The Ransomware Group That Hired Lawyers and Caught North Korea's Attention

When a British pathology company called Synnovis fell victim to a cyberattack in June 2024, the immediate consequences rippled through London's healthcare system with brutal efficiency. More than 6,000 medical appointments and procedures were cancelled. Blood donation supplies dwindled. Emergency rooms struggled to process critical lab results. The attackers demanded $50 million and threatened to release 400 gigabytes of patient data.

The group responsible, Qilin ransomware, represented something new in the criminal ecosystem: a ransomware operation so sophisticated and profitable that it now offers its affiliates access to legal counsel for ransom negotiations. By 2025, the group has logged more than 700 victims and established itself as the most prolific ransomware operation in the world, surpassing last year's leader by a significant margin. More troubling for corporate security leaders, North Korea's state-sponsored hacking unit Moonstone Sleet adopted Qilin's tools in March, marking a dangerous convergence between profit-driven cybercrime and geopolitical warfare.

For chief information security officers at large enterprises, the implications are stark. Qilin represents an industrialization of ransomware attacks, complete with customer service features and automation tools that have lowered the barrier to entry for would-be criminals while simultaneously increasing the sophistication of attacks. The manufacturing sector has absorbed the heaviest losses, accounting for nearly a quarter of all Qilin attacks this year, followed by professional services and wholesale distribution. But no industry has proven immune. Healthcare organizations, financial institutions, and educational systems continue to appear on the group's leak site with alarming regularity.

The evolution of Qilin from its 2022 origins as "Agenda" ransomware reveals much about the broader trajectory of cybercrime. Written first in Golang and later reengineered in Rust, the malware gained early notoriety by targeting VMware ESXi infrastructure, the virtualization platform that many enterprises depend on to run their data centers. The Rust rewrite, released as Qilin.B, brought significant improvements in encryption speed and evasion capabilities. More critically, it demonstrated a level of software engineering discipline rarely seen in criminal operations.

The group operates as a Ransomware-as-a-Service business, developing the core technology and infrastructure while recruiting affiliates to conduct actual attacks. Qilin's operators take a relatively modest 15 to 20 percent cut of ransom payments, a pricing structure designed to attract high-performing criminals. The affiliate model has proven devastatingly effective. In 2024 alone, Qilin affiliates extracted more than $50 million from victims, not counting the many organizations that paid ransoms but never appeared on public leak sites.

What separates Qilin from competitors is the professionalization of its operation. The addition of legal advisory services allows affiliates to present victims with detailed analyses of regulatory violations they've incurred by allowing the breach. An affiliate negotiating with a healthcare provider can now cite specific HIPAA penalties, while one targeting a European firm can reference GDPR fines that dwarf the requested ransom. The group has also established internal media teams, essentially public relations operatives who craft narratives designed to increase pressure on victims and amplify reputational damage.

The technical capabilities backing these negotiations have grown increasingly sophisticated. Between May and June of this year, Qilin heavily exploited two critical vulnerabilities in Fortinet's widely deployed firewall products. The flaws, tracked as CVE-2024-21762 and CVE-2024-55591, allow attackers to bypass authentication and execute code remotely on unpatched devices. Cisco's Talos threat intelligence team observed that Qilin had automated the exploitation process to the point where affiliates need only select a target organization and click a button to launch an attack. Tens of thousands of vulnerable systems remained exposed months after patches became available.

Initial access methods have diversified beyond vulnerability exploitation. Incident responders have documented cases where Qilin affiliates purchased stolen VPN credentials from dark web markets, then conducted sustained authentication attempts until they successfully breached the network. In one particularly damaging attack, threat actors phished administrative credentials for ScreenConnect, a legitimate remote management tool used by managed service providers. The compromised MSP became a launchpad for downstream attacks against dozens of its clients, a supply chain compromise that multiplied the impact many times over.

Once inside a network, Qilin affiliates move with practiced efficiency. They deploy Cobalt Strike, a commercial penetration testing tool that has become ubiquitous in criminal operations, to establish command and control. Lateral movement occurs through standard Windows protocols like Server Message Block and Remote Desktop Protocol, making the activity difficult to distinguish from legitimate administrative tasks. Credentials are harvested through NTLM authentication attempts and tools that extract passwords from memory. The attackers identify and access file shares, databases, and email systems, exfiltrating sensitive data to cloud storage services using legitimate file transfer applications like Cyberduck.

The sophistication extends to anti-forensics measures. Before deploying ransomware, Qilin affiliates systematically disable endpoint detection and response software, delete Windows event logs, and destroy Volume Shadow Copies, the backup snapshots that organizations might otherwise use for rapid recovery. In multiple incidents documented by Cisco researchers, the attacks progressed so thoroughly that victims required complete Active Directory rebuilds, essentially reconstructing their entire network authentication infrastructure from scratch.
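Two of the behaviours described above leave traces in the Windows Security log that a detection team can alert on: the sustained authentication attempts that precede a successful logon, and the anti-forensics commands that delete shadow copies and clear event logs. The script below is an added example, not code from the article or from any vendor it cites. It runs over a small set of constructed, already-parsed event records (the event IDs follow the Windows Security log: 4625 failed logon, 4624 successful logon, 4688 process creation, 1102 audit log cleared); the field names, thresholds and the sample addresses are assumptions made for the example.

```python
"""Flag (1) a burst of logon failures from one source followed by a success,
and (2) anti-forensics commands, over constructed Windows Security events."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events (not real telemetry). Keys: ts, id, user, and
# either src (logon source address) or cmd (process command line).
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T02:00:05", "id": 4625, "user": "svc_backup", "src": "203.0.113.7"},
    {"ts": "2024-06-01T02:00:20", "id": 4625, "user": "svc_backup", "src": "203.0.113.7"},
    {"ts": "2024-06-01T02:00:35", "id": 4625, "user": "svc_backup", "src": "203.0.113.7"},
    {"ts": "2024-06-01T02:00:50", "id": 4625, "user": "svc_backup", "src": "203.0.113.7"},
    {"ts": "2024-06-01T02:01:05", "id": 4625, "user": "svc_backup", "src": "203.0.113.7"},
    {"ts": "2024-06-01T02:02:40", "id": 4624, "user": "svc_backup", "src": "203.0.113.7"},
    {"ts": "2024-06-01T02:10:00", "id": 4624, "user": "jsmith", "src": "10.0.0.12"},  # benign logon
    {"ts": "2024-06-01T03:15:00", "id": 4688, "user": "svc_backup", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-06-01T03:15:30", "id": 4688, "user": "svc_backup", "cmd": "wevtutil.exe cl Security"},
    {"ts": "2024-06-01T03:15:31", "id": 1102, "user": "svc_backup"},
    {"ts": "2024-06-01T03:20:00", "id": 4688, "user": "jsmith", "cmd": "notepad.exe report.txt"},  # benign
]

# Command-line patterns for the anti-forensics steps named in the text
# (shadow copy destruction, event log clearing) plus recovery disabling.
ANTI_FORENSICS_PATTERNS = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "shadow copy deletion (vssadmin)"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "shadow copy deletion (wmic)"),
    (r"wevtutil(\.exe)?\s+cl\b", "event log cleared (wevtutil)"),
    (r"bcdedit(\.exe)?.*recoveryenabled\s+no", "recovery disabled (bcdedit)"),
]


def _parse_ts(value):
    return datetime.fromisoformat(value)


def detect_credential_abuse(events, min_failures=5, window=timedelta(minutes=30)):
    """Alert when a (source, user) pair accumulates at least min_failures
    4625 events inside the window and then produces a 4624 success."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] not in (4624, 4625) or "src" not in ev:
            continue
        key = (ev["src"], ev["user"].lower())
        ts = _parse_ts(ev["ts"])
        # Drop failures that have aged out of the window.
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if ev["id"] == 4625:
            failures[key].append(ts)
        elif len(failures[key]) >= min_failures:
            alerts.append({"type": "credential_abuse", "src": key[0], "user": key[1],
                           "failures": len(failures[key]), "ts": ev["ts"]})
            failures[key] = []
    return alerts


def detect_anti_forensics(events):
    """Alert on 1102 (audit log cleared) and on 4688 command lines that match
    the anti-forensics patterns."""
    alerts = []
    for ev in events:
        if ev["id"] == 1102:
            alerts.append({"type": "anti_forensics", "detail": "Security audit log cleared (1102)",
                           "user": ev["user"], "ts": ev["ts"]})
        elif ev["id"] == 4688:
            cmd = ev.get("cmd", "")
            for pattern, label in ANTI_FORENSICS_PATTERNS:
                if re.search(pattern, cmd, re.IGNORECASE):
                    alerts.append({"type": "anti_forensics", "detail": label,
                                   "user": ev["user"], "ts": ev["ts"], "cmd": cmd})
                    break
    return alerts


def triage(events):
    """Run both detectors and return all alerts in time order."""
    return sorted(detect_credential_abuse(events) + detect_anti_forensics(events),
                  key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The credential detector only fires on a success that follows a burst of failures, so a lone failed logon or a normal interactive logon does not page anyone; in a real deployment the source and account keys would come from the 4624/4625 event fields and the thresholds would be tuned to the environment's baseline. The anti-forensics detector is deliberately noisy in the other direction: a legitimate administrator deleting shadow copies is rare enough that every match deserves a look.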

The human cost of these technical capabilities became evident across multiple industries this year. A financial advisory firm lost 340 gigabytes of client data in July, potentially exposing confidential financial records and investment strategies. An airport in an undisclosed location suffered the exfiltration of more than two terabytes of operational data encompassing 22,000 files. Manufacturing companies, often running lean IT operations, found themselves unable to fulfill orders as production systems remained encrypted for weeks.

The adoption of Qilin by North Korean state hackers represents a troubling inflection point. Historically, nation-state actors and profit-motivated criminals operated in largely separate spheres. State-sponsored groups pursued intelligence gathering and strategic disruption, while ransomware gangs chased financial returns. The Moonstone Sleet group's operational use of Qilin suggests those boundaries are eroding. A tool designed for extortion can just as easily serve geopolitical objectives, whether disrupting a strategic industry or funding other state activities through cryptocurrency ransoms.

Security researchers tracking Qilin have noted patterns suggesting Russian connections, though definitive attribution remains elusive. The ransomware carefully avoids targeting organizations in the Commonwealth of Independent States, a hallmark of Russian-linked criminal groups operating with tacit state approval. Some scripts recovered from attacks contained Cyrillic character encodings, though sophisticated actors frequently employ false flags to misdirect attribution efforts. What matters for corporate security leaders is not the group's precise origin but the capabilities it has demonstrated and the trajectory it is following.

The challenge facing CISOs at large enterprises extends beyond defending against any single threat group. Qilin's success has spawned imitators and raised the baseline sophistication across the ransomware ecosystem. Competing operations have begun offering similar services and automation tools, creating a rising tide that threatens organizations regardless of which specific group targets them. The industrialization of cybercrime means attacks that once required significant skill and effort can now be launched by relatively unsophisticated criminals with access to the right tools and infrastructure.

Defense requires a fundamental rethinking of security architecture. Perimeter security alone has proven insufficient when attackers can exploit zero-day vulnerabilities in edge devices or simply purchase valid credentials. Network segmentation becomes critical to contain lateral movement once an attacker has gained initial access. Robust multifactor authentication must extend beyond executive accounts to cover all remote access points and privileged users. Backup systems need true isolation, preferably air-gapped or immutable storage that cannot be deleted by an attacker with network access.

The vulnerability management challenge has intensified as groups like Qilin move quickly to automate exploitation of newly disclosed flaws. The Fortinet vulnerabilities exploited this summer were patched in February, yet months later attackers found thousands of unpatched systems to compromise. For large organizations managing complex IT estates, the gap between patch availability and deployment represents an expanding window of exposure. The solution requires not just faster patching cycles but better visibility into internet-facing assets and risk-based prioritization that addresses the most critical exposures first.
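The risk-based prioritization the paragraph calls for can be made concrete as a ranking over the organization's own inventory. The script below is an added example, not the article's or any vendor's tooling: it scores each unpatched asset by how long the fix has been available, whether the asset is internet-facing, and whether the flaw is known to be exploited, so that an edge device with an actively exploited bug sorts above an internal server with a fresh, unexploited one. The inventory, the fix-release dates and the scoring weights are constructed assumptions; the CVE identifier reused from the text is only a label on a made-up asset.

```python
"""Rank open patch gaps so the most critical exposures are closed first.
All inventory data below is constructed for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Exposure:
    asset: str
    product: str
    advisory: str              # CVE or vendor advisory id tracked by the org
    fix_released: date         # date a fix became available
    internet_facing: bool
    exploited_in_wild: bool
    patched_on: Optional[date] = None  # None = still unpatched


# Constructed inventory; dates and asset names are illustrative only.
TODAY = date(2024, 6, 15)
SAMPLE_INVENTORY = [
    Exposure("fw-edge-01", "edge firewall", "CVE-2024-21762", date(2024, 2, 1), True, True),
    Exposure("vpn-02", "edge firewall", "CVE-2024-21762", date(2024, 2, 1), True, True, date(2024, 3, 1)),
    Exposure("erp-db-01", "database server", "VENDOR-ADV-PLACEHOLDER-1", date(2024, 5, 20), False, False),
    Exposure("web-portal", "web application", "VENDOR-ADV-PLACEHOLDER-2", date(2024, 6, 1), True, False),
    Exposure("file-server", "file server", "VENDOR-ADV-PLACEHOLDER-3", date(2024, 4, 1), False, True),
]


def days_exposed(exp, today):
    """Days between fix availability and patching (or today if unpatched)."""
    end = exp.patched_on or today
    return max(0, (end - exp.fix_released).days)


def priority_score(exp, today):
    """Higher means patch sooner. Known exploitation and internet exposure
    dominate; the length of the open window orders assets within a tier so
    long-neglected systems do not sink below newer, flashier advisories."""
    if exp.patched_on is not None:
        return 0
    score = days_exposed(exp, today)
    if exp.exploited_in_wild:
        score += 1000   # assumed weight: exploitation in the wild
    if exp.internet_facing:
        score += 500    # assumed weight: reachable from the internet
    return score


def tier(exp, today):
    """Human-readable bucket derived from the same two dominant factors."""
    if exp.patched_on is not None:
        return "done"
    if exp.exploited_in_wild and exp.internet_facing:
        return "P1"
    if exp.exploited_in_wild or exp.internet_facing:
        return "P2"
    return "P3"


def prioritize(inventory, today):
    """Return the unpatched assets ordered from most to least urgent."""
    open_items = [e for e in inventory if e.patched_on is None]
    return sorted(open_items, key=lambda e: priority_score(e, today), reverse=True)


if __name__ == "__main__":
    for exp in prioritize(SAMPLE_INVENTORY, TODAY):
        print(f"{tier(exp, TODAY)} {exp.asset:<12} {exp.advisory:<28} "
              f"{days_exposed(exp, TODAY):>4}d exposed  score={priority_score(exp, TODAY)}")
```

The weights are a starting point rather than a standard; what matters is that the ordering is driven by exploitability and reachability first and by the size of the exposure window second, which is the gap the paragraph describes. Feeding the script from an asset inventory and an exploited-vulnerability feed turns it into a daily worklist.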

Managed service providers face particular scrutiny after Qilin's successful supply chain attacks. The remote management tools that enable efficient IT support also provide attackers with powerful capabilities once compromised. MSPs serving multiple clients need to implement strict access controls, monitor for anomalous authentication patterns, and segment client environments to prevent a single compromise from cascading across their entire customer base. For enterprises relying on managed services, vendor security assessments must probe deeper than questionnaires and certifications to examine actual security controls and incident response capabilities.

The financial calculations around ransomware have shifted as groups like Qilin have professionalized their operations. The addition of legal advisory services means ransom demands increasingly reference specific regulatory penalties and business disruption costs. Attackers present payment as the economically rational choice compared to regulatory fines, remediation expenses, and reputational damage. Yet paying ransoms funds further attacks, incentivizes future targeting, and provides no guarantee that stolen data will be deleted or that decryption tools will actually work. Organizations need to make these decisions with full board awareness and in consultation with legal counsel, law enforcement, and experienced incident responders.

The regulatory landscape around ransomware payments continues to evolve. Federal agencies have increased pressure on organizations to report attacks promptly and cooperate with investigations. Some jurisdictions have considered prohibiting ransom payments altogether, though implementation challenges and concerns about forcing victims into impossible positions have slowed such legislation. What remains clear is that organizations paying ransoms should expect increased scrutiny from regulators, shareholders, and customers who reasonably question why security controls failed to prevent the attack.

Looking ahead, the convergence of nation-state capabilities and criminal operations portends a more dangerous threat landscape. As state actors increasingly blur the lines between intelligence gathering and profit generation, targets can expect more sophisticated attacks backed by greater resources. The industrialization of ransomware means the volume of attacks will continue growing even as the most sophisticated groups focus on high-value targets. For large enterprises, the question is not whether they will face a ransomware attempt but whether their defenses will prove adequate when it comes.

The Qilin phenomenon ultimately reflects a maturation of cybercrime into a structured industry with specialized roles, professional services, and continuous innovation. The group's success has raised the bar for what organizations must defend against while demonstrating that technical sophistication alone does not determine outcomes. Many Qilin victims had deployed security tools and employed cybersecurity staff, yet still fell victim to well-executed attacks. The difference between organizations that successfully defend against such threats and those that suffer catastrophic breaches often comes down to fundamentals: disciplined patch management, defense in depth, prepared incident response, and security cultures that extend beyond the IT department.

For chief information security officers presenting to boards and executive teams, Qilin provides a useful case study in modern cyber risk. The group combines technical capability, business acumen, and psychological manipulation to extract maximum value from victims. Their industrialized approach has proven scalable and profitable, ensuring the model will persist and evolve. Organizations that treat cybersecurity as a compliance checkbox or cost center rather than a business imperative will continue to appear on leak sites. Those that invest in robust security programs, maintain disciplined operational practices, and prepare for inevitable incidents position themselves to weather attacks and recover quickly.

The ransomware threat will not diminish on its own. Groups like Qilin have demonstrated that cybercrime can be highly profitable with manageable risk. Until the risk calculation changes through improved defenses, more aggressive law enforcement, and stronger consequences for attackers, organizations must accept that they operate in a hostile environment. The question facing every CISO is whether their organization is prepared for that reality or simply hoping to avoid becoming the next headline.
