Uncovering Qilin attack methods exposed through multiple cases

Description

The ransomware group Qilin has been highly active in 2025, publishing over 40 victim cases per month on its leak site. Manufacturing, professional services, and wholesale trade are the most affected sectors. Attackers likely originate from Eastern Europe or Russian-speaking regions. They use tools like Cyberduck for data exfiltration and leverage notepad.exe and mspaint.exe to view sensitive information. The attack flow includes initial VPN access, reconnaissance, credential theft, lateral movement, and ransomware deployment. Two encryptors are often used: one spread via PsExec and another targeting network shares. The ransomware encrypts files, deletes backups, and leaves ransom notes. Persistence is achieved through scheduled tasks and registry modifications.