulk email and phone spam capabilities targeting victim employees, customers, and partners.

The group also advertises support from alleged journalists to create public exposure campaigns, though security researchers believe many of these services rely heavily on AI-generated content and automated systems rather than human operatives.

This evolution reflects a broader trend among ransomware operations toward data-centric extortion, where the threat of public exposure and regulatory consequences often proves more compelling to victims than file encryption alone.

Qilin’s comprehensive toolkit demonstrates how modern ransomware groups are adapting their business models to maintain profitability in an increasingly challenging operational environment.
