Qilin Ransomware Gang Claims 7 of 11 New Victims in 24 Hours

Daily Ransomware Report: Qilin Group Leads Surge in Attacks, Targeting Professional Services and Manufacturing

Severity: HIGH
Published: November 8, 2025
Updated: December 3, 2025

Related Threat Actors: Qilin, DragonForce, Securotop, Yanluowang

Executive Summary

The ransomware landscape remains highly active, with the Qilin ransomware group demonstrating a significant operational tempo on November 8, 2025. The group claimed seven of the eleven new victims posted on data leak sites in a 24-hour period, marking it as the most prolific operator during this time. The attacks show a continued focus on the professional services and manufacturing sectors, likely due to the sensitive data they hold and their perceived willingness to pay. Geographically, the victims were concentrated in the United States, Canada, and the United Kingdom. This activity is part of a sustained, high-volume campaign by multiple ransomware-as-a-service (RaaS) groups that continues to threaten organizations worldwide.


Threat Overview

On November 8, 2025, the following ransomware groups reported new victims:

  • Qilin: 7 victims
  • DragonForce: 3 victims
  • Securotop: 1 victim

This distribution highlights the dominance of the Qilin operation in the current threat landscape. The group operates a RaaS model, providing its malware and infrastructure to affiliates who carry out the attacks in exchange for a share of the profits. This model allows for a high volume of attacks against a diverse set of targets.

The primary targets remain:

  • Professional Services: Including legal, accounting, and consulting firms that hold sensitive client data.
  • Manufacturing: Where operational downtime caused by encryption can lead to massive financial losses, increasing the pressure to pay a ransom.

The total number of victims for 2025 has now reached 6,364, indicating that ransomware activity has not diminished despite law enforcement actions against some groups.

Technical Analysis

Qilin, like many modern RaaS operations, employs a double-extortion strategy. Their typical attack chain involves:

  1. Initial Access: Affiliates commonly gain a foothold through phishing emails (T1566.001 - Spearphishing Attachment), by exploiting unpatched vulnerabilities in public-facing services such as VPN appliances (T1190 - Exploit Public-Facing Application), by logging into exposed remote services such as RDP or VPN portals with stolen or weak credentials (T1133 - External Remote Services), or by purchasing access from initial access brokers.
  2. Reconnaissance and Lateral Movement: Once inside, they use tools like Cobalt Strike and legitimate system utilities to map the network, dump credentials (T1003 - OS Credential Dumping), escalate privileges, and move laterally over RDP (T1021.001 - Remote Desktop Protocol) to reach high-value data repositories and domain controllers.
  3. Data Exfiltration: Before deploying the encryptor, they exfiltrate large volumes of sensitive data to cloud storage under their control (T1567.002 - Exfiltration to Cloud Storage). This data is used as leverage for payment.
  4. Impact: Finally, they deploy the Qilin ransomware payload across the network, encrypting servers and workstations to disrupt business operations (T1486 - Data Encrypted for Impact).

Impact Assessment

The impact of a Qilin ransomware attack is severe. Victims face a multi-faceted crisis:

  • Business Disruption: Encryption of critical systems can halt all operations for days or weeks.
  • Financial Costs: These include the ransom demand itself, costs for forensic investigation, system restoration, and legal counsel.
  • Data Breach: The exfiltration of data triggers regulatory obligations and can lead to significant fines, lawsuits, and loss of customer trust.
  • Reputational Damage: Being named on a public data leak site damages the organization's brand and reputation.

For professional services firms, the breach of client confidentiality can be catastrophic, potentially leading to the loss of major clients and a collapse of the business.

Detection & Response

Early detection is key to preventing widespread encryption.

  1. EDR/XDR Alerts: Monitor for common ransomware precursors, such as the use of tools like Mimikatz for credential dumping, disabling of security software, and deletion of volume shadow copies (vssadmin). These are strong signals of an active intrusion. D3-PA: Process Analysis is essential for this.
  2. Network Data Exfiltration: Use NTA and DLP tools to monitor for and alert on large, anomalous outbound data flows. A sudden upload of gigabytes of data to a cloud service from a file server is a major red flag. This involves D3-UDTA: User Data Transfer Analysis.
  3. Active Directory Monitoring: Monitor for unusual activity in Active Directory, such as the creation of new administrative accounts, privilege escalation, and changes to group policies. D3-DAM: Domain Account Monitoring can provide early warnings.
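The Active Directory monitoring described in item 3, as an added example that is not part of the original report: a small Python correlation over Windows Security audit events that flags an account added to a privileged group shortly after it was created, any other privileged-group membership change, and edits to Group Policy objects. The event model, the privileged-group list, the 30-minute window and the sample events are all assumptions; in production the events would come from a SIEM feed of Security event IDs 4720, 4728/4732/4756 and 5136.

```python
"""Correlate Windows Security audit events for privileged-account abuse and GPO tampering."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Groups whose membership changes always warrant review (assumed list; extend per domain).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# A fresh account landing in one of those groups this quickly is an attacker pattern, not onboarding.
NEW_ACCOUNT_WINDOW = timedelta(minutes=30)

# Security event IDs used below:
#   4720 user account created
#   4728 / 4732 / 4756 member added to a global / local / universal security group
#   5136 directory service object modified (GPO edits carry objectClass groupPolicyContainer)


@dataclass(frozen=True)
class SecEvent:
    time: datetime
    event_id: int
    subject: str            # account that performed the action
    target: str             # account created, member added, or DN of the object modified
    group: str = ""         # for 4728 / 4732 / 4756
    object_class: str = ""  # for 5136


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    subject: str
    target: str


def detect_ad_abuse(events):
    """Return alerts in chronological order; input events may arrive out of order."""
    created = {}  # account (lower-cased) -> creation time
    alerts = []
    for e in sorted(events, key=lambda x: x.time):
        if e.event_id == 4720:
            created[e.target.lower()] = e.time
        elif e.event_id in (4728, 4732, 4756) and e.group.lower() in PRIVILEGED_GROUPS:
            born = created.get(e.target.lower())
            member = f"{e.target} -> {e.group}"
            if born is not None and e.time - born <= NEW_ACCOUNT_WINDOW:
                alerts.append(Alert("critical", "new account placed in privileged group", e.subject, member))
            else:
                alerts.append(Alert("high", "privileged group membership change", e.subject, member))
        elif e.event_id == 5136 and e.object_class.lower() == "grouppolicycontainer":
            alerts.append(Alert("high", "group policy object modified", e.subject, e.target))
    return alerts


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample events (not real audit data); deliberately out of order.
SAMPLE_AD_EVENTS = [
    SecEvent(_t("2025-11-08T02:13:40"), 4728, "CORP\\jsmith", "svc_updt", group="Domain Admins"),
    SecEvent(_t("2025-11-08T02:11:04"), 4720, "CORP\\jsmith", "svc_updt"),
    SecEvent(_t("2025-11-08T02:20:15"), 5136, "CORP\\svc_updt",
             "CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example", object_class="groupPolicyContainer"),
    SecEvent(_t("2025-11-08T09:00:00"), 4720, "CORP\\hr.ops", "new.hire"),
    SecEvent(_t("2025-11-08T09:05:00"), 4728, "CORP\\hr.ops", "new.hire", group="Sales Staff"),
    SecEvent(_t("2025-11-08T14:00:00"), 4732, "CORP\\it.ops", "backup_admin", group="Administrators"),
]

if __name__ == "__main__":
    for a in detect_ad_abuse(SAMPLE_AD_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.target} (by {a.subject})")
```

The ordinary onboarding at 09:00 produces nothing, the 02:11 creation followed two minutes later by Domain Admins membership is critical, and the GPO edit by that same new account is the follow-on signal a responder would want correlated on the same timeline.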

Mitigation

A multi-layered, defense-in-depth approach is required to defend against ransomware.

  1. Immutable Backups: This is the most critical defense. Maintain offline (air-gapped) or immutable backups of all critical data and systems. Regularly test the restoration process to ensure you can recover without paying the ransom.
  2. Patch Management: Promptly patch all internet-facing systems and software to close the vulnerabilities that ransomware affiliates commonly exploit. This is a fundamental aspect of D3-SU: Software Update.
  3. Multi-Factor Authentication (MFA): Enforce MFA on all remote access points (VPN, RDP), email accounts, and privileged accounts. This mitigates the risk of stolen credentials being used for initial access.
  4. Network Segmentation: Segment your network to limit an attacker's ability to move laterally. A flat network allows ransomware to spread unimpeded. Isolate critical assets in secure zones.

Timeline of Events

  1. November 8, 2025: 11 new ransomware victims are reported, with Qilin claiming 7, DragonForce claiming 3, and Securotop claiming 1.
  2. November 8, 2025: This article was published.

Article Updates

December 3, 2025

Ransomware tactics shift with increased data extortion and decreased encryption rates, impacting manufacturing sector.

MITRE ATT&CK Mitigations

  • Multi-factor Authentication (M1032): The most effective control against credential-based initial access. It should be enforced on all external-facing services.
  • Update Software (M1051): Regularly patching vulnerabilities in VPNs, firewalls, and other internet-facing appliances closes common entry points for ransomware groups.
  • Network Segmentation (M1030): Proper segmentation can contain a ransomware outbreak, preventing it from spreading from workstations to critical servers and backups.
  • Audit (M1047): Comprehensive logging and auditing of endpoint and network activity are crucial for detecting the precursor activities of a ransomware attack.

D3FEND Defensive Countermeasures

While this seems counterintuitive in a ransomware context, proactively encrypting sensitive data at rest reduces the leverage of the exfiltration half of a double-extortion attack, but only against one access pattern: an attacker who copies raw files, database backups or virtual disk images. Transparent Data Encryption (TDE) keeps database files and backups encrypted on disk, and full-disk encryption (e.g., BitLocker) protects a volume that is offline or has been removed from the server. Neither helps in the more common case where the affiliate holds valid credentials on a running system: a mounted BitLocker volume is plaintext to every process on that host, and TDE decrypts transparently for any login that can query the database. The control therefore has to be combined with strong access controls, key management kept separate from the data (an HSM or key service the database host cannot administer), and exfiltration monitoring. Where it does apply, if Qilin exfiltrates an encrypted database file or backup without the key, the data is useless to them, which shifts the goal from preventing every breach (difficult) to making the stolen copy worthless and removing the attacker's leverage over that data set.

To detect the data exfiltration stage of a Qilin attack, organizations must implement User Data Transfer Analysis: use a Data Loss Prevention (DLP) or Network Traffic Analysis (NTA) solution to baseline the volume, destinations and file types of data leaving the network per host, and alert on deviation from that baseline rather than on an absolute threshold alone, since a backup target legitimately pushes tens of gigabytes a day while a file server normally pushes almost nothing. Security teams should create specific rules for large transfers of compressed archives (.zip, .rar, .7z) to untrusted or consumer-grade cloud storage providers (e.g., Mega, Dropbox, Google Drive); affiliates stage data into archives before upload, so the archiving tool running on a file server is a complementary endpoint signal. An alert should be triggered if, for example, a server that normally sends minimal outbound traffic suddenly uploads 100GB of data. Because the upload is TLS to a legitimate service, NTA sees only volume and destination; file names come from the endpoint DLP agent or a decrypting proxy. This provides a high-confidence indicator of an active breach and may give the security team a chance to terminate the connection before the exfiltration is complete and the encryption begins.
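The baseline-plus-archive logic described above and in Detection & Response item 2, as an added example that is not part of the original report: a Python detector run over constructed per-host outbound transfer records of the kind a proxy, NTA or DLP export would produce. The record format, the consumer-cloud domain list, the 10x ratio, the 5 GB volume floor and the 500 MB archive floor are assumptions to be tuned against real traffic.

```python
"""Baseline-driven detection of bulk data exfiltration to consumer cloud storage."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

GB = 1024 ** 3
MB = 1024 ** 2

# Destinations a corporate file server has no business uploading to (assumed list).
CONSUMER_CLOUD = ("mega.nz", "dropbox.com", "drive.google.com")
ARCHIVE_EXT = (".zip", ".rar", ".7z")


@dataclass(frozen=True)
class Flow:
    """One aggregated outbound transfer as a proxy/NTA/DLP export would record it."""
    day: str            # ISO date, so plain string comparison orders days correctly
    host: str
    dst: str            # destination host name
    bytes_out: int
    filename: str = ""  # only populated when the DLP agent or proxy saw a file name


@dataclass(frozen=True)
class Alert:
    host: str
    kind: str
    detail: str


def daily_totals(flows):
    totals = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    for f in flows:
        totals[f.host][f.day] += f.bytes_out
    return totals


def baseline_bytes(days, today):
    """Median daily outbound volume on days strictly before `today`; 0 with no history."""
    history = [b for d, b in days.items() if d < today]
    return median(history) if history else 0


def detect_exfiltration(flows, today, ratio=10, floor=5 * GB, archive_floor=500 * MB):
    alerts = []
    totals = daily_totals(flows)
    for host, days in totals.items():
        observed = days.get(today, 0)
        base = baseline_bytes(days, today)
        # The floor stops a host with little history (baseline near 0) from alerting on a
        # few hundred megabytes; the ratio stops a backup target that legitimately pushes
        # tens of gigabytes every day from alerting every day.
        if observed >= floor and observed > ratio * base:
            alerts.append(Alert(host, "volume_anomaly",
                                f"{observed / GB:.1f} GB out today vs median {base / GB:.2f} GB/day"))
    for f in flows:
        if f.day != today or f.bytes_out < archive_floor:
            continue
        dst = f.dst.lower()
        if (any(dst == d or dst.endswith("." + d) for d in CONSUMER_CLOUD)
                and f.filename.lower().endswith(ARCHIVE_EXT)):
            alerts.append(Alert(f.host, "archive_to_consumer_cloud",
                                f"{f.bytes_out / GB:.1f} GB {f.filename} -> {f.dst}"))
    return alerts


def _history(host, dst, per_day):
    """Seven quiet days of constructed baseline traffic for one host."""
    return [Flow(f"2025-11-0{i}", host, dst, per_day) for i in range(1, 8)]


# Constructed sample traffic, not real telemetry.
SAMPLE_FLOWS = (
    _history("FS01", "sharepoint.corp.example", 200 * MB)
    + _history("BK01", "backup.corp.example", 50 * GB)
    + _history("WS-1042", "sharepoint.corp.example", 500 * MB)
    + [
        Flow("2025-11-08", "FS01", "sharepoint.corp.example", 150 * MB),
        Flow("2025-11-08", "FS01", "mega.nz", 100 * GB, "finance_share.7z"),
        Flow("2025-11-08", "BK01", "backup.corp.example", 80 * GB),
        Flow("2025-11-08", "WS-1042", "sharepoint.corp.example", 400 * MB),
        Flow("2025-11-08", "WS-1042", "dropbox.com", 300 * MB, "holiday_photos.zip"),
    ]
)

if __name__ == "__main__":
    for a in detect_exfiltration(SAMPLE_FLOWS, "2025-11-08"):
        print(f"{a.host:8} {a.kind:26} {a.detail}")
```

The backup server moving 80 GB stays silent because its own baseline is 50 GB a day, while the file server that normally sends 200 MB trips both rules on the same 100 GB archive upload to Mega; a fixed threshold alone would have produced either a daily false positive on BK01 or a blind spot on FS01.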

Detecting ransomware precursors requires deep Process Analysis via an EDR tool with command-line capture enabled (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing turned on). Security teams must configure alerts on the specific, high-risk command lines ransomware affiliates run before deployment. For groups like Qilin, this includes vssadmin.exe delete shadows, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures (commonly paired with bcdedit /set {default} recoveryenabled no), and wevtutil.exe cl Security. Match on the binary plus the destructive verb: vssadmin list shadows and wevtutil qe Security are routine administration, whereas delete shadows and cl are almost exclusively used to hinder recovery and cover tracks. Creating high-severity alerts for these command lines on any endpoint, but especially on servers, provides an unambiguous signal of an impending ransomware deployment and allows automated responses, such as isolating the host from the network, to be triggered immediately, containing the threat before encryption can begin.
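The command-line rules from Detection & Response item 1 and from the Process Analysis paragraph above, as an added example that is not part of the original report: a Python detector run over constructed JSON-lines process-creation events. The field names (host, user, cmdline), the hostname-based is_server() heuristic, the severity scheme and the sample events are assumptions; a real deployment would feed it from EDR or Sysmon Event ID 1 and consult an asset inventory. It goes slightly beyond the page by also covering the wmic shadowcopy delete, vssadmin resize shadowstorage and bcdedit recoveryenabled no variants, which are the same recovery-inhibition step by other means.

```python
"""Flag recovery-inhibition and log-clearing commands in process-creation telemetry.

Input is JSON lines with host, user and cmdline fields (assumed export format);
Sysmon Event ID 1 or Security 4688 with command-line auditing carry the same data.
"""
import json
import re
from dataclasses import dataclass

# Each pattern anchors on the binary name plus the destructive verb so that benign
# administration (vssadmin list shadows, wevtutil qe Security) does not fire.
RULES = (
    ("vssadmin shadow copy deletion", "high",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin shadow storage shrink", "medium",  # occasionally legitimate, so lower base severity
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic shadow copy deletion", "high",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit boot recovery disabled", "high",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\b(?:bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b", re.I)),
    ("wevtutil event log cleared", "high",
     re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I)),
)

# Servers hold the data the encryptor is after, so the same command there is one notch worse.
SEVERITY_ON_SERVER = {"medium": "high", "high": "critical"}


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    severity: str
    cmdline: str


def is_server(host: str) -> bool:
    """Placeholder for an asset-inventory lookup; the naming convention is an assumption."""
    h = host.lower()
    return h.startswith(("dc", "fs", "sql")) or h.endswith("-srv")


def normalise(cmdline: str) -> str:
    """Strip quoting and collapse whitespace so quoted full paths still match."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip()


def analyse_process_events(json_lines):
    alerts = []
    for line in json_lines:
        ev = json.loads(line)
        cmd = normalise(ev.get("cmdline", ""))
        for rule, base_severity, pattern in RULES:
            if pattern.search(cmd):
                severity = SEVERITY_ON_SERVER[base_severity] if is_server(ev["host"]) else base_severity
                alerts.append(Alert(ev["host"], ev["user"], rule, severity, cmd))
                break  # one alert per event; first matching rule wins
    return alerts


# Constructed sample telemetry, not real incident data.
SAMPLE_PROCESS_EVENTS = [
    r'{"host": "FS01-SRV", "user": "CORP\\svc_backup", "cmdline": "\"C:\\Windows\\System32\\vssadmin.exe\"  delete shadows /all /quiet"}',
    r'{"host": "WS-1042", "user": "CORP\\jdoe", "cmdline": "vssadmin list shadows"}',
    r'{"host": "WS-1042", "user": "CORP\\jdoe", "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"}',
    r'{"host": "WS-1042", "user": "CORP\\jdoe", "cmdline": "bcdedit /set {default} recoveryenabled No"}',
    r'{"host": "DC01", "user": "CORP\\jsmith", "cmdline": "wevtutil.exe cl Security"}',
    r'{"host": "WS-2211", "user": "CORP\\helpdesk", "cmdline": "wevtutil qe Security /c:5 /f:text"}',
    r'{"host": "WS-0777", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "cmd.exe /c wmic shadowcopy delete"}',
    r'{"host": "FS02-SRV", "user": "CORP\\svc_backup", "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"}',
]

if __name__ == "__main__":
    for a in analyse_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{a.severity:8}] {a.host:9} {a.user:22} {a.rule}: {a.cmdline}")
```

The two benign administrative commands (list shadows, wevtutil qe) produce nothing, the quoted full path to vssadmin.exe still matches after normalisation, and the same shadow-copy deletion is critical on the file server but high on a workstation, which is the distinction an automated isolation playbook needs.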

Sources & References

  • Daily Ransomware Report 11-08-2025, PurpleOps (purpleops.com), November 8, 2025
  • List of Recent Data Breaches in 2025, BrightDefense (brightdefense.com), November 5, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags: Ransomware, Qilin, DragonForce, Data Breach, Cybercrime, RaaS
