
In an unprecedented move within the realm of ransomware attacks, the notorious Qilin cybercrime group has introduced a unique service aimed at assisting its victims in navigating the aftermath of a cyberattack. For the first time, a ransomware group is offering a ‘Lawyer on Call’ service. This service is designed to educate and guide victims through the legal and operational challenges they face following a breach. The Qilin gang, active since October 2022, is also extending an unusual offer: if the victim chooses to pay a ransom, they will receive legal negotiation assistance free of charge, after an agreed-upon reduction in the ransom amount.
This development marks a chilling new chapter in the evolution of cyberattacks, where the criminal underworld not only seeks to extort but also offers seemingly legitimate services to maximize its profits. The Qilin group, which also operates under the alias ‘Agenda’ and uses the Go programming language in its ransomware code, has made waves in the cybersecurity community due to its growing sophistication and its ability to adapt to various platforms.
Ransom Demands and Targets
The Qilin ransomware group has been reported to demand extortionate sums, with some victims facing ransom demands as high as $50 million. These demands are typically targeted at organizations whose infrastructure is tied to critical services, such as energy, telecommunications, and healthcare. This focus on high-value targets underscores the group’s strategic approach: to attack businesses and government entities that are crucial to national and global operations.
As of 2025, Qilin has positioned itself as the third most feared ransomware group, trailing only Akira and Clop in terms of the damage and disruption caused. One of the group’s most alarming innovations is its cross-platform malware. Unlike traditional ransomware that targets primarily Windows-based systems, Qilin has developed malicious software capable of infecting a variety of environments, including Linux and VMware ESXi virtual machines. This makes their attacks far more versatile and difficult to defend against, as they are not restricted to any single operating system or environment.
A Mysterious and Strategic Approach
Cybersecurity experts from Cybereason, the company that first identified the sophisticated operations of Qilin, have revealed further insights into the group’s methods. One of the most concerning aspects of the Qilin ransomware is the way the group operates with a high degree of anonymity. Victims seeking assistance or support from the group can only do so via an anonymous network, making it almost impossible for law enforcement to trace their activities.
Furthermore, similar to other major ransomware groups like LockBit, Qilin avoids targeting certain nations, notably Russia and Belarus. This raises suspicions that the group may be either directly funded or controlled by the Kremlin, or at the very least, may be operating with the tacit approval of Russian intelligence agencies. This speculation is fueled by the fact that Qilin has specifically avoided attacking Commonwealth of Independent States (CIS) countries, which suggests the group is following a political agenda or benefiting from state-backed protection.
Global Reach and Sectoral Impact
According to the Cybereason report, Qilin has launched attacks in over 25 countries, infiltrating a wide array of industries. Their primary targets include critical sectors such as manufacturing, legal and professional services, banking, and healthcare. These industries are particularly vulnerable to ransomware attacks because of the sensitive nature of the data they handle and the potential for significant disruption to public services and the economy.
In the healthcare sector, for example, a ransomware attack could potentially halt life-saving operations, while attacks on banking institutions could lead to widespread financial losses and loss of consumer trust. The group’s ability to infiltrate such a diverse range of sectors highlights their advanced tactics and their focus on high-value targets.
Conclusion: A Growing Threat
The emergence of Qilin as a dominant force in the world of ransomware attacks marks a worrying trend in cybercrime. With their innovative tactics, including cross-platform malware and legal services for victims, they are pushing the boundaries of what is possible in cyber extortion. As the group continues to target critical infrastructure and institutions, it is clear that organizations worldwide must take a proactive approach to cybersecurity, or risk falling victim to one of the most sophisticated cybercriminal enterprises to date.