Qilin ransomware adds dentist referral and tolling firms to leak site

One of the most prolific ransomware operations of the past year is showing no sign of slowing down. Over roughly 48 hours this weekend, the Qilin crew added several more organizations to its dark web leak site, the page where ransomware gangs name companies they say they have hacked and threaten to publish stolen files unless a ransom is paid.

Among the freshly listed names are 1-800-DENTIST, a long-running US dental referral service, and TransCore, a US vendor of tolling and intelligent transportation technology. The gang also posted claims against NASCO, a US food and agriculture firm, and Axionlog, a technology company in the Czech Republic.

It is important to be precise about what these listings are. A leak site entry is an accusation made by the attackers, not a confirmed breach. None of the named organizations has publicly acknowledged an incident at the time of writing, and gangs are known to exaggerate, recycle old data, or relist victims to apply pressure. Treat each claim as unverified until the company or a credible investigator confirms it.

Who is Qilin

Qilin, also tracked as Agenda, is a ransomware-as-a-service operation, meaning the core group rents its malware and leak infrastructure to affiliates who carry out the actual intrusions and split the proceeds. The model has helped Qilin become one of the highest-volume extortion brands of the past year, with victims spread across healthcare, manufacturing, logistics, and professional services. The latest names fit that pattern: a consumer healthcare referral service, a transportation technology supplier, a food producer, and a tech firm.

Why it matters

The spread of sectors is the story. Qilin affiliates are not chasing a single industry; they are hitting whatever mid-sized organizations they can reach. Service providers like a dental referral network or a tolling technology vendor sit upstream of many other businesses and consumers, so a successful intrusion at that kind of supplier can ripple outward through the customers and partners that depend on it.

This burst lands in an already busy stretch of leak site activity. In recent days IntelFusions also tracked a one-day surge of claims from the newer Settra crew and fresh listings against a diagnostics maker and an Australian fire service, underlining how crowded the extortion ecosystem has become.

What you should do

For defenders, treat Qilin as a credible and active threat regardless of whether these specific claims hold up. The affiliates commonly gain entry through stolen or weak remote access credentials, unpatched edge devices, and exposed management interfaces, then move laterally before deploying the encryptor. Enforce phishing-resistant multi-factor authentication on every remote access and VPN portal, keep internet-facing appliances patched, restrict and monitor administrative tools, and maintain tested offline backups so that a leak site listing does not become a full operational shutdown. Organizations that fear they may be named should watch for unusual data transfers and review who can reach their most sensitive file shares.

IntelFusions will update its Qilin profile as any of these claims are confirmed or withdrawn.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
