Qilin’s Evolving Attack Strategy Sparks Surge in Ransomware Operations

The ransomware landscape in June 2025 has shifted dramatically with Qilin, a notorious ransomware group, at the helm of a new, highly organized wave of cyberattacks.

According to the latest Deep Web & Dark Web trend report, Qilin has rapidly ascended to dominate ransomware operations, surpassing all its rivals thanks to a surge in new affiliates and the adoption of advanced attack tactics.

Their focus has broadened beyond traditional financial extortion, now encompassing government agencies and global brand enterprises, signaling a worrying trend toward attacks with political and strategic intent.

Qilin’s recent campaigns have hit a diverse range of high-value targets.

In the past month, sophisticated attacks were launched against the Spanish autonomous city of M***, C*** Health in the U.S., major multinationals across the U.S., the UK, and Japan, as well as leading manufacturers and energy companies.

Sources suggest that Qilin is leveraging advanced Ransomware-as-a-Service (RaaS) tools, coordinating with a growing network of subsidiaries, many of which are believed to be former affiliates of the now-defunct RansomHub, to execute highly targeted, rapid strikes.

Targeted Industries: Governments and Global Brands in the Crosshairs

In a marked departure from past incidents, June saw a spike in ransomware attacks targeting government entities.

U.S. federal agencies, city governments, and international organizations in Colombia, the UAE, and France all reported significant disruptions attributed to ransomware campaigns.

Security analysts believe these attacks are motivated by more than financial gain, aiming to sow public disruption and apply political pressure by crippling essential public services.

The report also highlights a new targeting trend: high-profile global brands.

Companies such as D*** Paris, a renowned theme park operator, and T***aster, a global ticketing platform, fell victim to attacks designed to maximize public visibility and reputational damage.

By paralyzing the core infrastructure of such giants, threat actors aim to increase the likelihood of ransom payments and simultaneously erode public trust in these brands.

Emergence of New Threat Actors and Evolving Tactics

The ransomware ecosystem is also undergoing rapid change with the emergence of new groups, including Team XXX, Warlock, Global, W.A., and Kawa4096, each displaying aggressive tactics and sophisticated technical capabilities.

Notably, APTiran, known for anti-Iran activities, shocked analysts by launching a geopolitically motivated ransomware attack against Israel’s critical infrastructure, a stark example of ransomware’s growing use as a weapon of cyberwarfare.

Meanwhile, established groups like Akira and Lynx are refining their focus on the manufacturing, energy, and healthcare sectors, with attacks on supply chain linchpins and medical services raising concerns about threats to public health and global commerce.

The June 2025 trend report portrays a ransomware landscape in upheaval, where financial motives are increasingly intertwined with political agendas, high-value targets are at greater risk, and the distinction between cybercrime and cyberwarfare continues to blur.

Security experts warn that a proactive, cross-sectoral response is urgently needed to counter the growing digital threats.

Priya
