Qilin Ransomware Surge and Korean Financial Sector Supply Chain Attack
A significant increase in ransomware attacks has been observed, driven by alliances between major ransomware groups and a surge in activity from the Qilin group. Qilin accounted for nearly 29% of all ransomware attacks in October 2025, with industrials, consumer discretionary, and healthcare sectors being the most targeted. North America experienced the majority of these attacks, but South Korea saw a notable spike, particularly in its financial sector, due to a sophisticated supply chain attack involving a compromised Managed Service Provider (MSP). This campaign, dubbed 'Korean Leaks,' resulted in 25 South Korean financial institutions being hit in September alone, a dramatic rise from previous months.
The Qilin group operates as a Ransomware-as-a-Service (RaaS) and has demonstrated explosive growth, leveraging affiliates that include state-linked actors such as North Korea's Moonstone Sleet. The attack on South Korea's financial sector highlights the evolving tactics of ransomware groups, including the use of MSPs as initial access vectors and the blending of criminal and state-sponsored operations. The ongoing alliances and technical sophistication of these groups are expected to drive further increases in ransomware activity, especially during high-traffic periods like the end-of-year holidays.
Related Stories
Qilin Ransomware's Surge and High-Profile Attacks on Global Organizations
The Qilin ransomware group has emerged as one of the most prolific ransomware operations, claiming responsibility for over 500 attacks in the past six months and targeting major organizations worldwide. Notably, Qilin has allegedly stolen 10 GB of data from International Game Technology (IGT), a multinational provider in the gaming and fintech sectors, with over 21,000 files reportedly exfiltrated. The group has also targeted other high-profile victims, including Cornerstone Staffing Solutions, Spark Power, and Habib Bank AG Zurich, and is known to collaborate with other ransomware operations such as DragonForce and LockBit. Qilin, along with Akira and INC, accounted for 65% of ransomware attacks in Q3 2025, with a significant portion of these incidents facilitated by compromised VPN credentials. Ransomware activity has seen a marked increase globally, with leak posts rising by 11% over the previous quarter and a surge in attacks reported in October. Attackers are increasingly exploiting vulnerabilities in VPNs and external services, and the prevalence of zero-day vulnerabilities has also grown, with notable bugs affecting Citrix NetScaler, CrushFTP, and Microsoft SharePoint. Security experts recommend organizations implement multi-factor authentication and strengthen vulnerability management practices to mitigate the escalating ransomware threat landscape.
3 months ago
Q3 2025 Ransomware Surge and the Rise of Qilin and Devman Groups
Ransomware attacks surged globally in the third quarter of 2025, with a 36% year-over-year increase in publicly disclosed incidents, according to BlackFog’s analysis. The number of attacks reached 270 in Q3 2025, compared to 198 in the same period of 2024, marking a 335% increase since Q3 2020. This escalation affected organizations in 93 countries, spanning critical sectors such as airlines, automotive manufacturers, and government entities. The Qilin ransomware group emerged as the most active threat actor during this period, responsible for 20 incidents, including high-profile attacks such as the one on the Asahi Group. Notably, 54 ransomware groups were attributed attacks in this quarter, with 18 new groups emerging, highlighting the fragmentation and volatility of the ransomware ecosystem. Among the newcomers, the Devman group made a significant impact, conducting 19 attacks across Asia, Africa, Europe, and Latin America, and was linked to a $91 million ransom demand. Law enforcement actions in 2024 and 2025, particularly against major operators like LockBit, contributed to the proliferation of new ransomware schemes, with 37 new groups appearing in the first half of 2025 and additional groups surfacing in July and August. Despite these disruptions, the overall volume of ransomware attacks remained high, with the number of victims posted to leak sites in July and August 2025 exceeding those from the same months in 2024. The attacks were more evenly distributed across multiple groups than in previous years, indicating a shift in the operational landscape. The ransomware threat was not limited to large organizations; small businesses also suffered significant impacts, often lacking the resources to recover, as highlighted by personal accounts of business owners losing substantial revenue and savings. The persistence of legacy vulnerabilities and the absence of multi-factor authentication continued to facilitate successful attacks.
Ransomware operators increasingly leveraged data exfiltration and extortion tactics, with a substantial portion of attacks involving the theft and public release of sensitive data. The emergence of new Ransomware-as-a-Service (RaaS) platforms, such as Devman’s, further democratized access to ransomware tools, enabling affiliates to launch attacks with greater ease. The continued evolution of ransomware tactics, the rise of new groups, and the resilience of established actors underscore the ongoing challenge for organizations in defending against these threats. The global ransomware battlefield in Q3 2025 was marked by increased attack frequency, greater diversity of threat actors, and escalating financial and operational impacts on victims.
5 months ago
Qilin (Agenda) Ransomware Deploys Linux Binaries on Windows via Remote Management Tools
The Qilin ransomware group, also known as Agenda, has adopted a sophisticated cross-platform attack strategy by deploying Linux-based ransomware binaries on Windows systems. This technique leverages legitimate remote management and file transfer tools such as Splashtop, WinSCP, AnyDesk, ATERA RMM, ScreenConnect, and MeshCentral to bypass traditional Windows-centric endpoint detection and response (EDR) solutions. Attackers gain initial access through social engineering, including fake CAPTCHA pages, and use credential theft to facilitate lateral movement and privilege escalation. The group also employs Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security defenses and steals backup credentials, particularly from Veeam, to prevent recovery and maximize extortion leverage. Qilin's operations have impacted over 700 victims globally since January 2025, with a focus on sectors such as manufacturing, professional and scientific services, and wholesale trade. The group uses a double-extortion model, exfiltrating sensitive data with tools like Cyberduck before encrypting files and threatening public disclosure. Qilin's affiliates have been observed using a variety of post-exploitation tools, including Mimikatz and custom scripts, to harvest credentials and exfiltrate data. The group's rapid evolution and ability to evade detection highlight the growing sophistication of ransomware-as-a-service (RaaS) operations targeting organizations worldwide.
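As an added example (not code from the original page or from any of the reporting it summarises), the following Python triage routine turns the key observation above into a defensive check: a Linux ELF binary being written to a Windows host, especially by one of the remote management or file transfer tools the report names, is an anomaly worth escalating. The event format, the process image names, and the sample events are constructed for this example; only the ELF magic bytes and the tool names from the report are taken as given.

```python
"""Triage file-write telemetry for Linux ELF binaries landing on Windows hosts.

The FileWriteEvent shape and the sample events are constructed for this
example and do not correspond to any particular EDR product's schema.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF executable

# Remote management / file transfer tools named in the report as the
# delivery vehicles. Matching is by substring of the process image stem,
# so "AteraAgent.exe" matches "atera"; "meshagent" is MeshCentral's agent
# binary name (assumed here rather than taken from the report).
RMM_AND_TRANSFER_TOOLS = {
    "splashtop", "winscp", "anydesk", "atera",
    "screenconnect", "meshcentral", "meshagent",
}


@dataclass
class FileWriteEvent:
    host: str
    os: str          # "windows" or "linux"
    process: str     # image path or name of the writing process
    path: str        # path of the file that was written
    header: bytes    # first bytes of the written file


def writer_is_rmm_tool(process: str) -> bool:
    """True if the writing process looks like one of the named RMM/transfer tools."""
    name = process.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    stem = name[:-4] if name.endswith(".exe") else name
    return any(tool in stem for tool in RMM_AND_TRANSFER_TOOLS)


def is_elf_on_windows(ev: FileWriteEvent) -> bool:
    """An ELF header on a Windows host is the cross-platform anomaly to look for."""
    return ev.os.lower() == "windows" and ev.header.startswith(ELF_MAGIC)


def classify(ev: FileWriteEvent) -> Optional[str]:
    """Return a severity for the event, or None if it is not of interest.

    "high":   ELF written on Windows by one of the named RMM/transfer tools
    "medium": ELF written on Windows by any other process
    None:     anything else (PE files on Windows, ELF on Linux, ...)
    """
    if not is_elf_on_windows(ev):
        return None
    return "high" if writer_is_rmm_tool(ev.process) else "medium"


def triage(events: List[FileWriteEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, path, severity) for every event that merits attention."""
    findings = []
    for ev in events:
        severity = classify(ev)
        if severity is not None:
            findings.append((ev.host, ev.path, severity))
    return findings


# Constructed sample telemetry: two anomalies, two benign events.
SAMPLE_EVENTS = [
    FileWriteEvent("ws-fin-07", "windows",
                   r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
                   r"C:\Users\Public\enc", b"\x7fELF\x02\x01\x01\x00"),
    FileWriteEvent("ws-fin-12", "windows",
                   r"C:\Windows\System32\svchost.exe",
                   r"C:\ProgramData\tmp\x", b"\x7fELF\x02\x01\x01\x00"),
    FileWriteEvent("ws-fin-07", "windows",
                   r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
                   r"C:\Users\alice\report.exe", b"MZ\x90\x00\x03\x00"),
    FileWriteEvent("srv-lnx-01", "linux", "/usr/bin/cp",
                   "/opt/app/bin/worker", b"\x7fELF\x02\x01\x01\x00"),
]

if __name__ == "__main__":
    for host, path, severity in triage(SAMPLE_EVENTS):
        print(f"{severity.upper():6} {host} {path}")
```

The check keys on the file header rather than the extension because the report's point is that the payload is a Linux binary the Windows-centric EDR is not tuned for; a path-based rule would miss a renamed file, while four bytes of magic do not. The RMM tool list is deliberately a substring match on the image stem so that vendor-specific agent names (`AteraAgent.exe`, `ScreenConnect.ClientService.exe`) still match.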
4 months ago