Qilin Ransomware Activity: 5 New Victims in 24 Hours
Statistical Overview
Victim Totals
- This month: 74
- This quarter: 74
- Year to date: 5081
- Last 24h: 8
Quarterly Breakdown
Q1: 2631 | Q2: 2386 | Q3: 74 | Q4: 0
Ransomware activity continues to rise this quarter, maintaining a consistent pace with 8 new victims in the last 24 hours. Qilin operations drive this activity, and Play News also remains active.
Introduction
In the last 24 hours, eight new organizations fell victim to ransomware attacks. The period was dominated by Qilin, responsible for five new incidents, followed by Play News with two, and The Gentlemen with one. These groups collectively targeted diverse sectors including Professional Services, Manufacturing, Healthcare, and Non-profit organizations, predominantly within the United States.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 5 | Goodwill Manasota, Md Lewis, Sisint (+2) | United States, Portugal | Professional Services, Manufacturing |
| 2 | Play News | 2 | Locati Architects, Silvestri & Associates Insurance | United States | Insurance, Construction & Engineering |
| 3 | The Gentlemen | 1 | Medic Rescue | United States | Healthcare |
Qilin was the most active ransomware group, impacting organizations in Professional Services and Manufacturing sectors, as well as the non-profit Goodwill Manasota. Play News continued its activity by targeting firms in Insurance and Construction & Engineering. The Gentlemen also claimed Medic Rescue, an ambulance service, as a victim, demonstrating how critical community services remain vulnerable. Qilin ransomware activity, Play News ransomware operations, and The Gentlemen ransomware victims have been subjects of prior analysis.
Victim Distribution
By Country
- United States: 7
- Portugal: 1
By Industry
- Accounting Services: 2
- Engineering and Manufacturing: 1
- Ambulance Services: 1
- Architecture and Planning: 1
- Furniture and Home Furnishings Manufacturing: 1
- Insurance: 1
- Non-profit Organizations: 1
The United States remains the primary target, accounting for the vast majority of new ransomware victims. The concentration of attacks across a broad range of industries, from professional services to critical community support like ambulance services and non-profits, indicates an opportunistic yet impactful targeting strategy.
Ransomware News
Topline
Ransomware-relevant developments show the increasing role of artificial intelligence in attack automation and framework development, along with a significant data-theft extortion payment to a group eschewing encryption.
Campaigns & Operations
A U.S. government entity paid approximately $1 million to the group Kairos in a data-theft extortion case. The entity paid to suppress the leak of sensitive files, not to deal with encrypted data, after the group claimed to hold over 2 TB of records from Union County, Ohio. This incident demonstrates a continuing shift towards pure data-exfiltration extortion.
Vulnerabilities & TTPs
Researchers identified JadePuffer as the first ransomware operation fully automated by a large language model (LLM) agent. The agent autonomously executed an entire attack chain, exploiting CVE-2025-3248 in Langflow and CVE-2021-29441 in Alibaba Nacos. Separately, researchers discovered the Avalon modular malware framework, which integrates CrownX ransomware capabilities with an AI-assisted architecture and is distributed through multi-stage phishing to deploy memory-resident payloads.
Analyst Note
The emergence of AI-driven ransomware operations and frameworks signifies a lowering of the skill floor for attackers and introduces new detection challenges. The shift to data-theft extortion requires strong data exfiltration monitoring and incident response plans.
Technical Takeaways
- Qilin continues to be a highly active ransomware group, responsible for a significant portion of new victims.
- The United States remains the predominant target for ransomware attacks, reflecting a sustained focus on this region.
- Ransomware operators are exhibiting diverse targeting across various sectors, including Professional Services, Manufacturing, Healthcare, and Non-profit organizations.
- The use of AI agents in ransomware operations, as seen with JadePuffer, demonstrates a changing threat environment with automated attack capabilities.
- New modular malware frameworks like Avalon, featuring AI-assisted development, indicate a trend towards more sophisticated and rapidly deployable ransomware strains.
- Pure data-theft extortion, without file encryption, continues to be a viable and adopted tactic by groups like Kairos, emphasizing the critical need for strong data exfiltration prevention and detection.