In 2025, a ransomware group called Qilin quietly rose to become the most active cyber threat on the planet when it claimed more victims than any other criminal operation. With attacks continuing to accelerate into 2026, understanding how this group operates and what makes your business a potential target has never been more important.
How Qilin Became the World’s Most Active Ransomware Group
Qilin first appeared in 2022 under the name “Agenda” and spent its early years as a relatively minor player. In 2023, the group was linked to just 45 attacks. By 2024, that number grew to 179. Everything changed in 2025: Qilin claimed over 1,000 victims that year, more than any other ransomware operation in the world.
So what happened? A big part of the answer is timing. In April 2025, a rival group called RansomHub, which had been one of the most active ransomware operations at the time, suddenly went offline. Qilin operates as a ransomware-as-a-service (RaaS) business, meaning the people who actually carry out attacks are freelance criminals known as “affiliates” who rent access to Qilin’s tools and infrastructure. When RansomHub disappeared, many of its affiliates migrated to Qilin, and they brought their skills and targets with them. The result was a 56% jump in Qilin’s monthly victim count almost immediately after RansomHub’s collapse.
By October 2025, Qilin was responsible for 29% of all ransomware attacks globally, and the momentum hasn’t stopped. In the first two weeks of January 2026, Qilin posted over 55 new victims to its leak site, putting it ahead of its already record-setting 2025 pace.
What Makes Qilin Dangerous for Small and Mid-Sized Businesses
There’s a common assumption that ransomware groups go after big corporations with deep pockets. Qilin doesn’t operate that way. Their 2025 victim list is full of small and mid-sized organizations, from local courts and school districts to healthcare practices and water utilities. Here are three reasons the group is especially dangerous for SMBs:
- They target the IT providers that SMBs depend on: Rather than attacking businesses one at a time, Qilin has repeatedly gone after managed service providers (MSPs), the outsourced IT companies that many small businesses rely on to manage their networks, security, and day-to-day technology. When an MSP is compromised, every client connected to that provider becomes a potential victim. In one 2025 case in South Korea, a single MSP breach gave Qilin access to 28 downstream organizations simultaneously, with over 2 TB of data stolen across those organizations. In another incident, Qilin affiliates phished the administrator of a US-based MSP’s remote management tool and used that access to deploy ransomware across multiple client environments in one coordinated strike.
- They steal your data before encrypting it: Qilin uses what’s known as “double extortion.” Before encrypting a victim’s systems, their affiliates quietly extract sensitive data, including financial records, employee information, client files, and anything else of value. If the ransom isn’t paid, that data gets published on Qilin’s public leak site for anyone to download. For any business, this can mean exposed client records, regulatory penalties, and lasting reputational damage that goes far beyond the initial disruption of locked systems.
- They exploit the gaps that SMBs are most likely to have: Qilin’s most common way in is through VPN portals that lack multi-factor authentication or through unpatched vulnerabilities in widely used networking equipment like Fortinet firewalls and Citrix gateways. These are exactly the kinds of security basics that tend to slip through the cracks at smaller organizations, where IT resources are stretched thin and patching cycles are inconsistent. Once inside, Qilin affiliates move quickly to harvest additional credentials, delete backups, and exfiltrate data before launching encryption (sometimes within just a day or two of initial access).
The good news is that Qilin’s playbook, while effective, is not unpredictable. The group relies on a well-documented set of tactics, and most of their successful attacks exploit gaps that are entirely preventable with the right measures in place. Here’s where to focus.
Practical Defenses Against Qilin Ransomware
Because Qilin affiliates frequently break into businesses through their IT providers, one of the most important steps you can take is making sure your own MSP has a strong cybersecurity posture. If your IT provider gets compromised, your business is exposed, regardless of how well you’ve secured your own environment. That’s why you should do the following:
- Ask your provider whether they enforce MFA on all remote management tools.
- Find out how they segment access between client environments so that a breach at one client doesn’t cascade to others.
- Ask whether they hold any third-party security certifications and what frameworks they follow (such as NIST CSF or CIS Controls).
- For government contractors specifically, verify that your MSP meets the CMMC certification requirements that went into effect in November 2025. MSPs handling controlled unclassified information (CUI) are now required to meet the same certification level as the contractors they serve.
OSIbeyond was one of the first MSPs to achieve CMMC Level 2 certification and provides managed IT and cybersecurity services built around the security frameworks that directly counter threats like Qilin.
In addition to your choice of IT provider, there are several high-impact defenses that map directly to Qilin’s known attack methods:
- Enforce multi-factor authentication on everything externally facing. MFA on VPNs, email, remote desktop, and cloud admin portals is the single most effective measure against Qilin’s preferred entry method. In multiple documented incidents, the initial compromise succeeded specifically because the VPN portal lacked MFA protection. This is a low-cost, high-impact change that should be treated as non-negotiable, but it’s important to implement MFA correctly to avoid creating a false sense of security.
- Patch internet-facing systems as a top priority. Qilin affiliates have actively exploited known vulnerabilities in Fortinet firewalls, Citrix gateways, and Veeam backup software, often months after patches were available. If your organization runs any of these products, confirm that the latest security updates have been applied. More broadly, any device that’s reachable from the internet should be on an aggressive patching cycle since unpatched software remains one of the most common and most preventable entry points for ransomware.
- Make your backups ransomware-proof. Qilin affiliates specifically target and delete backups before launching encryption. If your backups are connected to the same network as everything else, they will likely be destroyed alongside your production data unless they are sufficiently protected. Protecting them properly requires deliberate planning, but it can mean the difference between a painful week and a business-ending event.
- Segment your network to limit the blast radius. Qilin affiliates move laterally across networks using common admin tools like remote desktop and PowerShell. Network segmentation means that a single compromised machine doesn’t hand attackers the keys to everything. At a minimum, critical servers, backup systems, and administrative tools should be isolated behind additional access controls.
- Train your team to spot phishing. Several major Qilin incidents started with a single phishing email. In the MSP attack mentioned earlier, a convincing fake login alert was all it took to compromise an administrator’s credentials and MFA token. Regular security awareness training and simulated phishing exercises can significantly reduce the odds of that kind of mistake.
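To make the MFA point above concrete from the monitoring side, here is an added example (not from the original post or from OSIbeyond) that scans VPN gateway authentication logs and flags the two patterns that precede many of the intrusions described here: a successful login that never presented a second factor, and a success that followed a burst of failed attempts from the same source. The log format, field names, usernames and IP addresses are all constructed for the example and do not correspond to any real product's output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample VPN gateway log lines (invented format, not a real product's).
SAMPLE_VPN_LOG = """\
2026-01-09T08:02:11Z user=jdoe src=203.0.113.10 result=success mfa=totp
2026-01-09T08:05:40Z user=admin src=198.51.100.7 result=fail mfa=none
2026-01-09T08:05:52Z user=admin src=198.51.100.7 result=fail mfa=none
2026-01-09T08:06:03Z user=admin src=198.51.100.7 result=fail mfa=none
2026-01-09T08:06:15Z user=admin src=198.51.100.7 result=success mfa=none
2026-01-09T09:14:22Z user=backup_svc src=192.0.2.44 result=success mfa=none
2026-01-09T09:20:00Z user=asmith src=203.0.113.55 result=success mfa=push
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)

@dataclass
class Finding:
    user: str
    src: str
    reason: str

def analyze_vpn_log(text: str, fail_threshold: int = 3) -> list[Finding]:
    """Flag successful VPN logins that bypassed MFA, and successes that
    followed at least fail_threshold failures from the same user/source."""
    findings: list[Finding] = []
    recent_fails: dict[tuple[str, str], int] = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        user, src, result, mfa = m["user"], m["src"], m["result"], m["mfa"]
        key = (user, src)
        if result == "fail":
            recent_fails[key] += 1  # count consecutive failures per user/source
            continue
        if result != "success":
            continue
        if mfa == "none":
            findings.append(Finding(user, src, "login succeeded without MFA"))
        if recent_fails[key] >= fail_threshold:
            findings.append(Finding(user, src, f"success after {recent_fails[key]} failures"))
        recent_fails[key] = 0  # a success resets the failure streak
    return findings

if __name__ == "__main__":
    for f in analyze_vpn_log(SAMPLE_VPN_LOG):
        print(f"{f.user}@{f.src}: {f.reason}")
```

Run against the sample, the script reports the admin account twice (no MFA, and a success after three failures) and the backup service account once, while the two MFA-protected logins produce no findings.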
None of these measures require a massive budget or a dedicated security team, but they do require consistency and follow-through, which is exactly where most SMBs struggle. If you’re unsure where your organization stands on any of the above, that’s a conversation worth having with your IT provider sooner rather than later.
Conclusion
Qilin’s rise from a small ransomware operation to the most active threat group in the world took less than three years, and their playbook is built around exploiting the kinds of gaps that are most common at small and mid-sized organizations. The good news is that every one of those gaps is fixable. The businesses that take action now will be in a far stronger position than those that wait for a reason to act.
If you’re not sure whether your organization is prepared for threats like Qilin, schedule a meeting with OSIbeyond to discuss your cybersecurity posture and find out where you may be exposed.