Qilin Ransomware Attacks on North American Organizations
The Qilin ransomware gang has claimed responsibility for significant cyberattacks against major North American organizations, including Canadian electrical services provider Spark Power and U.S.-based recruitment firm Cornerstone Staffing Solutions. In the Spark Power incident, Qilin alleges the theft of 222 GB of data, potentially including operational files, financial records, and employee personal information, with researchers warning of possible operational disruptions if systems are locked. For Cornerstone Staffing Solutions, Qilin claims to have exfiltrated 300 GB of sensitive data, including nearly 1 million files with resumes, personal records, Social Security numbers, and internal financial documents, with sample files leaked to substantiate the breach.
Qilin has emerged as one of the most prolific ransomware operations, reportedly targeting nearly 1,000 organizations since 2023 and over 500 in the past six months alone. The group’s attacks have resulted in the exposure of sensitive employee and business data, raising concerns about the operational and reputational impact on affected organizations. These incidents highlight the ongoing threat posed by ransomware groups to critical infrastructure and service providers across North America.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Qilin alleges extensive breach of Spark Power
Qilin separately claimed responsibility for an extensive hack of Spark Power, indicating another victim disclosure by the ransomware group. No earlier incident date is given in the reference, so the event is dated to the publication date.
Qilin claims hack of Cornerstone Staffing Solutions
The Qilin ransomware operation took responsibility for a cyberattack against Cornerstone Staffing Solutions, publicly alleging the company had been compromised. No additional timing details are provided beyond the report date.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Qilin Ransomware's Surge and High-Profile Attacks on Global Organizations
The Qilin ransomware group has emerged as one of the most prolific ransomware operations, claiming responsibility for over 500 attacks in the past six months and targeting major organizations worldwide. Notably, Qilin has allegedly stolen 10 GB of data from International Game Technology (IGT), a multinational provider in the gaming and fintech sectors, with over 21,000 files reportedly exfiltrated. The group has also targeted other high-profile victims, including Cornerstone Staffing Solutions, Spark Power, and Habib Bank AG Zurich, and is known to collaborate with other ransomware operations such as DragonForce and LockBit. Qilin, along with Akira and INC, accounted for 65% of ransomware attacks in Q3 2025, with a significant portion of these incidents facilitated by compromised VPN credentials. Ransomware activity has seen a marked increase globally, with leak posts rising by 11% over the previous quarter and a surge in attacks reported in October. Attackers are increasingly exploiting vulnerabilities in VPNs and external services, and the prevalence of zero-day vulnerabilities has also grown, with notable bugs affecting Citrix NetScaler, CrushFTP, and Microsoft SharePoint. Security experts recommend organizations implement multi-factor authentication and strengthen vulnerability management practices to mitigate the escalating ransomware threat landscape.
Mar 21, 2026
Qilin (Agenda) Ransomware Deploys Linux Binaries on Windows via Remote Management Tools
The Qilin ransomware group, also known as Agenda, has adopted a sophisticated cross-platform attack strategy by deploying Linux-based ransomware binaries on Windows systems. This technique leverages legitimate remote management and file transfer tools such as Splashtop, WinSCP, AnyDesk, ATERA RMM, ScreenConnect, and MeshCentral to bypass traditional Windows-centric endpoint detection and response (EDR) solutions. Attackers gain initial access through social engineering, including fake CAPTCHA pages, and use credential theft to facilitate lateral movement and privilege escalation. The group also employs Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security defenses and steals backup credentials, particularly from Veeam, to prevent recovery and maximize extortion leverage. Qilin's operations have impacted over 700 victims globally since January 2025, with a focus on sectors such as manufacturing, professional and scientific services, and wholesale trade. The group uses a double-extortion model, exfiltrating sensitive data with tools like Cyberduck before encrypting files and threatening public disclosure. Qilin's affiliates have been observed using a variety of post-exploitation tools, including Mimikatz and custom scripts, to harvest credentials and exfiltrate data. The group's rapid evolution and ability to evade detection highlight the growing sophistication of ransomware-as-a-service (RaaS) operations targeting organizations worldwide.
Mar 21, 2026
Qilin Ransomware Surge and Korean Financial Sector Supply Chain Attack
A significant increase in ransomware attacks has been observed, driven by alliances between major ransomware groups and a surge in activity from the Qilin group. Qilin accounted for nearly 29% of all ransomware attacks in October 2025, with industrials, consumer discretionary, and healthcare sectors being the most targeted. North America experienced the majority of these attacks, but South Korea saw a notable spike, particularly in its financial sector, due to a sophisticated supply chain attack involving a compromised Managed Service Provider (MSP). This campaign, dubbed 'Korean Leaks,' resulted in 25 South Korean financial institutions being hit in September alone, a dramatic rise from previous months. The Qilin group operates as a Ransomware-as-a-Service (RaaS) and has demonstrated explosive growth, leveraging affiliates that include state-linked actors such as North Korea's Moonstone Sleet. The attack on South Korea's financial sector highlights the evolving tactics of ransomware groups, including the use of MSPs as initial access vectors and the blending of criminal and state-sponsored operations. The ongoing alliances and technical sophistication of these groups are expected to drive further increases in ransomware activity, especially during high-traffic periods like the end-of-year holidays.
Mar 21, 2026