
Cyber Threat Actor: Qilin

Actor Type: Crime Syndicate
Known Incidents: 12
Profile

The Qilin ransomware group, also operating under the alias Quilin, conducts financially motivated cyberattacks primarily targeting healthcare providers, government entities, social enterprises, and critical infrastructure across multiple regions. Publicly attributed incidents demonstrate consistent patterns of data theft, extortion, and disruptive ransomware deployment against organizations in Europe, North America, Australia, and South America. Their operations focus on exfiltrating sensitive personal, medical, and corporate data—including passports, financial records, medical histories, and internal communications—to pressure victims into paying ransoms under threat of public data leaks. The group has repeatedly compromised entities with limited cybersecurity resources or legacy vulnerabilities, such as elderly care facilities and community support organizations, though it also breached major insurers and hospital networks.

Qilin pairs ransomware deployment with aggressive data exfiltration, and it frequently leaks stolen information on dark web platforms when victims refuse its payment demands. In at least one confirmed incident, involving a Dutch healthcare facility, the group exploited unpatched vulnerabilities for initial access. It typically exfiltrates hundreds of gigabytes to over a terabyte of data before encrypting systems, as in the attacks against a UK social enterprise (550 GB) and a U.S. healthcare provider (850 GB). Russian-language communications were observed in the attack on Cobb County, Georgia, though no state affiliation has been publicly confirmed. The group shows operational flexibility by targeting both Windows and Linux systems across diverse sectors, and it maintains persistence long enough to extract the largest possible data volume for leverage.

Notable operations include the June 2025 attack against a major European insurer's subsidiary, which compromised sensitive project data linked to a stadium redevelopment, and a coordinated May 2025 campaign affecting nearly 500,000 patients across multiple U.S. healthcare providers. The group systematically escalates pressure by leaking passport scans, salary details, and medical records, as seen in the breaches of Australia's Meli organization and of Poland's automotive sector. Qilin's repeated targeting of healthcare, including three separate incidents in 2025 alone that compromised over 1.5 million patient records, reflects a focus on high-impact sectors where data sensitivity raises the likelihood of payment. Its attacks consistently cause operational disruption, including temporary system shutdowns at Covenant Health and a forced return to manual processes at Dutch care facilities, although critical services such as patient records have often remained intact during recovery. The group continues to adapt its targeting while keeping its core extortion tactics centered on mass data compromise.

Incidents
11 attributed incidents (available to members)

Sources
2 sources (available to members)