Aman Mishra
2025-08-14 11:23:00
gbhackers.com
The Qilin ransomware group has solidified its position as the most active threat actor in July 2025, marking its third top ranking in four months following the downturn of former leader RansomHub.
According to cybersecurity intelligence from Cyble, Qilin claimed responsibility for 73 victims on its data leak site (DLS), representing approximately 17% of the month’s total 423 reported ransomware incidents.
This surge underscores Qilin’s aggressive ransomware-as-a-service (RaaS) model, which leverages sophisticated affiliate recruitment and operational enhancements to outpace competitors.
INC Ransom followed closely in second place with 59 victims, fueled by targeted assaults on critical infrastructure sectors and a notable increase in victim disclosures.
Persistent Leadership in Ransomware Landscape
The overall victim count for July reflects a third consecutive monthly rise in ransomware activity, rebounding from a three-month decline that bottomed out at 402 incidents in May, a figure still significantly higher than low points in previous years, such as 161 in January 2023 and 243 in January 2024.
Although July's total is only half of February's record 854 attacks, which were driven by groups like CL0P and RansomHub, the uptrend indicates a resilient long-term escalation in cyber threats, with attackers exploiting vulnerabilities in supply chains and high-value targets.
Geographically, the United States bore the brunt of these attacks, accounting for 223 victims, eight times more than Canada, the second-most targeted nation.
North America dominated as the primary region, followed by Europe, where countries like Italy, the UK, Germany, France, and Spain reported the highest numbers.
In the Asia-Pacific (APAC) region, Thailand, Japan, and Singapore each saw six incidents, with India and the Philippines trailing closely, while in the Europe, Middle East, and Africa (EMEA) area, Turkey and Saudi Arabia endured the most assaults.
Australia remained the focal point in the Australia-New Zealand (ANZ) region with five reported cases.
Sector-wise, professional services and construction were the most heavily impacted, comprising over a quarter of all attacks, followed by manufacturing, healthcare, and information technology.

Cyble researchers identified 25 potential critical infrastructure incidents in July, spanning government, law enforcement, energy, utilities, and telecommunications, alongside 20 cases with supply chain ramifications due to compromised application software providers.
Evolving Threats
July also witnessed the emergence of nearly 40 new ransomware variants and several nascent threat groups, highlighting the dynamic evolution of the ransomware ecosystem.
Notable vulnerabilities weaponized in these campaigns included CVE-2023-48788, an SQL injection flaw in Fortinet FortiClientEMS; CVE-2019-18935, a deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX; CVE-2025-5777, an out-of-bounds read issue in Citrix NetScaler ADC and Gateway; and a cluster of Microsoft SharePoint flaws (CVE-2025-53770, CVE-2025-53771, CVE-2025-49704, and CVE-2025-49706).
These exploits facilitated initial access and lateral movement, enabling attackers to deploy payloads efficiently.
Among major incidents, SafePay claimed a breach of a U.S.-based global technology provider, exfiltrating 3.5TB of data and disrupting distribution and API systems.
Akira targeted a U.S. defense contractor, stealing sensitive documents including passports and contracts.
INC Ransom hit entities in building automation, power transmission, underwater infrastructure, and managed service providers across the U.S. and Canada.
Warlock leaked data from an Indian manufacturing firm, while DevMan compromised a Thai government agency via Group Policy Objects and rebranded to DevMan 2.0 with new victims in Japan.
New entrants like BEAST, D4RK4RMY, Payouts King, and Sinobi launched DLS platforms, with models ranging from affiliate-driven to invite-only structures.
Variants such as AiLock, KaWaLocker, DeadLock, Crux, and Gunra’s Linux edition introduced advanced features like multithreaded encryption, hybrid schemes (e.g., ChaCha20 with NTRUEncrypt or RSA), anti-analysis tactics, and cross-platform capabilities, enhancing stealth and speed.
The relentless innovation by ransomware operators necessitates robust cyber resilience strategies, including network segmentation, zero-trust architectures, immutable backups, vulnerability management, and continuous monitoring.