Qilin Ransomware Claims 5 Victims in 24h

Statistical Overview

Victim Totals

  • This month: 188
  • This quarter: 1734
  • Year to date: 4358
  • Last 24h: 15

Quarterly Breakdown

Q1: 2631 | Q2: 1734 | Q3: 0 | Q4: 0

Ransomware activity remains consistent: 15 new victims were reported in the last 24 hours. The year-to-date total shows a persistent threat, and Q2 has contributed significantly to this year's overall victim numbers.

Introduction

Ransomware operations recorded 15 new victims. Qilin was the most active group, accounting for five publicly claimed incidents, followed by Akira, RansomHouse, and Termite. The United States remained the primary target geography, with various sectors impacted, including manufacturing, healthcare, and professional services.

Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
1 | Qilin | 5 | Isuzu motors, Kinetic education, Opera comique (+2) | United States, Thailand | Education, Media & Entertainment
2 | Akira | 4 | Centre ellipse, Rockaway river country club, Smpc architects (+1) | United States, France | Hospitality & Travel, Healthcare
3 | RansomHouse | 2 | Aegle Aviation, Ma Pak Leung Company Limited | Hong Kong | Transportation & Logistics, Pharmaceuticals & Biotech
4 | Termite | 2 | Https://www.rolandmachinery.com/, Https://www.wieseusa.com/ | United States | Manufacturing, Construction & Engineering
5 | Gunra | 1 | Cambridge law chambers | Bahamas | Legal
6 | Nova (RALord) | 1 | Trevi | Italy | Technology / Software

Qilin leads in reported victim count, showing continued activity across sectors like education and entertainment. Akira and RansomHouse also maintained operations, targeting hospitality, healthcare, and transportation sectors. The United States remains a primary geographical focus for multiple ransomware groups.

Victim Distribution

Which Geographies Experienced Ransomware Activity?

  • United States: 6
  • Australia: 2
  • France: 2
  • Hong Kong: 2
  • Bahamas: 1
  • Italy: 1
  • Thailand: 1

Which Industries Were Most Targeted?

  • Education: 1
  • Healthcare Services: 1
  • Law firm: 1
  • Healthcare: 1
  • Performing Arts: 1
  • Airlines and Aviation: 1
  • Traditional Chinese Medicine Manufacturing: 1
  • Consumer Electronics: 1
  • Manufacturing: 1
  • Architecture and Interior Design: 1

Ransomware activity is concentrated in the United States. While no single industry dominates, many sectors, including manufacturing, healthcare, and various professional services, continue to experience attacks. This shows broad targeting rather than a narrow sectoral focus this period.

Ransomware News

Topline

Qilin ransomware activity is prominent in recent reporting because of its exploitation of a significant Check Point zero-day vulnerability.

Campaigns & Operations

The Qilin operation has been linked to an authentication-bypass vulnerability (CVE-2026-50751) in Check Point Remote Access VPN, exploited since May 2026. This activity coincides with Qilin's claim against Australia's Tripod Farmers Group, part of its ransomware-as-a-service model affecting over 1,900 victims globally. Separately, Mandiant attributes a data-theft extortion campaign against US law and professional services firms to UNC3753, the Silent Ransom Group, employing advanced social engineering and legitimate remote access tools. An additional ransomware attack forced the closure of Evanston Township High School in Illinois.

Vulnerabilities & TTPs

Beyond Qilin's exploitation of CVE-2026-50751, threat actors are using IT/OT convergence to target industrial automation systems via engineering workstations and remote-access points. Silent Ransom Group's tactics include phishing, vishing, and the use of tools like AnyDesk, Zoho Assist, WinSCP, and Rclone for data exfiltration.

Analyst Note

These incidents demonstrate significant vulnerability exploitation, targeted data exfiltration, and the changing role of social engineering and dark web marketplaces in facilitating ransomware operations.

Technical Takeaways

  • Qilin ransomware has been observed exploiting CVE-2026-50751, a significant authentication-bypass vulnerability in Check Point Remote Access VPN products.
  • The United States remains the most frequently targeted country, facing many ransomware attacks across various industries.
  • Ransomware operations increasingly use advanced social engineering techniques, including vishing and pretexting, to gain initial access and facilitate data exfiltration.
  • Some groups, like Silent Ransom Group (UNC3753), are employing legitimate remote access tools and common file transfer utilities (e.g., AnyDesk, WinSCP, Rclone) for post-exploitation activities and data exfiltration.
  • Threats to industrial automation systems continue to change, with targeted intrusions and ransomware exploiting IT/OT convergence points.