
Ransomware Attack Led by Qilin Aggressively Breached 104 Entities in August

Worldwide Ransomware Attacks: Qilin ransomware carried out 104 attacks in August 2025, leveraging RDP/VPN vulnerabilities and double-extortion tactics to strike various global sectors.

August witnessed a ransomware attack orchestrated by Qilin, reportedly affecting 104 organizations.


In August 2025, the Qilin ransomware group, also known as Agenda, emerged as the most prolific ransomware group, nearly doubling the activity of its nearest competitor, Akira. This Russia-linked cybercriminal group, first observed in 2022, has been responsible for 104 separate global attacks.

The infection chain of Qilin begins with affiliates uploading a malicious ZIP archive, typically named to mimic legitimate software updates. Upon execution, a PowerShell one-liner drops and launches a launcher binary. This binary generates a unique AES session key, encrypts files across mapped drives, and exfiltrates sensitive documents over an HTTPS channel.

Qilin's payload employs a multi-stage loader, which decrypts the core ransomware executable at runtime using a dynamically generated AES key. Once decrypted, the Qilin payload scans the local filesystem for predefined extensions and applies AES-CTR encryption.

Following file encryption, Qilin writes ransom notes to each directory in a file named . Victims are directed to a Tor-based payment portal and threatened with public data leaks if payment is not received. If organizations ignore the demands, affiliates publish exfiltrated data on leak sites within 48 hours.

Initial compromises by Qilin have primarily leveraged exposed Remote Desktop Protocol (RDP) servers and publicly facing VPN gateways. The group's evolving toolkit, particularly its loader and encryption routines, is designed to evade detection and hinder remediation.

The loader's decryption sequence and registry persistence mechanism provide visibility into Qilin's infection chain, aiding defenders in crafting targeted detection rules. Persistence is achieved by registering the loader in the registry key, ensuring execution after reboot.
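As an added illustration (not code from the article or from Cyble), the following Python classifier turns the chain described above into detection logic and runs it over constructed Sysmon-style events: a hidden PowerShell one-liner, a launcher binary started by PowerShell from a staging directory, and an autorun entry pointing back at that binary. The autorun key and the staging paths are assumptions, since the article names neither.

```python
import re
from typing import Dict, List, Tuple

# Assumed autorun locations: the article does not name the exact key Qilin uses.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumed user-writable staging paths where an extracted "update" archive would land.
USER_WRITABLE_RE = re.compile(r"\\(Temp|Downloads)\\", re.IGNORECASE)
# Switches typical of a hidden, encoded PowerShell one-liner.
ONE_LINER_RE = re.compile(r"-nop\b|-w(indowstyle)?\s+hidden|-enc\w*", re.IGNORECASE)


def classify(event: Dict[str, object]) -> List[str]:
    """Return the names of the Qilin-style behaviours a single event matches."""
    hits: List[str] = []
    image = str(event.get("Image", ""))
    if event.get("EventID") == 1:  # process creation
        parent = str(event.get("ParentImage", "")).lower()
        cmd = str(event.get("CommandLine", ""))
        # Launcher binary started by PowerShell from a user-writable directory.
        if parent.endswith("powershell.exe") and USER_WRITABLE_RE.search(image):
            hits.append("powershell_launches_binary_from_user_writable_path")
        # The PowerShell one-liner itself.
        if image.lower().endswith("powershell.exe") and ONE_LINER_RE.search(cmd):
            hits.append("powershell_one_liner")
    elif event.get("EventID") == 13:  # registry value set
        target = str(event.get("TargetObject", ""))
        details = str(event.get("Details", ""))
        # Autorun entry whose value points at a binary in a staging directory.
        if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(details):
            hits.append("run_key_persists_user_writable_binary")
    return hits


# Constructed sample telemetry (not real logs), using Sysmon-style field names.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LAUNCHER = r"C:\Users\alice\AppData\Local\Temp\SoftwareUpdate\update.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64 placeholder>"},
    {"EventID": 1, "Image": LAUNCHER, "ParentImage": PS, "CommandLine": LAUNCHER},
    {"EventID": 13, "Details": LAUNCHER,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "Image": r"C:\Program Files\Vendor\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "app.exe"},  # benign
]


def scan(events) -> List[Tuple[int, str]]:
    """Run every event through classify and flatten the (EventID, hit) pairs."""
    return [(int(e["EventID"]), h) for e in events for h in classify(e)]
```

Only the three chain-related events produce hits; the benign process creation in the sample yields none, which is the baseline a rule like this must keep when tuned against real telemetry.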

Qilin first emerged this year and has cemented its position through aggressive double-extortion tactics and a broad affiliate recruitment strategy. Victims of Qilin's attacks have reported sudden system encryption, data theft, and extortion demands.

Cyble's August threat landscape report highlights the increasing sophistication of Qilin's tooling and campaigns. Affiliates exploit weak credentials and unpatched vulnerabilities to conduct initial reconnaissance before launching attacks.

Organisations are advised to strengthen their cybersecurity defences by regularly updating and patching systems, using strong and unique credentials, and implementing multi-factor authentication. Regular backups and offline storage of sensitive data can also help mitigate the impact of ransomware attacks.
