Cybersecurity researchers have observed a rise in ransomware incidents linked to the Qilin ransomware group, one of the longest-running ransomware-as-a-service (RaaS) operations.
According to S-RM’s latest intelligence, Qilin continues to exploit weaknesses such as unpatched VPN appliances, lack of multi-factor authentication (MFA) and exposed management interfaces to gain initial access to corporate networks.
In an advisory published on Monday, the firm noted that while major breaches, such as the 2024 Synnovis attack on UK healthcare systems, drew widespread attention, most of Qilin’s victims are small-to-medium-sized businesses in the construction, healthcare and financial sectors.
Growing Collaboration Among Cybercrime Groups
Although Qilin has been active for several years, it has largely avoided widespread publicity.
S-RM has now observed that affiliates of the Scattered Spider group are deploying Qilin’s RaaS platform, suggesting deeper collaboration between prominent cybercrime organizations.
Key findings from S-RM’s investigation show that Qilin has operated as a RaaS group since 2023, leasing its tools and infrastructure to affiliates.
The study also showed that initial access is typically gained through unpatched VPNs or single-factor remote access tools.
Additionally, S-RM noted that in 2025, 88% of observed Qilin cases involved both data theft and file encryption, with victims’ data published on dark-web leak sites if no ransom was paid.
Qilin has also begun experimenting with new extortion channels, including Telegram and public sites such as WikiLeaksV2.
A Tech Business, Not Just Hackers
“Qilin is part of a new generation of ransomware groups that operate more like tech businesses than hackers,” said Ted Cowell, head of cybersecurity UK at S-RM.
“Their affiliates rent the tools, share the profits and constantly test new ways to break into networks.”
Cowell added that Qilin’s quiet operations make it particularly dangerous.
“It doesn’t always grab headlines, but it’s increasingly being used by other threat groups, including Scattered Spider […]. That makes attribution harder and defense even more complex,” he explained.
S-RM also emphasized that many breaches still originate from basic security gaps.
To mitigate risks, the firm urges all organizations to:
- Regularly patch and update VPNs and remote access devices
- Apply MFA to all accounts
- Limit or remove exposed management interfaces
- Segment networks to isolate critical systems
- Monitor proactively for lateral movement or signs of intrusion
S-RM’s findings highlight the growing professionalism of ransomware networks and the continued need for strong cyber-hygiene across all sectors.