Qilin Ransomware Claims 7 New Victims in 24h
Statistical Overview
Victim Totals
- This month: 206
- This quarter: 206
- Year to date: 5212
- Last 24h: 19
Quarterly Breakdown
Q1: 2631 | Q2: 2386 | Q3: 206 | Q4: 0
The quarter started slowly compared to previous periods, with 206 victims reported. This is significantly lower than the annual total of 5212. Daily activity remained consistent, with 19 new victims in the last 24 hours.
Introduction
Ransomware activity recently included 19 new victims. Qilin was the most active group, responsible for 7 compromises. Other groups included Settra (3 victims), Brain Cipher (2), and Everest (2). Attackers targeted various sectors: professional services, manufacturing, retail & ecommerce, and critical infrastructure. Most affected organizations were in the United States.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 7 | Alan f burke, Bronken's dist, Hum & jacoby (+4) | United States, Singapore | Professional Services, Retail & Ecommerce |
| 2 | Settra | 3 | Bergdemo.com, Gvfsinc.com, Wtlawllp.co.uk | United Kingdom, United States | Agriculture & Food, Legal |
| 3 | Brain Cipher | 2 | Iac-intl.com, Robroy.com | United States | Manufacturing, Construction & Engineering |
| 4 | Everest | 2 | Nimr oil, Techcorr | Qatar, United States | Energy & Utilities, Professional Services |
| 5 | 3AM | 1 | Tws-tac.net | United States | Transportation & Logistics |
| 6 | AiLock | 1 | Pinturas prisa | Mexico | Manufacturing |
| 7 | Arcus | 1 | East african gasoil | Kenya | Energy & Utilities |
| 8 | Payload | 1 | The commune of castries | France | Professional Services |
| 9 | PayoutsKing | 1 | Welldyne | United States | Pharmaceuticals & Biotech |
Qilin leads the activity with 7 victims, primarily targeting professional services and retail in the United States and Singapore. Other active groups were Settra ransomware, which targeted agriculture and legal sectors, and Everest ransomware, which impacted energy and professional services, including Nimr Oil and Techcorr. Key targets included The Commune of Castries in France, a governmental entity, and Welldyne in the US, a pharmaceutical benefits management firm. East African Gasoil in Kenya is critical energy infrastructure.
Victim Distribution
By Country
- United States: 12
- Belgium: 1
- United Kingdom: 1
- Singapore: 1
- Qatar: 1
- Mexico: 1
- Kenya: 1
- France: 1
By Industry
- Accounting Services: 2
- Oil and Gas: 2
- Demolition and Construction: 1
- Wholesale Trade - Nondurable Goods: 1
- Sporting Goods Retail: 1
- Recreational Boating: 1
- Pharmacy Benefits Management: 1
- Non-Destructive Testing and Inspection Services: 1
- Manufacturing and Production: 1
- Freight Transportation Arrangement: 1
Attacks continue to concentrate in the United States, which remains a frequent target. Industry targeting remains diverse, but a focus on critical sectors like Oil and Gas, Accounting Services, and Pharmaceuticals & Biotech shows they can cause significant operational disruption and data exposure.
Ransomware News
Topline
Recent intelligence shows a sustained threat from ransomware operations, characterized by significant data exfiltration, advanced evasion techniques, and a continued focus on critical sectors.
Campaigns & Operations
The CMD Organization claimed an attack on Mount Royal University, exfiltrating sensitive data and demanding a 30 BTC ransom. Recovery efforts could extend for months. Separately, a state-owned Latvian forestry company continues to restore systems weeks after a ransomware attack by a financially motivated group leaked 44 GB of data. The ASEC report shows the persistent dark web market for leaked data, including sales of Saudi Arabian medical records, data from an Irish ICT company, and a US healthcare insurer.
Vulnerabilities & TTPs
Threat actors continue to use sophisticated defense evasion tactics. For example, the GodDamn ransomware (rebranded Beast/MONSTER) deploys the signed PoisonX kernel driver for BYOVD and credential harvesting. Analysis of Windows web server attacks shows web shells remain a primary entry vector. They enable privilege escalation and lateral movement. Actor UAT-8099, for instance, deployed LockBit 3.0 ransomware after initial compromise. Exploiting unpatched software vulnerabilities remains a key initial access method.
Technical Takeaways
- Qilin is the most active ransomware group, impacting professional services and retail sectors.
- The United States remains the primary target geography, with a focus on critical sectors like Oil and Gas, Accounting Services, and Pharmaceuticals & Biotech.
- Ransomware groups actively use advanced defense evasion techniques, such as deploying signed kernel drivers (e.g., PoisonX by GodDamn ransomware), to disable endpoint security.
- Web shells are a common initial access method for compromising Windows web servers. They lead to lateral movement and ransomware deployment (e.g., LockBit 3.0 by UAT-8099).
- Data exfiltration and sales on dark web marketplaces remain an important part of ransomware operations, even when ransoms are not paid.