The Qilin ransomware gang has named 31 organizations on its dark web extortion site in the past seven days, 19 of them added in the last three days alone. The victims span 15 countries and roughly a dozen industries, from an Italian telecom operator to energy firms in the Gulf and clinics in central Europe, making Qilin one of the busiest ransomware brands online right now.
These are unverified extortion claims. Each name is a listing that Qilin itself posted to pressure the organization into paying, not a confirmed or independently verified breach. Some victims will have already contained the intrusion, some may dispute it, and a few listings recycle earlier attacks. Even so, the volume and reach are notable.
Who Qilin is
Qilin, previously known as Agenda, is a Russian-speaking ransomware-as-a-service operation active since 2022. Its affiliates rent the group's Rust and Go based encryptor, break into a target, steal data, then scramble files, a tactic known as double extortion because the crew threatens both to keep systems locked and to leak the stolen files. Qilin drew global attention in 2024 when an affiliate hit Synnovis, a pathology provider to London hospitals, forcing operations to be postponed and blood supplies to be rationed. Over the past year it has grown into one of the highest-volume crews, helping fill the gap left by the law enforcement disruption of LockBit and the collapse of rival brands.
Who is on the list
The fresh claims cut across sectors and continents. In telecommunications, Qilin listed Retelit, a publicly traded Italian network and data center operator. Financial firms Century Equities in the United States and Eurodefi in Morocco appear alongside energy contractor Inter Power Engineering in the United Arab Emirates, the Red Planet Hotels chain in the Philippines, Singapore technology firm SPACElogic, and Next Clinics, a healthcare provider in the Czech Republic. Manufacturers, construction firms, and food and agriculture businesses across the United States, Mexico, Brazil, Belgium, Germany and the United Kingdom round out the run.
The pace mirrors a wider surge in leak site activity this month. In the same window, the Deadlock crew dumped 65 victims in a single day, and Qilin itself was posting steadily through late June, when it added dental referral and tolling firms to the same site.
What defenders should do
Qilin affiliates typically gain a foothold through exposed remote access, unpatched edge devices such as VPN gateways and firewalls, and phishing. Organizations should enforce multi-factor authentication on every remote and administrative account, prioritize patching of internet-facing appliances, and keep offline, tested backups that ransomware cannot reach or encrypt. Watch for unusual bulk data transfers to external storage, which often precede the final encryption stage by hours or days, and treat any Qilin listing of your organization as a signal to begin incident response immediately rather than waiting for confirmation.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.