The first half of 2025 has seen the decline and demise of several once-dominant ransomware groups, such as LockBit, RansomHub, Everest and BlackLock, partly due to the impact of previous law enforcement operations, data leaks and breaches.
While these disruptions have left the ransomware landscape more fragmented than ever, with a lack of clear “market leaders,” as experts have noted, one group appears to be gaining a growing presence: Qilin.
This ransomware-as-a-service (RaaS) group, active since October 2022, has recently been observed steadily building its reputation through a series of high-impact cyber-attacks across various industries, according to a report by Cybereason.
The group ranks as the third most active ransomware syndicate in 2025, with 291 claimed victims identified by the ransomware tracking website Ransomware.live, trailing only Akira (348) and Cl0p (404).
The Cybereason researchers have argued that what makes Qilin stand out is not just its activity, but the set of advanced features it offers its affiliates.
These offerings range from operational features to more innovative services, such as a “Call Lawyer” function, which provides legal consultation to increase pressure during ransom negotiations.
Qilin’s RaaS Operational Features
According to the Cybereason report, Qilin operates a technically mature infrastructure, with custom-built malware written in Rust and C for cross-platform attacks, including Windows, Linux and ESXi systems.
The group operates by providing its ransomware tools and infrastructure to affiliates, taking a 15–20% share of the ransom payments. It explicitly instructs its affiliates not to target systems located in countries that are part of the Commonwealth of Independent States (CIS), including Russia and Belarus.
Its RaaS program includes a wide range of operational features, such as:
- An affiliate panel offering Safe Mode execution
- Loaders with advanced evasion features
- Reliable encryption algorithms (ChaCha20, AES and RSA-4096)
- Four operating modes for the encryption software: normal (fully encrypts the file), step-skip (encrypts in fixed-size chunks and skips parts), fast (encrypts the beginning of the file) and percent (encrypts in fixed-size chunks with dynamic skipping, based on the file size)
- Machine reboot, file filtering and service kill features
- Network spreading features
- Log cleanup
- Automated negotiation tools
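For incident triage, the four encryption modes listed above leave different traces in an affected file, and a windowed entropy scan can tell them apart. The following is an added example, not code from the Cybereason report or from this article; the 4 KiB window, the 7.5 bits-per-byte threshold and the sample data are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

CHUNK = 4096   # analysis window in bytes (assumption, not a Qilin parameter)
HIGH = 7.5     # bits per byte at which a window is treated as ciphertext-like (assumption)

def entropy(buf: bytes) -> float:
    """Shannon entropy of buf in bits per byte."""
    counts = Counter(buf)
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts.values())

def profile(data: bytes) -> list:
    """One flag per full window: True when the window looks encrypted.
    A short trailing window is skipped because it cannot reach HIGH reliably."""
    return [entropy(data[i:i + CHUNK]) >= HIGH
            for i in range(0, len(data) - CHUNK + 1, CHUNK)]

def classify(data: bytes) -> str:
    """Map the entropy profile onto the encryption patterns listed above."""
    flags = profile(data)
    if not flags:
        return "too-small"
    if all(flags):
        return "full"            # consistent with 'normal' mode
    if not any(flags):
        return "clean"
    first_low = flags.index(False)
    if first_low > 0 and not any(flags[first_low:]):
        return "head-only"       # consistent with 'fast' mode
    return "interleaved"         # consistent with 'step-skip' or 'percent' mode

def build(layout: str) -> bytes:
    """Constructed sample: 'E' = random bytes standing in for ciphertext,
    'P' = repetitive log text standing in for untouched plaintext."""
    line = b"2025-06-01 12:00:00 INFO service heartbeat ok\n"
    plain = (line * (CHUNK // len(line) + 1))[:CHUNK]
    return b"".join(os.urandom(CHUNK) if c == "E" else plain for c in layout)

if __name__ == "__main__":
    for layout in ("PPPPPPPP", "EEEEEEEE", "EEPPPPPP", "EPPEPPEP"):
        print(layout, "->", classify(build(layout)))
```

Already-compressed formats (archives, JPEG, video) also read as "full", so the result is only meaningful when compared against the expected entropy of the file type or a known-good backup copy.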

Qilin’s Cybercrime-Enabling Features
Beyond providing operational features, Qilin also offers a range of cybercrime-enabling features, including some that have never before been observed for a RaaS group.
These include:
- A 24/7 phone call/SMS spam service
- DDoS feature
- PB-scale data storage
- Full support for negotiations
- Legal assistance to intimidate victims during negotiations
Qilin actively advertises its legal assistance feature, which the group introduced in the latest version of its RaaS program.
Cybereason translated a note posted on the group’s dark web forum which explained the feature further.
“If you need legal consultation regarding your target, simply click the ‘Call lawyer’ button located within the target interface, and our legal team will contact you privately to provide qualified legal support,” the Qilin note said.
“The mere appearance of a lawyer in the chat can exert indirect pressure on the company and increase the ransom amount, as companies want to avoid legal proceedings”, the group continued.
The benefits of working with the Qilin legal department were outlined as follows:
- Legal assessment of your data
- Classification of violations in accordance with applicable legal acts in different jurisdictions
- Legal evaluation of potential damages (including lawsuits, legal costs, reputational risks)
- Ability to conduct direct negotiations between the company and the lawyer
- Advice on how to inflict maximum financial damage on the company if it refuses to comply (and how to avoid similar situations in the future).
According to the Cybereason researchers, Qilin has developed these additional features to position itself “not just as a ransomware group, but as a full-service cybercrime platform.”
“As older operations collapse under pressure, betrayal, or reorganization, Qilin is stepping in, not only to fill the void, but to redefine the ransomware-as-a-service model for the next generation of affiliates,” Cybereason added.