Qilin ransomware surges into 2026
Qilin enters 2026 with rapid growth, heightened aggression, and mounting risk as scrutiny intensifies.
Takeaways
- Qilin is accelerating, not slowing down — already posting 55 victims in early 2026, putting it ahead of its 2025 pace.
- Unrestricted targeting raises its risk profile — including healthcare and public‑service organizations, increasing chances of catastrophic blowback.
- The group’s growth is fragile — history shows ransomware groups often collapse after high‑impact attacks, and Qilin’s aggressive strategy puts it at similar risk.
When I profiled the Qilin ransomware group in July 2025, it wasn’t clear whether the group would survive the year. In February Qilin gained access to a key provider in the London healthcare system, resulting in 170+ cases of patient harm, including two cases of long-term or permanent harm and one patient death. This level of disruption brings intense scrutiny and real operational risk to a threat actor. For example,
- Darkside succumbed to “unspecified pressure” from the United States after the Colonial Pipeline attack.
- ALPHV/BlackCat disappeared after the Change Healthcare attack, and although it’s widely considered an exit scam, you can’t help but wonder if the group was feeling the heat from delaying access to medication.
- Black Basta shut down shortly after one of its members attacked Ascension Health. Other Black Basta members expressed their concerns over this attack:
  - GG: “100% of the FBI and CISA are obliged to get involved, and all this has led to the fact that they will take tough tackle on Black Basta. … We will not wash off this now and most likely the software will fly to the trash,”
  - Tinker: “If someone, God forbid, dies… we will rake the problems on our heads – this will be classified as a terrorist attack. … I don’t want to go to hell if a child with a heart defect dies.”
It is not unusual for high-profile groups to go dark after causing a large disruption to public resources, whether it’s healthcare, fuel or some other critical resource.
Qilin also grew quickly. Affiliates leaving the RansomHub and LockBit ransomware‑as‑a‑service (RaaS) operations brought experience and momentum that strengthened the group. That was a nice boost for Qilin, but these weren’t loyal affiliates. They had already proven they would leave a RaaS operation at any hint of instability. So in July 2025, there were doubts as to whether Qilin would remain a relevant threat through the rest of the year. But wow, that group is thriving.
Qilin claimed over 1,000 victims on its leak site in 2025, listed at a rate of more than 40 victims per month in the second half of the year. Manufacturing was the most attacked sector, accounting for about 23% of all Qilin listings. The group claims to have stolen 31.2 petabytes from its victims, with the majority of that from one manufacturer. These claims have not been verified.
The group shows no signs of slowing down. We’re only a couple of weeks into 2026 and Qilin has already posted 55 victims to its leak site. These are unverified claims, though some of the posts have samples of (allegedly) stolen data. This puts Qilin on track to surpass its record-breaking numbers of 2025.
Qilin is a mature group with a sophisticated platform, and it has shown it can adapt to changes in the threat landscape and industry defenses. It will probably remain a top ransomware actor through the first half of the year. However, any group can collapse under the right conditions. For example,
- Internal divisions lead to leaks or law enforcement exposure
- High-profile attacks attract too much attention for the group to continue
- Major, sustained infrastructure disruptions can force affiliates to scatter
Neither Qilin nor its affiliates show the discipline to avoid healthcare providers, municipal services, infrastructure or any other entities that support public health and wellbeing. Those are the attacks that draw the most unwanted attention, and it only takes a single well-placed attack to disrupt services to an entire region or demographic. And since no sector is marked ‘safe’ from Qilin, the group is still its own worst enemy.