Qilin Ransomware Claims 10 Victims in 24 Hours
Statistical Overview
Victim Totals
- This month: 790
- This quarter: 2333
- Year to date: 4954
- Last 24h: 39
Quarterly Breakdown
Q1: 2631 | Q2: 2333 | Q3: 0 | Q4: 0
While total ransomware activity this quarter shows a slight decrease compared to Q1, the past 24 hours indicate continued operations, with Qilin, Medusa Locker, Stormous, and DragonForce emerged as contributors.
Introduction
Ransomware operators claimed 39 new victims in the last 24 hours, with Qilin ransomware was the most active group. Other active operators included Medusa Locker, Stormous, and DragonForce. Attackers primarily targeted entities in the United States, with key sectors affected including Construction & Engineering, Agriculture & Food, Technology/Software, and Education.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 10 | 1-800-dentist, Axionlog, Bristol place (+7) | Japan, France | Construction & Engineering, Agriculture & Food |
| 2 | Medusa Locker | 7 | Bacauai, Badaqai, Baeaiai (+4) | None, Saudi Arabia | Technology / Software, Professional Services |
| 3 | Stormous | 6 | Eogb.co.uk new, Eshacloudqa.com new, Higuchi usa, inc new (+3) | Japan, United Kingdom | Education, Technology / Software |
| 4 | DragonForce | 5 | Agroprime, Hwaseng, Medipakpharma.com (+2) | Taiwan, Chile | Agriculture & Food, Pharmaceuticals & Biotech |
| 5 | Anubis | 2 | Boston orthotics & prosthetics, Esms global limited | United Kingdom, United States | Pharmaceuticals & Biotech, Healthcare |
| 6 | CMD | 2 | Lørenskog kommune, METCO Services, Metco Southeast | United States, Norway | Construction & Engineering, Government / Public Sector |
| 7 | 3AM | 1 | Guardianbarrierservices.com | United States | Media & Entertainment |
| 8 | APT73 | 1 | Viennaairport.com (sold to 3rd party) | Austria | Transportation & Logistics |
| 9 | Booba | 1 | Nfinite 9000 s.l. | Spain | Technology / Software |
| 10 | INC Ransom | 1 | GDN AR(Dorinka) | Argentina | Retail & Ecommerce |
| 11 | Krybit | 1 | Ford.mx | Mexico | Automotive |
| 12 | Prinz Eugen | 1 | Driving school software | United States | Education |
Qilin led observed activity with 10 new victims, targeting sectors such as Construction & Engineering and Agriculture & Food across Japan and France. Medusa Locker followed with 7 victims, primarily in Technology/Software. Stormous and DragonForce were also active, with Stormous impacting Education in Japan and the UK, and DragonForce affecting Agriculture & Food and Pharmaceuticals. Victims included Lørenskog kommune, a Norwegian government entity, claimed by CMD, and Viennaairport.com, targeted by APT73. Anubis also claimed Boston orthotics & prosthetics, indicating continued interest in healthcare services.
Victim Distribution
By Country
- United States: 17
- United Kingdom: 3
- Argentina: 2
- Japan: 2
- Norway: 1
- Austria: 1
- Chile: 1
- France: 1
- India: 1
- Mexico: 1
By Industry
- Manufacturing: 2
- Education: 2
- Entertainment Services: 1
- Healthcare Services: 1
- Advertising Services: 1
- Appliances, Electrical, and Electronics Manufacturing: 1
- Architecture, Engineering & Design: 1
- Construction: 1
- Digital Marketing: 1
- Education Management: 1
The United States remains the primary target region for ransomware attacks, accounting for a significant proportion of new victims. While activity is dispersed across various sectors, Manufacturing and Education show a slightly higher concentration of reported incidents within the tracked period.
Ransomware News
Topline - Recent developments cover financial, operational, and technical aspects of ransomware, including state-level asset recovery, changes in threat actor tactics, and ongoing extortion events.
Campaigns & Operations - The Nova ransomware group has claimed its first Australian victim, the NSW Rural Fire Service, by exposing historical geospatial and public-safety datasets. Separately, the Klue data breach continues to evolve, with the Icarus ransomware group reportedly deleting exfiltrated customer data, while a second, unnamed threat actor has begun independently extorting Klue's customers. The Gentlemen ransomware-as-a-service operation is rapidly expanding, targeting large corporations and critical infrastructure.
Vulnerabilities & TTPs - The Gentlemen RaaS uses custom backdoors and changing tactics, exploiting exposed online services and weak credentials, conducting thorough internal reconnaissance, and deploying via Group Policy. Their operations involve a Go-based backdoor for data exfiltration and command execution, coupled with a Go ransomware variant utilizing Curve25519 with XChaCha20 encryption, with a C-based variant adding AES-GCM and RSA-wrapped keys under development.
Analyst Note - These incidents show the many challenges ransomware presents, including direct operational impacts, complex victim negotiations, and constant adaptation by threat actors.
Technical Takeaways
- Qilin ransomware group demonstrated the highest activity, claiming 10 victims across diverse sectors including Construction & Engineering and Agriculture & Food.
- The United States accounted for the majority of new ransomware victims, indicating a persistent targeting focus on North American entities.
- The Gentlemen ransomware-as-a-service (RaaS) operation uses a sophisticated Go-based backdoor and ransomware, employing tactics such as BYOVD and Group Policy deployments.
- Ransomware groups like Nova are targeting public sector entities, exemplified by the attack on the NSW Rural Fire Service exposing geospatial data.
- Secondary extortion campaigns are evident, where additional threat actors use data from prior breaches, complicating victim response and recovery.