Qilin Ransomware Surge and Korean Financial Sector Supply Chain Attack
A significant increase in ransomware attacks has been observed, driven by alliances between major ransomware groups and a surge in activity from the Qilin group. Qilin accounted for nearly 29% of all ransomware attacks in October 2025, with industrials, consumer discretionary, and healthcare sectors being the most targeted. North America experienced the majority of these attacks, but South Korea saw a notable spike, particularly in its financial sector, due to a sophisticated supply chain attack involving a compromised Managed Service Provider (MSP). This campaign, dubbed 'Korean Leaks,' resulted in 25 South Korean financial institutions being hit in September alone, a dramatic rise from previous months.
The Qilin group operates as a Ransomware-as-a-Service (RaaS) and has demonstrated explosive growth, leveraging affiliates that include state-linked actors such as North Korea's Moonstone Sleet. The attack on South Korea's financial sector highlights the evolving tactics of ransomware groups, including the use of MSPs as initial access vectors and the blending of criminal and state-sponsored operations. The ongoing alliances and technical sophistication of these groups are expected to drive further increases in ransomware activity, especially during high-traffic periods like the end-of-year holidays.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Bitdefender analyzes Qilin's 'Korean Leaks' campaign
On publication, Bitdefender detailed the Qilin-led South Korean supply-chain attack, linking the campaign to MSP compromise, large-scale data theft, and possible influence from North Korean actor Moonstone Sleet.
Researchers report 88 active ransomware groups in latest quarter
By the latest reported quarter in late 2025, researchers counted 88 active ransomware groups, with new entrants such as The Gentlemen targeting healthcare, financial, and IT sectors.
LockBit 5.0 forms alliances with DragonForce and Qilin
By late 2025, LockBit 5.0 was reported to be partnering with DragonForce and Qilin, a development cited as increasing technical capabilities and making attribution more difficult.
Qilin conducts three-wave 'Korean Leaks' extortion campaign
In late 2025, Qilin carried out a three-wave campaign dubbed 'Korean Leaks,' stealing more than 1 million files and about 2 TB of data while mixing political messaging with extortion demands.
Qilin becomes the most active ransomware group in October
In October 2025, Qilin accounted for 29% of observed ransomware attacks globally, making it the most active group that month, ahead of Sinobi and Akira.
Ransomware attacks rise 41% from September to October
NCC Group reported that global ransomware attacks increased by 41% between September and October 2025, driven by new threat actors and alliances among established groups.
Qilin targets 25 South Korean financial organizations
Using the MSP compromise, Qilin deployed ransomware and conducted data theft against 25 South Korean financial organizations in September 2025, affecting more than 20 asset management companies.
Qilin compromises South Korean MSP GJTec
In September 2025, attackers linked to the Qilin ransomware operation breached South Korean managed service provider GJTec, creating a supply-chain entry point into downstream financial-sector customers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Qilin Ransomware's Surge and High-Profile Attacks on Global Organizations
The Qilin ransomware group has emerged as one of the most prolific ransomware operations, claiming responsibility for over 500 attacks in the past six months and targeting major organizations worldwide. Notably, Qilin has allegedly stolen 10 GB of data from International Game Technology (IGT), a multinational provider in the gaming and fintech sectors, with over 21,000 files reportedly exfiltrated. The group has also targeted other high-profile victims, including Cornerstone Staffing Solutions, Spark Power, and Habib Bank AG Zurich, and is known to collaborate with other ransomware operations such as DragonForce and LockBit. Qilin, along with Akira and INC, accounted for 65% of ransomware attacks in Q3 2025, with a significant portion of these incidents facilitated by compromised VPN credentials. Ransomware activity has seen a marked increase globally, with leak posts rising by 11% over the previous quarter and a surge in attacks reported in October. Attackers are increasingly exploiting vulnerabilities in VPNs and external services, and the prevalence of zero-day vulnerabilities has also grown, with notable bugs affecting Citrix NetScaler, CrushFTP, and Microsoft SharePoint. Security experts recommend organizations implement multi-factor authentication and strengthen vulnerability management practices to mitigate the escalating ransomware threat landscape.
