Qilin Ransomware announced new victims
Summary: The Qilin ransomware gang runs its extortion operations through a global bulletproof hosting network and has recently attacked multiple organizations, including Japan's Asahi Group, the Spanish tax agency and several US companies, while continuing to widen its range of targets. The gang relies on underground hosting services to hide its illicit activity, which makes it hard to trace and disrupt.

2025-10-15 19:42:12 Author: securityaffairs.com


Resecurity’s new report details how the Qilin RaaS group relies on global bulletproof hosting networks to support its extortion operations.

The following new report by Resecurity explores the Qilin ransomware-as-a-service (RaaS) operation’s reliance on bulletproof hosting (BPH) infrastructure, with an emphasis on a network of rogue providers based in different parts of the world.

Qilin is one of the most prolific and formidable threat groups extorting organizations today. Most notably, they recently claimed responsibility for the September ransomware attack that crippled operations and manufacturing functions at Japanese brewing conglomerate Asahi Group Holdings for nearly two weeks. The investigators from Resecurity engaged in private conversations with Qilin operators and learned the threat actors are attempting to sell the stolen Asahi data for $10 million USD. These demands were received on October 11, following the Asahi operations disruption, which is likely one of Qilin’s tactics to exclude middlemen and accelerate pressure on the victim.

New targets and confirmed victims have been announced by Qilin today (October 15), including but not limited to:

  • The Spanish Tax Administration Agency (Agencia Tributaria), the revenue service of the Kingdom of Spain
  • Centurion Family Office Services LLC, USA
  • Rasi Laboratories, a manufacturer and developer of nutraceuticals, specializing in dietary supplements like capsules, tablets, probiotics, and functional foods, USA
  • Victory Christian Center, a community-focused church located in Tulsa, OK, USA
  • Richmond Behavioral Health Authority (RBHA), a statewide organization dedicated to providing comprehensive mental health, mental retardation, substance abuse and prevention services to the residents of the City of Richmond
  • Turnkey Africa, a leading provider of technology solutions for the insurance industry across Africa
  • Charles River Properties, USA, a real estate brokerage based in Waltham, Massachusetts
  • New Jersey Property-Liability Insurance Guaranty Association, USA
  • Commune De Saint Claude, a municipal services body
  • Ville-Elne, a commune in the Pyrénées-Orientales department in southern France.

Prior to that, on October 14, Qilin announced Volkswagen Group France, a subsidiary of Volkswagen AG; Texas’ San Bernard Electric Cooperative; and Karnes Electric Cooperative as compromised.

Targeting the automotive industry is particularly interesting, especially in the context of the past incident with JLR (Jaguar Land Rover) and the disruptive consequences of ransomware activity. It is possible that Qilin was inspired by the successful outcomes of the data breach or that they collaborated with initial access brokers (IAB) offering compromised access to such organizations for sale on the Dark Web.

The month of October could be considered one of the most “fruitful” for Qilin, given the number of victims published and new organizations targeted. It is also evident that the group is increasing its focus on the US, attacking local municipalities such as the City of Riviera Beach, Florida, and Cobb County earlier. The group has published over 50 new victims from various market verticals and geographies, including Croatia, Grenada, France, Germany, Hungary, Italy, South Korea, Pakistan, and Qatar.

A noteworthy aspect of the Qilin ransomware group is its close affiliation with underground bulletproof hosting (BPH) operators, who enable cybercriminals to discreetly host illicit content and infrastructure beyond the reach of law enforcement. For instance, since its emergence, the group has routinely cited multiple file-sharing hosts to retrieve victim data stored in complex legal jurisdictions.

The covert nature of BPH services makes it challenging for cybersecurity researchers and law enforcement agencies to identify their operators and dismantle their infrastructure. This complicates efforts to combat cybercrime and protect users from online threats. The identified bulletproof hosting linked to Qilin has gone into “private mode” and executed an exit scam within popular Dark Web communities. However, all of the legal entities (in Russia and Hong Kong) associated with the activity described in this publication continue their operations as of today (October 15, 2025).

The interconnection with ransomware groups like Qilin confirms the organized nature of this activity, which is characteristic of modern transnational cybercrime groups that operate for profit and exploit jurisdictional challenges to conceal their activities.


Pierluigi Paganini

(SecurityAffairs – hacking, Qilin Ransomware)




Article source: https://securityaffairs.com/183447/security/qilin-ransomware-announced-new-victims.html