Red Hot Cyber


Qilin & Associates Law Firm: Ransomware Hires Lawyers, Launches “Intimidation Package”

Redazione RHC : 25 June 2025 07:56

The developers of the Qilin ransomware (recently interviewed by us) have offered their partners the help and advice of a team of lawyers, so that they can put pressure on victims and force them to pay the ransom. The advertisement for the new service was noticed by specialists from the Israeli cybersecurity company Cybereason.

According to them, the option “Call a lawyer” has appeared in the ransomware partners’ panel.

It is also claimed that the group now has a team of full-time journalists who can work with the legal department to prepare publications aimed at increasing pressure on victims.

Furthermore, Qilin recently added 1 petabyte of disk space to its partner panel (partly for partners' personal use and partly for storing victims’ data), the ability to distribute spam via email and telephone, and tools for launching DDoS attacks, first recorded in April 2025.

Recall that the Qilin ransomware appeared in August 2022 and was initially called Agenda, before changing its name a month later. According to researchers, in April 2025 alone, the ransomware site recorded 72 new victims, and in May, experts linked it to 55 attacks. Experts have reason to believe that some of RansomHub’s partners have switched to Qilin, which has contributed to the increase in malware activity in recent months.

“In addition to a growing presence on ransomware forums and trackers, Qilin boasts a technically advanced infrastructure. It offers payloads written in Rust and C, loaders with advanced evasion capabilities, and a partner panel that offers safe mode execution, network propagation, log scrubbing, and automated negotiation tools,” write Cybereason analysts.

As for the new call-a-lawyer feature, it could be used to bring in a legal advisor to speak with the victim and offer professional assistance on issues such as:

  • a legal assessment of the data stolen by Qilin’s partners;
  • a certificate stating which specific laws and regulations the victim violated by disclosing such data;
  • an estimate of the potential costs associated with resolving the incident if the victim decides not to pay the ransom.

It is believed that lawyers can also intervene in the negotiation process and engage directly with the victim, explaining to the affected company that refusing to pay could lead to even greater losses. As researchers at Tripwire point out, it is likely that these claims are nothing more than a marketing ploy.

“Make no mistake. Their goal is to attract more partners, increase the rate of successful ransom attacks, and try to convince victims that they are dealing with experienced criminals,” the experts say. However, it goes without saying that Qilin is becoming one of the dominant ransomware groups in the ransomware-as-a-service (RaaS) space. Its former competitors, including LockBit, ALPHV, Everest, and RansomHub (rumored to have been acquired by DragonForce), have all lost influence in recent years for various reasons, most notably law enforcement action.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