Mar 21, 2026
Q3 2025 Ransomware Surge and the Rise of Qilin and Devman Groups
Ransomware attacks surged globally in the third quarter of 2025, with a 36% year-over-year increase in publicly disclosed incidents, according to BlackFog’s analysis. The number of attacks reached 270 in Q3 2025, compared to 198 in the same period of 2024, marking a 335% increase since Q3 2020. This escalation affected organizations in 93 countries, spanning critical sectors such as airlines, automotive manufacturers, and government entities. The Qilin ransomware group emerged as the most active threat actor during this period, being responsible for 20 incidents, including high-profile attacks like those on the Asahi Group. Notably, 54 ransomware groups were attributed to attacks in this quarter, with 18 new groups emerging, highlighting the fragmentation and volatility in the ransomware ecosystem. Among the newcomers, the Devman group made a significant impact, conducting 19 attacks across Asia, Africa, Europe, and Latin America, and was linked to a $91 million ransom demand. Law enforcement actions in 2024 and 2025, particularly against major operators like LockBit, contributed to the proliferation of new ransomware schemes, with 37 new groups appearing in the first half of 2025 and additional groups surfacing in July and August. Despite these disruptions, the overall volume of ransomware attacks remained high, with the number of victims posted to leak sites in July and August 2025 exceeding those from the same months in 2024. The attacks were more evenly distributed across multiple groups compared to previous years, indicating a shift in the operational landscape. The ransomware threat was not limited to large organizations; small businesses also suffered significant impacts, often lacking the resources to recover, as highlighted by personal accounts of business owners losing substantial revenue and savings. The persistence of legacy vulnerabilities and the absence of multi-factor authentication continued to facilitate successful attacks. Ransomware operators increasingly leveraged data exfiltration and extortion tactics, with a substantial portion of attacks involving the theft and public release of sensitive data. The emergence of new Ransomware-as-a-Service (RaaS) platforms, such as Devman’s, further democratized access to ransomware tools, enabling affiliates to launch attacks with greater ease. The continued evolution of ransomware tactics, the rise of new groups, and the resilience of established actors underscore the ongoing challenge for organizations in defending against these threats. The global ransomware battlefield in Q3 2025 was marked by increased attack frequency, greater diversity of threat actors, and escalating financial and operational impacts on victims.
Mar 21, 2026
Qilin (Agenda) Ransomware Deploys Linux Binaries on Windows via Remote Management Tools
The Qilin ransomware group, also known as Agenda, has adopted a sophisticated cross-platform attack strategy by deploying Linux-based ransomware binaries on Windows systems. This technique leverages legitimate remote management and file transfer tools such as Splashtop, WinSCP, AnyDesk, ATERA RMM, ScreenConnect, and MeshCentral to bypass traditional Windows-centric endpoint detection and response (EDR) solutions. Attackers gain initial access through social engineering, including fake CAPTCHA pages, and use credential theft to facilitate lateral movement and privilege escalation. The group also employs Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security defenses and steals backup credentials, particularly from Veeam, to prevent recovery and maximize extortion leverage. Qilin's operations have impacted over 700 victims globally since January 2025, with a focus on sectors such as manufacturing, professional and scientific services, and wholesale trade. The group uses a double-extortion model, exfiltrating sensitive data with tools like Cyberduck before encrypting files and threatening public disclosure. Qilin's affiliates have been observed using a variety of post-exploitation tools, including Mimikatz and custom scripts, to harvest credentials and exfiltrate data. The group's rapid evolution and ability to evade detection highlight the growing sophistication of ransomware-as-a-service (RaaS) operations targeting organizations worldwide.
Mar 21, 2026