Qilin Ransomware's Surge and High-Profile Attacks on Global Organizations
The Qilin ransomware group has emerged as one of the most prolific ransomware operations, claiming responsibility for over 500 attacks in the past six months and targeting major organizations worldwide. Notably, Qilin has allegedly stolen 10 GB of data from International Game Technology (IGT), a multinational provider in the gaming and fintech sectors, with over 21,000 files reportedly exfiltrated. The group has also targeted other high-profile victims, including Cornerstone Staffing Solutions, Spark Power, and Habib Bank AG Zurich, and is known to collaborate with other ransomware operations such as DragonForce and LockBit. Qilin, along with Akira and INC, accounted for 65% of ransomware attacks in Q3 2025, with a significant portion of these incidents facilitated by compromised VPN credentials.
Ransomware activity has seen a marked increase globally, with leak posts rising by 11% over the previous quarter and a surge in attacks reported in October. Attackers are increasingly exploiting vulnerabilities in VPNs and external services, and the prevalence of zero-day vulnerabilities has also grown, with notable bugs affecting Citrix NetScaler, CrushFTP, and Microsoft SharePoint. Security experts recommend organizations implement multi-factor authentication and strengthen vulnerability management practices to mitigate the escalating ransomware threat landscape.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Qilin claims hack of International Game Technology
Qilin ransomware claimed responsibility for a cyberattack against International Game Technology. The claim was reported publicly by November 20, 2025.
KnowBe4 reports global ransomware surge in October 2025
A KnowBe4 report said ransomware attacks surged globally in October 2025. The report was published on November 20, 2025, but the underlying event concerns increased attack activity during October.
Zero-day advisories increase sharply in Q3 2025
Zero-day advisories rose by 38% during the third quarter of 2025. Major disclosures involved Citrix NetScaler, CrushFTP, and Microsoft SharePoint ToolShell vulnerabilities.
Stolen VPN credentials dominate ransomware initial access in Q3
In Q3 2025, stolen VPN credentials were the most common initial access vector in ransomware incidents, appearing in 48% of cases. Akira was noted for exploiting SonicWall SSL VPN devices that lacked multi-factor authentication and proper policies.
Ransomware leak posts rise in Q3 2025
Between July and September 2025, ransomware leak posts increased by 11% compared with the previous quarter. Akira, Qilin, and INC accounted for 65% of ransomware attacks during the quarter.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Qilin ransomware claims International Game Technology hack
scworld.com
Open sourceQ3 ransomware activity dominated by three groups, stolen VPN credential use
scworld.com
Open sourceReport: Ransomware Attacks Surged Globally in October
blog.knowbe4.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Qilin Ransomware Attacks on North American Organizations
The Qilin ransomware gang has claimed responsibility for significant cyberattacks against major North American organizations, including Canadian electrical services provider Spark Power and U.S.-based recruitment firm Cornerstone Staffing Solutions. In the Spark Power incident, Qilin alleges the theft of 222 GB of data, potentially including operational files, financial records, and employee personal information, with researchers warning of possible operational disruptions if systems are locked. For Cornerstone Staffing Solutions, Qilin claims to have exfiltrated 300 GB of sensitive data, including nearly 1 million files with resumes, personal records, Social Security numbers, and internal financial documents, with sample files leaked to substantiate the breach. Qilin has emerged as one of the most prolific ransomware operations, reportedly targeting nearly 1,000 organizations since 2023 and over 500 in the past six months alone. The group’s attacks have resulted in the exposure of sensitive employee and business data, raising concerns about the operational and reputational impact on affected organizations. These incidents highlight the ongoing threat posed by ransomware groups to critical infrastructure and service providers across North America.
Mar 21, 2026
Qilin Ransomware Surge and Korean Financial Sector Supply Chain Attack
A significant increase in ransomware attacks has been observed, driven by alliances between major ransomware groups and a surge in activity from the Qilin group. Qilin accounted for nearly 29% of all ransomware attacks in October 2025, with industrials, consumer discretionary, and healthcare sectors being the most targeted. North America experienced the majority of these attacks, but South Korea saw a notable spike, particularly in its financial sector, due to a sophisticated supply chain attack involving a compromised Managed Service Provider (MSP). This campaign, dubbed 'Korean Leaks,' resulted in 25 South Korean financial institutions being hit in September alone, a dramatic rise from previous months. The Qilin group operates as a Ransomware-as-a-Service (RaaS) and has demonstrated explosive growth, leveraging affiliates that include state-linked actors such as North Korea's Moonstone Sleet. The attack on South Korea's financial sector highlights the evolving tactics of ransomware groups, including the use of MSPs as initial access vectors and the blending of criminal and state-sponsored operations. The ongoing alliances and technical sophistication of these groups are expected to drive further increases in ransomware activity, especially during high-traffic periods like the end-of-year holidays.
Mar 21, 2026
Qilin (Agenda) Ransomware Deploys Linux Binaries on Windows via Remote Management Tools
The Qilin ransomware group, also known as Agenda, has adopted a sophisticated cross-platform attack strategy by deploying Linux-based ransomware binaries on Windows systems. This technique leverages legitimate remote management and file transfer tools such as Splashtop, WinSCP, AnyDesk, ATERA RMM, ScreenConnect, and MeshCentral to bypass traditional Windows-centric endpoint detection and response (EDR) solutions. Attackers gain initial access through social engineering, including fake CAPTCHA pages, and use credential theft to facilitate lateral movement and privilege escalation. The group also employs Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security defenses and steals backup credentials, particularly from Veeam, to prevent recovery and maximize extortion leverage. Qilin's operations have impacted over 700 victims globally since January 2025, with a focus on sectors such as manufacturing, professional and scientific services, and wholesale trade. The group uses a double-extortion model, exfiltrating sensitive data with tools like Cyberduck before encrypting files and threatening public disclosure. Qilin's affiliates have been observed using a variety of post-exploitation tools, including Mimikatz and custom scripts, to harvest credentials and exfiltrate data. The group's rapid evolution and ability to evade detection highlight the growing sophistication of ransomware-as-a-service (RaaS) operations targeting organizations worldwide.
Mar 21, 2026