
    Cisco Talos identifies surge in Qilin ransomware attacks, with manufacturing sector hit hardest in 2025

    New Cisco Talos data shows that in the second half of 2025, the ransomware group Qilin continued publishing victim information on its leak site at a rate exceeding 40 cases per month, making it one of the most active and disruptive ransomware operations globally. The manufacturing sector remains the most targeted, followed by professional and scientific services and wholesale trade. 

    While attribution remains uncertain, some of the attacker’s scripts contained character encodings suggesting links to Eastern Europe or a Russian-speaking region, though this may represent a false flag. This year, Cisco Talos responded to multiple incidents related to Qilin ransomware. 

    Talos found that the attackers used the open-source tool Cyberduck to transfer stolen files to cloud servers, a method increasingly common in Qilin incidents. Artifact logs also revealed the use of notepad.exe and mspaint.exe to view sensitive data, an unusual but deliberate choice to evade detection. In observed Qilin intrusions, Talos documented two distinct encryptors: encryptor_1.exe, which spreads via PsExec across hosts, and encryptor_2.exe, which runs from a single system to encrypt multiple network shares.

    “The most heavily affected sector is manufacturing, which accounts for approximately 23% of all reported cases, significantly outpacing other industries. The second most impacted sector is professional and scientific services, representing around 18%. Wholesale trade ranks third, with about 10% of cases,” Cisco Talos researchers Takahiro Takeda, Jordyn Dunk, James Nutland, and Michael Szeliga wrote in a recent post. “In the mid-range, several key sectors that form part of social infrastructure (healthcare, construction, retail, education, and finance) each report similar levels of impact, averaging around 5%. At the lower end, sectors such as services and primary industries show relatively fewer incidents, remaining below 2% on average.”

    Earlier this week, Comparitech reported that, just ten months into the year, Qilin has already overtaken last year’s top ransomware strain, RansomHub, which recorded 547 victims in 2024. With its 700th attack logged in 2025, Qilin has firmly established itself as the most active and disruptive ransomware group in recent years.

    The Qilin (formerly Agenda) ransomware group has been active since around July 2022. It employs a double-extortion strategy, combining file encryption with the public disclosure of stolen information. The researchers wrote: “Over the past several years, Qilin has expanded its operations and now ranks among the most prolific and damaging ransomware threats on a global scale. The group adopts a Ransomware-as-a-Service (RaaS) business model, where it develops and distributes ransomware platforms and associated tools to affiliates. In turn, these affiliates attack organizations worldwide.”

    The researchers added that the current reporting indicates that the countries most severely affected include the U.S., followed by Canada, the U.K., France, and Germany.

    Cisco Talos identified that the manufacturing sector experienced the highest level of damage or impact from Qilin incidents. It was followed closely by the professional, scientific, and technical services sector, and then wholesale trade. Other significantly affected industries include healthcare and social assistance, construction, and retail trade. The sectors experiencing relatively lower levels of impact include agriculture, forestry, fishing, and hunting, as well as management of companies and enterprises, and mining, quarrying, and oil and gas extraction.

    It also noted that the number of victims associated with the Qilin ransomware group fluctuated over the months. The count began at a lower level in January and rose steadily through the first half of the year, peaking around June and again in August. Both peaks show that victim listings surpassed 80 cases during those months. After August, the number of new victims declined sharply in September.

    The attack starts with initial access, where the threat actors authenticate to the victim’s VPN using credentials likely obtained from the dark web. Talos was unable to definitively identify a single, confirmed initial intrusion vector. However, in some cases, Talos assesses with moderate confidence that the attackers abused administrative credentials leaked on the dark web to gain VPN access, and may also have used Group Policy (AD GPO) changes that enable RDP to reach further into victim networks.

    Once inside, they move to the reconnaissance and discovery phase, where they enumerate credential stores to identify users and passwords. 

    In the credential access stage, attackers dump Active Directory (AD) credentials from domain controllers using techniques such as Kerberoasting and tools like Mimikatz. This is followed by privilege escalation, where NTLM authentication is attempted against several accounts, including administrative ones, to gain elevated privileges.

    During lateral movement, the attackers use the stolen credentials to reach connected network shares and expand their foothold within the environment.

    “Talos has observed compromised accounts accessing multiple IP addresses and their network shares, as well as numerous NTLM authentication attempts against many VPN accounts, possibly using the leaked credentials,” the post added. “Additionally, to enable remote access, they modify firewall settings, execute commands to change RDP settings via the registry, and perform related activities such as using rdpclip.exe and similar mechanisms.”

    In the defense evasion stage, they remove endpoint detection and response (EDR) and other security tools to avoid detection. 

    The impact phase involves data exfiltration, deployment of Qilin ransomware, and full compromise of Active Directory, often requiring a complete domain rebuild. Finally, to inhibit recovery, the attackers delete Windows Event Logs and Volume Shadow Copy Service (VSS) snapshots, hampering both restoration and forensic investigation.

    Cisco Talos disclosed that the ransomware changes the Volume Shadow Copy Service (VSS) startup type to Manual, and deletes all shadow copies (volume snapshots) maintained by VSS. 
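    The intrusion chain described above, from Kerberoasting and NTLM authentication attempts through RDP enablement, PsExec spread, VSS tampering and event-log clearing, translated into detection logic run over sample log records. This is an added example written for this article, not Cisco Talos’ code or anything from the report; the event records are constructed and simplified (field names such as `user`, `src` and `cmd` stand in for the real Windows event fields), and the thresholds `KERBEROAST_MIN_SPNS` and `NTLM_MIN_ACCOUNTS` are this example’s own assumptions that a real deployment would tune.

```python
"""Detection logic for the Qilin intrusion chain described in the article.

Added example; not Cisco Talos' code. Event records are constructed,
simplified dicts modelled on Windows Security/System/Sysmon events, and the
thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict

RC4_ETYPE = "0x17"        # RC4-HMAC service tickets, the encryption type Kerberoasting prefers
KERBEROAST_MIN_SPNS = 3   # assumed: distinct SPNs requested with RC4 by one user from one source
NTLM_MIN_ACCOUNTS = 5     # assumed: distinct accounts NTLM-validated from one source

# Process command lines matching the RDP enablement and recovery-inhibition
# steps: registry and firewall changes, shadow copy deletion, log clearing.
SUSPICIOUS_CMDS = {
    "rdp_enabled_via_registry": re.compile(r"fDenyTSConnections.*\s/d\s+0(\s|$)", re.I),
    "rdp_firewall_rule_opened": re.compile(r"netsh\s+advfirewall.*remote desktop.*enable=yes", re.I),
    "shadow_copies_deleted": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic.*shadowcopy\s+delete", re.I),
    "event_log_cleared_cmd": re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I),
}

# Constructed sample events (simplified field names; real events use e.g. TargetUserName).
SAMPLE_EVENTS = [
    # Kerberoasting: one user requests RC4 service tickets for several SPNs (Event ID 4769)
    {"id": 4769, "log": "Security", "user": "jdoe", "src": "10.0.0.50", "etype": "0x17", "service": "MSSQLSvc/db01"},
    {"id": 4769, "log": "Security", "user": "jdoe", "src": "10.0.0.50", "etype": "0x17", "service": "http/web01"},
    {"id": 4769, "log": "Security", "user": "jdoe", "src": "10.0.0.50", "etype": "0x17", "service": "cifs/fs01"},
    {"id": 4769, "log": "Security", "user": "jdoe", "src": "10.0.0.50", "etype": "0x12", "service": "krbtgt"},
    # NTLM credential validation against many accounts from one source (Event ID 4776)
    *[{"id": 4776, "log": "Security", "user": u, "src": "10.0.0.50", "status": "0xC000006A"}
      for u in ("administrator", "svc_backup", "jsmith", "klee", "helpdesk", "da_ops")],
    # RDP enabled via registry and firewall (Sysmon Event ID 1, process creation)
    {"id": 1, "log": "Sysmon", "host": "ws07",
     "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"id": 1, "log": "Sysmon", "host": "ws07",
     "cmd": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    # Benign-looking process: viewing a document with notepad.exe (not flagged by these rules)
    {"id": 1, "log": "Sysmon", "host": "ws07", "cmd": r'"C:\Windows\System32\notepad.exe" \\fs01\finance\payroll.csv'},
    # PsExec service installed on a host (System Event ID 7045), as used to spread an encryptor
    {"id": 7045, "log": "System", "host": "fs01", "service_name": "PSEXESVC"},
    # VSS start type changed to Manual ("demand start", Event ID 7040) and shadow copies removed
    {"id": 7040, "log": "System", "host": "fs01", "service_name": "VSS",
     "msg": "The start type of the Volume Shadow Copy service was changed from auto start to demand start"},
    {"id": 1, "log": "Sysmon", "host": "fs01", "cmd": "vssadmin delete shadows /all /quiet"},
    # Security log cleared (Event ID 1102)
    {"id": 1102, "log": "Security", "host": "fs01", "user": "administrator"},
]


def detect(events):
    """Return a list of (finding_name, detail) tuples for the chain-stage signals above."""
    findings = []
    rc4_spns = defaultdict(set)      # (user, src) -> SPNs requested with RC4 tickets
    ntlm_targets = defaultdict(set)  # src -> accounts NTLM-validated from that source
    for e in events:
        eid = e.get("id")
        if eid == 4769 and e.get("etype") == RC4_ETYPE and not e.get("service", "").startswith("krbtgt"):
            rc4_spns[(e.get("user"), e.get("src"))].add(e["service"])
        elif eid == 4776:
            ntlm_targets[e.get("src")].add(e.get("user"))
        elif eid == 1:
            cmd = e.get("cmd", "")
            for name, rx in SUSPICIOUS_CMDS.items():
                if rx.search(cmd):
                    findings.append((name, cmd))
        elif eid == 7045 and e.get("service_name", "").upper() == "PSEXESVC":
            findings.append(("psexec_service_installed", e.get("host")))
        elif eid == 7040 and e.get("service_name", "").upper() == "VSS" and "demand start" in e.get("msg", "").lower():
            findings.append(("vss_set_to_manual", e.get("host")))
        elif eid == 1102:
            findings.append(("security_log_cleared", f"{e.get('host')} by {e.get('user')}"))
    # Threshold-based findings are emitted after the pass over all events
    for (user, src), spns in rc4_spns.items():
        if len(spns) >= KERBEROAST_MIN_SPNS:
            findings.append(("possible_kerberoasting", f"{user} from {src}: {len(spns)} SPNs with RC4 tickets"))
    for src, accounts in ntlm_targets.items():
        if len(accounts) >= NTLM_MIN_ACCOUNTS:
            findings.append(("ntlm_auth_spray", f"{src}: {len(accounts)} distinct accounts"))
    return findings


if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"{name:28} {detail}")
```

    Per-event rules (command lines, service installs, the 7040 start-type change, 1102) fire immediately, while the Kerberoasting and NTLM signals are aggregated per source so that a single service-ticket request or one failed logon does not alert on its own. The VSS check keys on the 7040 message text rather than the command that caused it, which catches the change whether it was made through `sc config`, PowerShell or the ransomware binary itself.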

    The ransom note is created in each encrypted folder. The note primarily states that data has been compromised, includes a link to a leak site on a .onion address that requires a Tor connection, and provides a URL (specified by IP address) that can be accessed without Tor for victims who do not have a Tor environment. It also lists the types of data included and warns about the consequences of ignoring the demands.

    Additionally, the ‘Credential’ section of the note states that a unique company ID is assigned to each victim company and used as the extension for encrypted files, and that the victim can log in to the leak site, via the listed domain URL, using that unique ID together with a password.

    Last month, Cisco Talos detailed an ongoing campaign, active since 2022, targeting telecommunications and manufacturing sectors in Central and South Asia. The activity is assessed with medium confidence to be linked to Naikon, a Chinese-speaking threat actor operating since 2010. This attribution is supported by the PlugX configuration format observed in the campaign and an infection chain that mirrors Naikon’s earlier RainyDay malware. 
