Qilin Ransomware Group Adds New Victims to Leak Site

Qilin Ransomware Group Continues Attacks, Listing New U.S. Victims on Data Leak Site

Severity: HIGH
Published: October 14, 2025
Updated: October 16, 2025
Categories: Ransomware, Threat Actor

Impact Scope

Affected Companies

Beta Dyne, Middlesex Appraisal Associates

Industries Affected

Manufacturing, Other

Geographic Impact

United States (national)

Related Entities (initial)

Threat Actors

Organizations

Resecurity, American Hospital Association

Other

Beta Dyne, Middlesex Appraisal Associates

Full Report (when first published)

Executive Summary

The Qilin ransomware group, a prominent Ransomware-as-a-Service (RaaS) operator, remains highly active, updating its dark web leak site with newly compromised organizations. The latest victims include U.S.-based companies Beta Dyne and Middlesex Appraisal Associates. A report from Resecurity highlights that the group's longevity and resilience are supported by its reliance on a distributed network of bulletproof hosting providers, which complicates takedown efforts. Qilin employs a double-extortion model, encrypting victim data while also exfiltrating it, threatening to publish the stolen information if the ransom is not paid. This activity underscores the ongoing and serious threat posed by RaaS groups to businesses globally.


Threat Overview

Qilin operates a RaaS platform, providing its affiliates with the malware, infrastructure, and negotiation platform needed to conduct attacks. This model allows the core developers to focus on improving the ransomware while affiliates concentrate on gaining access to victim networks.

The group's modus operandi follows a standard double-extortion playbook:

  1. Initial Access: Affiliates use various methods to breach networks, including exploiting unpatched vulnerabilities, phishing campaigns, or compromised credentials.
  2. Reconnaissance and Lateral Movement: Once inside, they map the network, escalate privileges, and identify high-value data.
  3. Data Exfiltration: Before deploying the ransomware, sensitive data is exfiltrated to servers controlled by the Qilin group. This is used as leverage in negotiations.
  4. Encryption and Impact: The ransomware, an example of T1486 - Data Encrypted for Impact, is deployed across the network, rendering systems and files unusable.
  5. Extortion: A ransom note is left, directing the victim to the group's Tor-based negotiation site. If the victim refuses to pay, their name is added to the public leak site, and the stolen data may be released.

The use of bulletproof hosting makes the group's C2 servers and leak sites resistant to actions by law enforcement and security vendors.


Impact Assessment

Victims of the Qilin ransomware group face multifaceted consequences:

  • Operational Disruption: The encryption of critical systems can halt business operations entirely, leading to significant financial losses.
  • Data Breach: The exfiltration and potential public release of sensitive data can result in severe reputational damage, regulatory fines (e.g., under GDPR or HIPAA), and loss of customer trust.
  • Financial Cost: Beyond the ransom demand itself, victims face substantial costs related to incident response, system recovery, legal fees, and potential lawsuits.

The recent victims, a manufacturer (Beta Dyne) and a real estate appraisal firm (Middlesex Appraisal Associates), demonstrate the group's opportunistic and sector-agnostic targeting.


Detection & Response

Detecting ransomware early in its lifecycle is key to preventing widespread impact.

  1. Monitor for Reconnaissance Tools: Look for the use of common reconnaissance tools like AdFind, BloodHound, or network scanners, which are often used by affiliates before deploying ransomware.
  2. Detect Credential Dumping: Monitor for processes accessing LSASS memory or suspicious activity related to the SAM database or NTDS.dit file. This is a common precursor to lateral movement. Use D3FEND technique D3-DAM: Domain Account Monitoring.
  3. Identify Data Staging and Exfiltration: Alert on the creation of large compressed files (.zip, .7z) in unusual locations or large, sustained data transfers to unknown external destinations. Use D3FEND's D3-NTA: Network Traffic Analysis.
  4. Detect Encryption Activity: Use EDR and FIM solutions to detect rapid, widespread file modification with a specific file extension being appended. Many security tools have specific heuristics to detect this behavior.
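The two file-level detections above (staging of large archives, and bulk renames that append one extension) can be expressed as simple heuristics over EDR or FIM file events. The following is an added example, not code from the article or from any vendor product: the record layout, the "unusual" directories, the size and burst thresholds, and every host, process and path in the sample events are constructed assumptions. It generalises the text slightly by keying the burst detection on the (host, process, appended extension) triple, so any new extension is caught, not just a known one.

```python
"""Heuristics for two of the detections listed above, run over constructed
file-event records. Added example; the record layout and thresholds are
assumptions, not the article's or any vendor's."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed EDR/FIM record layout: (timestamp, host, process, action, path, size_bytes).
# For "rename" events the path field is written "old -> new".
ARCHIVE_EXTS = {".zip", ".7z", ".rar"}
# Assumed "unusual" drop locations for staged archives (lower-case substrings).
STAGING_DIRS = ("\\users\\public\\", "\\windows\\temp\\", "\\programdata\\", "\\$recycle.bin\\")
STAGING_MIN_BYTES = 500 * 1024 * 1024   # only large archives are interesting
BURST_WINDOW = timedelta(seconds=60)
BURST_MIN_FILES = 20                     # files renamed with the same new extension ...
BURST_MIN_DIRS = 3                       # ... spread over at least this many directories


def detect_staging(events):
    """Large archive created in a staging-style location: possible pre-exfil bundling."""
    hits = []
    for ts, host, proc, action, path, size in events:
        low = path.lower()
        if (action == "create" and ntpath.splitext(low)[1] in ARCHIVE_EXTS
                and any(d in low for d in STAGING_DIRS) and size >= STAGING_MIN_BYTES):
            hits.append({"time": ts, "host": host, "process": proc, "path": path, "bytes": size})
    return hits


def detect_encryption_burst(events):
    """One process appending the same extension to many files in many directories
    within BURST_WINDOW: the rename pattern of a bulk encryptor."""
    by_key = defaultdict(list)           # (host, process, appended ext) -> [(time, dir)]
    for ts, host, proc, action, path, size in events:
        if action != "rename" or " -> " not in path:
            continue
        old, new = path.split(" -> ", 1)
        if not new.startswith(old):      # only the "extension appended" pattern
            continue
        by_key[(host, proc, new[len(old):])].append(
            (datetime.fromisoformat(ts), ntpath.dirname(new)))
    alerts = []
    for (host, proc, ext), items in by_key.items():
        items.sort()
        start = 0
        for end in range(len(items)):    # sliding window over time-ordered renames
            while items[end][0] - items[start][0] > BURST_WINDOW:
                start += 1
            window = items[start:end + 1]
            dirs = {d for _, d in window}
            if len(window) >= BURST_MIN_FILES and len(dirs) >= BURST_MIN_DIRS:
                alerts.append({"host": host, "process": proc, "extension": ext,
                               "files": len(window), "dirs": len(dirs)})
                break                    # one alert per (host, process, extension)
    return alerts


def build_sample_events():
    """Constructed events: one staging drop, one benign archive, one encryption
    burst across five share directories and one small benign rename batch."""
    base = datetime(2025, 10, 15, 2, 10, 0)
    ev = [
        ("2025-10-15T02:05:00", "WS01", "7z.exe", "create", r"C:\Users\Public\q.7z", 3_500_000_000),
        ("2025-10-15T02:06:00", "WS01", "explorer.exe", "create",
         r"C:\Users\alice\Documents\photos.zip", 20_000_000),
    ]
    for i in range(25):
        d = rf"\\FS01\share\dept{i % 5}"
        ev.append(((base + timedelta(seconds=i)).isoformat(), "WS01", "unknown.exe", "rename",
                   rf"{d}\doc{i}.docx -> {d}\doc{i}.docx.locked", 0))
    for i in range(3):
        p = rf"C:\Users\bob\Desktop\a{i}.txt"
        ev.append(((base + timedelta(seconds=i)).isoformat(), "WS02", "explorer.exe", "rename",
                   f"{p} -> {p}.bak", 0))
    return ev


def run_detections(events):
    """Run both heuristics and return their findings keyed by detection name."""
    return {"staging": detect_staging(events), "encryption": detect_encryption_burst(events)}


if __name__ == "__main__":
    for kind, found in run_detections(build_sample_events()).items():
        for f in found:
            print(kind, f)
```

The thresholds are the tuning knobs: a user zipping a folder or a developer renaming a handful of files never reaches twenty files across three directories inside a minute, while an encryptor working through a file share does so within seconds. Keying on the appended extension rather than a fixed list means a previously unseen extension still fires.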

Mitigation

A defense-in-depth strategy is essential to protect against ransomware like Qilin.

  1. Data Backup and Recovery: This is the most critical mitigation. Maintain regular, offline, and immutable backups of all critical data. Regularly test your recovery procedures to ensure you can restore operations without paying a ransom. This is the core of D3FEND's D3-FR: File Restoration.
  2. Patch Management: Keep all systems, especially internet-facing ones like VPNs and RDP gateways, fully patched to prevent exploitation as an initial access vector. This is a fundamental part of M1051 - Update Software.
  3. Network Segmentation: Segment your network to prevent the rapid lateral movement of ransomware. Critical systems should be isolated from the general user network. See D3FEND's D3-NI: Network Isolation.
  4. Secure Remote Access: Enforce MFA on all remote access solutions (VPN, RDP). Disable RDP on internet-facing systems or place it behind a secure gateway.

Timeline of Events

  1. October 14, 2025: This article was published.
  2. October 15, 2025: The attack on Middlesex Appraisal Associates is estimated to have occurred.
  3. October 16, 2025: The discovery date for the new victims is listed on Qilin's leak site.

Article Updates

October 16, 2025

Qilin ransomware escalates operations, claiming numerous new victims across US, France, and Africa, including critical infrastructure.

MITRE ATT&CK Mitigations

  • The most effective mitigation against ransomware is maintaining regular, tested, and offline/immutable backups.
  • Segment networks to contain ransomware outbreaks and prevent them from spreading to critical systems.
  • Use modern EDR solutions with behavioral detection to identify and block ransomware activity before it can cause widespread damage.
  • Enforce MFA on all remote access points to prevent attackers from using compromised credentials for initial access.

D3FEND Defensive Countermeasures

The ultimate defense against a ransomware group like Qilin is the ability to recover without paying the ransom. This requires a robust backup strategy following the 3-2-1 rule: three copies of your data, on two different media, with one copy off-site and offline or immutable. Backups must be tested regularly to ensure they are viable. In the event of an attack, having reliable backups allows an organization to restore its systems and data, neutralizing the encryption portion of the attack and removing the primary incentive to pay. While this does not address the data exfiltration threat, it is the most critical component of ransomware resilience.

To limit the blast radius of a ransomware attack, organizations must implement strong network segmentation. Create distinct network zones for different business functions (e.g., user workstations, production servers, development environments). Firewall rules between these zones should be configured with a default-deny policy, only allowing necessary traffic. Critical assets, such as domain controllers and backup servers, should be in the most highly restricted zones. This 'zero trust' approach prevents ransomware from spreading laterally across the entire network from a single compromised endpoint, containing the damage and preserving critical operational capabilities.
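A zone-to-zone policy of the kind described above can be checked mechanically before it is deployed. The following is an added example, not code from the article or from any firewall product: the zone names, ports, rule layout and both policies are constructed. It lints a rule set for a deny default, flags any allow that uses "any" as destination or port (with higher severity when the destination is a critical zone), and reports multi-hop paths from the user zone into a critical zone, since a pivot host on such a path becomes the effective segmentation boundary.

```python
"""Lint a zone-to-zone firewall policy for the segmentation properties described
above: default deny between zones, no broad 'any' allows, and critical zones
reached only through explicitly enumerated flows. Added example; zones, ports and
rules are constructed, not from the article or any real product."""
from collections import defaultdict, deque

CRITICAL_ZONES = {"domain_controllers", "backup"}
USER_ZONE = "workstations"

# Rule layout (assumed): (src_zone, dst_zone, tcp_port or "any", action); first match
# wins, and the zone-level default applies when no rule matches.
WEAK_POLICY = [
    ("workstations", "any", "any", "allow"),       # flat network: everything reaches everything
    ("workstations", "backup", "any", "allow"),    # users can reach the backup server directly
]
WEAK_DEFAULT = "allow"

HARDENED_POLICY = [
    ("workstations", "servers", 443, "allow"),
    ("workstations", "domain_controllers", 88, "allow"),    # Kerberos
    ("workstations", "domain_controllers", 389, "allow"),   # LDAP
    ("servers", "domain_controllers", 445, "allow"),
    ("servers", "backup", 9101, "allow"),                   # backup agent traffic only
]
HARDENED_DEFAULT = "deny"


def shortest_path(edges, start, goal):
    """BFS over allow edges; returns [start, ..., goal] or None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == goal:
            path = []
            while zone is not None:
                path.append(zone)
                zone = prev[zone]
            return path[::-1]
        for nxt in sorted(edges.get(zone, ())):
            if nxt not in prev:
                prev[nxt] = zone
                queue.append(nxt)
    return None


def lint_policy(policy, default_action, critical_zones=CRITICAL_ZONES, user_zone=USER_ZONE):
    """Return (severity, message) findings; an empty list means the policy passes."""
    findings = []
    if default_action != "deny":
        findings.append(("high", f"inter-zone default is {default_action!r}; it must be deny"))
    edges = defaultdict(set)
    for src, dst, port, action in policy:
        if action != "allow":
            continue
        if dst == "any" or port == "any":
            sev = "high" if dst == "any" or dst in critical_zones else "medium"
            findings.append((sev, f"broad allow {src} -> {dst} port {port}; enumerate the required ports"))
        if dst != "any":
            edges[src].add(dst)
    # Multi-hop paths from the user zone into a critical zone deserve review even when
    # every hop is port-restricted: the pivot host becomes the segmentation boundary.
    for crit in sorted(critical_zones):
        path = shortest_path(edges, user_zone, crit)
        if path and len(path) > 2:
            findings.append(("info", f"{crit} reachable from {user_zone} via {' -> '.join(path)}"))
    return findings


def worst_severity(findings):
    """0 = info, 1 = medium, 2 = high, -1 = no findings; useful as a CI gate."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((order[s] for s, _ in findings), default=-1)


if __name__ == "__main__":
    for name, pol, default in (("weak", WEAK_POLICY, WEAK_DEFAULT),
                               ("hardened", HARDENED_POLICY, HARDENED_DEFAULT)):
        print(f"== {name} ==")
        for sev, msg in lint_policy(pol, default):
            print(f"[{sev}] {msg}")
```

The hardened policy still produces one informational finding: the backup zone is reachable from workstations by way of the server zone. That is the intended shape (backup agents talk to the backup server, users do not), but the check makes the dependency explicit so that the server zone is reviewed as part of the backup zone's trust boundary rather than overlooked.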

Sources & References (when first published)

  • Qilin Ransomware announced new victims, Security Affairs (securityaffairs.com), October 15, 2025
  • Cybersecurity | AHA, American Hospital Association (aha.org), October 15, 2025
  • Ransomware.live (Ransomware.live), October 15, 2025
  • Security Affairs - Read, think, share … Security is everyone's responsibility, Security Affairs (securityaffairs.com), October 15, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Ransomware, Qilin, RaaS, Double Extortion, Data Leak
