Qilin Has Emerged as The Top Ransomware Group in April with 74 Cyber Attacks


May 8, 2025 - 03:57

In a significant shift within the cybercriminal ecosystem, Qilin ransomware group has surged to prominence in April 2025, orchestrating 74 cyber attacks globally according to the latest threat intelligence report.

This dramatic rise follows the unexpected disappearance of RansomHub, which had dominated the ransomware landscape since early 2024 but claimed just three attacks in April before its data leak site went offline.

The ascendance of Qilin represents a major realignment in the ransomware-as-a-service (RaaS) market, with many affiliates seeking new allegiances in the wake of RansomHub’s decline.

Qilin’s attacks have demonstrated remarkable geographic diversity, with significant presence across North America, Europe, and the Asia-Pacific region.

While the United States remained the most targeted country with 234 ransomware attacks overall in April, Qilin established itself as a formidable threat across multiple continents.

The group has particularly focused on high-value targets in the software, manufacturing, and critical infrastructure sectors, suggesting a sophisticated victim selection methodology designed to maximize ransom potential.

Cyble researchers identified a concerning pattern in Qilin’s operational tactics, noting the group’s particular emphasis on data exfiltration prior to encryption.

This “double extortion” approach has become increasingly refined in their recent campaigns, with the group claiming to have stolen over 1.1TB of data from a France-based transportation software provider and approximately 1TB from a major South Korean industrial conglomerate in April alone.

The global impact of ransomware attacks actually declined to 450 in April from 564 in March – the lowest level since November 2024.

However, analysts caution this temporary dip likely reflects the transitional period as affiliates realign with emerging RaaS leaders rather than any sustainable decrease in ransomware threat activity.

The long-term trend for ransomware attacks remains decisively upward.

Infection Chain Analysis

A deeper examination of Qilin’s infection mechanisms reveals a sophisticated multi-stage process.

The initial compromise typically begins with targeted phishing emails containing malicious document attachments that exploit known vulnerabilities in document processing applications.

Once executed, the first-stage loader, typically disguised as a legitimate system process, establishes persistence through a registry modification:

New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "SystemHealthMonitor" -Value "C:\Windows\System32\wscript.exe //B //E:jscript C:\ProgramData\svchost.js" -PropertyType String -Force

This Run-key entry relaunches the script at every logon, allowing the malware to survive system reboots, after which it begins comprehensive network reconnaissance to identify critical assets for encryption.
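A defender-side triage check for the persistence technique described above, added here as an example (not code from the article or from Cyble's report): it scans Run-key autostart values for script-host launches, the `//B` and `//E:` flags, scripts in user-writable locations and script names mimicking system processes. The registry values are a constructed sample, with the Qilin entry mirroring the command quoted above.

```python
import re

# Constructed sample of Run-key values (name -> command line), as a triage
# export might list them. "SystemHealthMonitor" mirrors the article's
# persistence command; the other two are benign entries for contrast.
SAMPLE_RUN_KEY = {
    "SystemHealthMonitor": r"C:\Windows\System32\wscript.exe //B //E:jscript C:\ProgramData\svchost.js",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
WRITABLE_DIRS = (r"c:\programdata", r"c:\users\public", r"\appdata\local\temp", r"c:\windows\temp")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1", ".wsf")
SYSTEM_PROCESS_NAMES = {"svchost", "lsass", "csrss", "explorer", "winlogon", "services"}

def tokenize(cmd):
    # Split a Windows command line on whitespace while honouring double quotes.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def analyze_run_entry(cmd):
    # Return a list of human-readable findings for one autostart command line.
    tokens = tokenize(cmd)
    if not tokens:
        return []
    host = tokens[0].lower().rsplit("\\", 1)[-1]
    findings = []
    if host in SCRIPT_HOSTS:
        findings.append(f"script host {host} used as autostart")
    flags = {t.lower() for t in tokens[1:] if t.startswith("//")}
    if "//b" in flags:
        findings.append("//B runs in batch mode, suppressing script errors and prompts")
    if any(f.startswith("//e:") for f in flags):
        findings.append("//E: forces a script engine regardless of file extension")
    for t in tokens[1:]:
        low = t.lower()
        if low.endswith(SCRIPT_EXTS):
            if any(d in low for d in WRITABLE_DIRS):
                findings.append(f"script {t} lives in a user-writable location")
            stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if stem in SYSTEM_PROCESS_NAMES:
                findings.append(f"script named after a system process: {stem}")
    return findings

def triage_run_key(entries):
    # Map each suspicious value name to its findings; clean entries are omitted.
    return {n: f for n, c in entries.items() if (f := analyze_run_entry(c))}

if __name__ == "__main__":
    for name, findings in triage_run_key(SAMPLE_RUN_KEY).items():
        print(name, "->", "; ".join(findings))
```

The same checks apply unchanged to registry-set telemetry (for example Sysmon Event ID 13 on the Run keys), where the value data field is what `analyze_run_entry` expects.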

Qilin’s ransomware demonstrates advanced evasion capabilities, including detecting virtualized environments and terminating itself if analysis tools are present.

Before deploying its encryption routine, the malware exfiltrates data via encrypted channels to command and control servers, primarily located in jurisdictions with limited international cooperation.

Qilin’s attack chain, from initial access to data encryption, highlights the critical 4-hour window typically observed between initial compromise and ransomware deployment.

This relatively short timeframe underscores the need for real-time detection and response capabilities to prevent successful attacks.

The emergence of Qilin as April’s leading ransomware threat signals the continued evolution of the ransomware landscape, with new actors quickly filling voids left by departed groups and demonstrating increasingly sophisticated technical capabilities.

The post Qilin Has Emerged as The Top Ransomware Group in April with 74 Cyber Attacks appeared first on Cyber Security News.