The ransomware threat landscape is undergoing dramatic upheaval. As legacy groups like RansomHub, LockBit, Everest, and BlackLock collapse under pressure, betrayal, or internal chaos, a new player—Qilin—is rapidly emerging as a dominant and technically advanced force.
A new report from the Cybereason Security Services Team reveals how “the ransomware landscape is undergoing a turbulent realignment,” triggered by unexpected takeovers, public defacements, and critical infrastructure leaks.
The most notable disruption occurred in March 2025, when RansomHub, one of the most active ransomware-as-a-service (RaaS) groups in 2024, abruptly disappeared. Known for its cross-platform malware and organized affiliate support, RansomHub vanished mid-negotiation with victims.

“Just as RansomHub was consolidating its dominance, its leak site vanished,” the Cybereason team reports.
In a surprising twist, rival group DragonForce claimed to have absorbed RansomHub’s infrastructure and affiliates. The move was accompanied by DragonForce branding that incorporated RansomHub’s logo, suggesting either a hostile takeover or a strategic merger; the exact nature of the arrangement remains unclear.
The report also details a mysterious actor, or group, calling itself “XOXO from Prague” that defaced the leak sites of Everest and LockBit in April and May 2025. The same message was left on both sites:
“Don’t do crime. CRIME IS BAD. xoxo from Prague.”
In LockBit’s case, the attackers also leaked a full dump of the affiliate panel database, including victim negotiation chats and other operational data. The breach, later confirmed as authentic, significantly undermined LockBit’s credibility with its own affiliates.
“The attacker leaked a full database dump… severely damaging LockBit’s internal security reputation,” the report notes.
Another significant event involved BlackLock, also known as Eldorado or Mamona. Researchers from Resecurity exploited a local file inclusion (LFI) vulnerability in the group’s data leak site to quietly extract internal files and warn victims in advance. Days later, DragonForce publicly defaced BlackLock’s site, leaking its builder code and configuration files.
Code similarities between DragonForce and BlackLock suggest the transition was coordinated rather than hostile, although this has not been confirmed.
“This points to either a soft handover or strategic absorption under DragonForce’s expanding umbrella,” the report speculates.
Qilin is positioning itself not merely as a ransomware gang but as a full-service cybercrime platform. Active since late 2022, Qilin has listed over 100 victims on its leak site and offers a mature RaaS model featuring:
- Rust- and C-based cross-platform malware
- Four encryption modes (normal, step-skip, fast, percent; the last three are partial or intermittent encryption modes that trade completeness for speed)
- Network propagation
- Ransom negotiation tools
- DDoS capabilities (as of April 2025)
- “Call Lawyer” function for legal intimidation
- Petabyte-scale file hosting for stolen data
- Built-in phone/SMS/email spam services
“Qilin is stepping in… to redefine the ransomware-as-a-service model for the next generation of affiliates,” the report highlights.
Affiliates are promised robust support, stealthy tools, and even legal guidance aimed at maximizing pressure on victims. For example, Qilin’s legal team offers:
“Classification of violations… legal evaluation of potential damages… and advice on how to inflict maximum financial damage if the company refuses to comply.”
The Cybereason team reverse-engineered both Windows (Rust) and Linux (C) variants of Qilin ransomware:
- The Windows variant uses PsExec for lateral movement, clears Windows event logs, deletes Volume Shadow Copies to hinder recovery, and even hijacks network printers to print ransom notes.
- The Linux variant targets virtualization hosts such as VMware ESXi and Nutanix, resetting root passwords, enabling SSH, and then executing the ransomware payload against the virtual machines.
- Both variants require a password argument to launch; a sample detonated without it does nothing useful, which frustrates automated sandbox analysis and limits who can run the payload.
“The malware ensures maximum disruption across both virtualized infrastructures and traditional Linux workloads,” the researchers conclude.
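The behaviours listed above (PsExec lateral movement, event log clearing, shadow copy deletion on Windows; root password reset, SSH enablement and VM termination on ESXi) are individually noisy but collectively distinctive. The following Python triage script is an added example, not code from the Cybereason report or from Qilin: it tags constructed process-creation and ESXi shell.log lines with simple regex indicators and escalates any host that shows two or more distinct behaviours. The log format (`host|source|message`), the sample lines and the regex patterns are assumptions about how these actions would appear in telemetry, not signatures taken from the report.

```python
from __future__ import annotations

import re
from collections import defaultdict
from typing import Optional, Tuple

# Indicator rules for the behaviours described in the article. The patterns are
# assumptions about how each action appears in Windows process-creation records
# or ESXi shell.log entries; they are not signatures from the Cybereason report.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clearing": re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.I),
    "psexec_lateral_movement": re.compile(
        r"\bpsexec(\.exe)?\b|\bPSEXESVC\b", re.I),
    "esxi_root_password_reset": re.compile(
        r"\bpasswd\s+root\b", re.I),
    "esxi_ssh_enabled": re.compile(
        r"vim-cmd\s+hostsvc/(enable|start)_ssh", re.I),
    "esxi_vm_termination": re.compile(
        r"esxcli\s+vm\s+process\s+kill|vim-cmd\s+vmsvc/power\.off", re.I),
}

# Constructed sample telemetry (not real logs): host|source|message.
SAMPLE_LOGS = [
    "WS-042|sysmon:1|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "WS-042|sysmon:1|C:\\Windows\\System32\\wevtutil.exe cl Security",
    "WS-042|sysmon:1|C:\\Windows\\System32\\notepad.exe C:\\Users\\pat\\notes.txt",
    "FS-01|sysmon:1|C:\\Tools\\PsExec.exe \\\\FS-02 -s -d cmd.exe /c whoami",
    "ESX-07|shell.log|passwd root",
    "ESX-07|shell.log|vim-cmd hostsvc/enable_ssh",
    "ESX-07|shell.log|esxcli vm process kill --type=force --world-id=2099",
    "ESX-08|shell.log|esxcli system version get",
]


def classify_event(message: str) -> list[str]:
    """Return the sorted list of indicator tags that match one log message."""
    return sorted(tag for tag, rx in RULES.items() if rx.search(message))


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a 'host|source|message' record; return None for malformed lines."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    host, source, message = (p.strip() for p in parts)
    return host, source, message


def triage(lines, min_tags: int = 2) -> dict[str, dict]:
    """Aggregate indicator tags per host and flag hosts with >= min_tags
    distinct behaviours. A single hit (e.g. PsExec alone) is common admin
    activity and is reported but not escalated."""
    per_host: dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, _source, message = rec
        per_host[host].update(classify_event(message))
    return {
        host: {"tags": sorted(tags), "escalate": len(tags) >= min_tags}
        for host, tags in sorted(per_host.items())
    }


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOGS).items():
        flag = "ESCALATE" if verdict["escalate"] else "info"
        print(f"{host:8} {flag:9} {', '.join(verdict['tags']) or '-'}")
```

Running the script escalates WS-042 (shadow copy deletion plus log clearing) and ESX-07 (password reset, SSH enablement, VM kill) while leaving FS-01, which only shows PsExec, at informational level. Tune `min_tags` and the rule set to your own environment; the point is correlating the precursor behaviours per host rather than alerting on any one of them.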