This week, Qilin claimed responsibility for its 700th ransomware attack of 2025, establishing itself as the most prolific ransomware gang of the last few years. Ten months into this year, the group has already exceeded last year’s most dominant strain, RansomHub, which claimed 547 victims in all of 2024.
Qilin is a Russia-based group that first appeared in 2022, but it only really started to gain traction in 2023 when it made 45 attack claims. In 2024, its victim count rose to 179 before quadrupling this year.
Part of Qilin’s recent onslaught of attacks could be attributed to its ransomware-as-a-service business model. Under a RaaS scheme, third-party affiliates pay to use Qilin’s malware and infrastructure to carry out attacks and collect ransoms. After RansomHub went dark in April 2025, its affiliates are rumored to have flocked to Qilin. This coincided with a 280 percent jump in attack claims, from 185 at the end of April 2025 to 701 now.
Qilin’s key targets are manufacturers, finance companies, retailers, healthcare providers, and government agencies – crucial sectors where system encryption and/or data theft can be especially disruptive and put data subjects at risk.
Key findings for 2025:
So far this year, Qilin has claimed:
- 701 victims (118 of these attacks have been confirmed)
- 45 attacks on healthcare providers (14 confirmed)
- 40 attacks on government entities (22 confirmed)
- 26 attacks on the education sector (7 confirmed)
- 590 attacks on businesses (75 confirmed):
  - 143 on manufacturers (11 confirmed)
  - 108 on service-based businesses (9 confirmed)
  - 69 on finance companies (27 confirmed)
  - 50 on retailers (2 confirmed)
  - 34 on construction companies (2 confirmed)
- 788,377 records breached in the confirmed attacks
- 116 TB of data stolen across all attacks (47 TB in confirmed attacks)
- The US accounts for the most attacks (375), followed by France (41), Canada (39), South Korea (33), and Spain (26)
Qilin ransomware victims by sector & industry
Businesses account for most of Qilin’s claims, but the education sector witnessed the biggest increase in attacks from 2024 to 2025. Where businesses have seen a 307 percent increase in attacks, education has seen a 420 percent increase. Government agencies have also seen a large influx, rising by 344 percent, while healthcare has seen the lowest increase at 125 percent.
Qilin ransomware attacks on the education sector
Throughout 2025, we’ve noted:
- 26 attacks on the education sector
- 7 of these attacks have been confirmed
- 2.4 TB of data stolen across all attacks (620 GB in confirmed attacks)
Six of the seven confirmed attacks on the education sector have been in the US, with one in Australia (Belmont Christian College). Most of these attacks disrupted systems, with Uvalde Consolidated Independent School District shutting its doors from September 15 to 18 and Mecklenburg County Public Schools taking a week to restore its systems. Neither Uvalde nor Mecklenburg paid the ransom demands, but Mecklenburg did tell Comparitech it would need to see how its investigations went before deciding whether to succumb to Qilin’s demands.
Qilin ransomware attacks on government agencies
From January 2025 to present, we’ve noted:
- 40 attacks on government agencies
- 22 of these attacks have been confirmed
- 9.8 TB of data stolen across all attacks (8.1 TB in confirmed attacks)
Qilin’s attacks on government entities appear to have increased over the last month or so, with seven of its confirmed attacks taking place in September and October. Among these are three US agencies (Orleans Parish Sheriff’s Office, the Town of Waxhaw, and Lakehaven Water & Sewer District), three French agencies (Ville de Saint-Claude, Region Hauts-de-France, and Commune d’Elne), and the public utility company N.V. ELMAR in Aruba.
System encryption and data theft are cited in most of these cases. For example, in the case of the Region Hauts-de-France, 80 percent of the region’s high schools were affected by system disruptions. Qilin said it stole 1.1 TB of data from the schools.
Qilin ransomware attacks on healthcare providers
2025 so far has seen:
- 45 attacks on healthcare providers
- 14 of these attacks have been confirmed
- Over 596,000 records breached across the confirmed attacks
- 11.8 TB of data stolen across all attacks (10.1 TB in confirmed attacks)
Just over half of Qilin’s confirmed attacks on healthcare providers (8) are in the US. But its biggest breach (by data affected) was on Japan’s Utsunomiya Central Clinic, where 300,000 people were affected. Recently, Qilin took credit for stealing a whopping 8 TB of data from the Shamir Medical Center in Israel. Reports said Qilin demanded $700,000 in exchange for deleting the data.
Qilin ransomware attacks on businesses
2025 so far has seen:
- 590 attacks on businesses
- 75 of these attacks have been confirmed
- 184,000 records breached across the confirmed attacks
- 92 TB of data stolen across all attacks (28 TB in confirmed attacks)
As the table below demonstrates (and as we have previously mentioned), manufacturers are Qilin’s favorite target. Prime examples are Qilin’s attacks on Japan’s Asahi Group Holdings and France’s Alu Perpignan last month. Asahi continues to struggle to restore its systems. Alu Perpignan recently revealed that, after shutting down computer systems for three weeks, it lost three months’ worth of business.
Attacks on manufacturers can also lead to data breaches. While not often as vast as breaches in other sectors, e.g. healthcare, they can still have serious consequences. For example, Qilin recently claimed an attack on Nissan’s design agency, Nissan Creative Box Inc. Qilin says it stole more than 4 TB of data including design data that could lead to product information being leaked and Nissan’s business strategy being interrupted/impeded by competitors.
Qilin’s biggest breach of a business (based on data affected) was at US retail company Crossroads Trading Co., Inc. Over 60,000 people were notified of the breach following Qilin’s attack in February 2025. The retailer also noted technical issues with its POS and credit card terminals.
In September, Qilin also claimed attacks on 30 asset management companies in South Korea. 21 of these companies have confirmed their systems were impacted after Qilin gained access via a mutual IT provider.
Qilin’s most targeted countries
According to our data, the following countries have seen the largest number of attacks via Qilin this year so far:
- United States – 375 attacks (54 confirmed)
- France – 41 attacks (8 confirmed)
- Canada – 39 attacks (1 confirmed)
- South Korea – 33 attacks (22 confirmed)
- Spain – 26 attacks (3 confirmed)
- United Kingdom – 20 attacks (none confirmed)
- Italy – 19 attacks (1 confirmed)
- Germany – 18 attacks (3 confirmed)
- Singapore – 11 attacks (none confirmed)
- Australia – 9 attacks (4 confirmed)
Attacks in the US have already increased by over 271 percent from 2024’s total of 101. After reporting just two attacks in 2024, Spain saw a sharp 1,200-percent increase. Similarly, no victims were reported in South Korea in 2024, but 33 have been noted this year already. Most of those stem from the asset management attacks noted above.
Qilin’s biggest ransom demands
Qilin doesn’t reveal its ransom demands when making its claims, so data on them is limited. In 2025, the following demands from Qilin have been reported:
- Malaysia Airports Holdings Bhd – $10 million demanded: In March 2025, Qilin targeted Malaysia’s Kuala Lumpur International Airport, causing disruption to systems and the alleged theft of 2 TB of data. Airport officials said the group demanded $10 million, which they refused to pay.
- Cleveland Municipal Court, US – $4 million demanded: After being targeted in late February 2025, Cleveland Municipal Court faced weeks of disruptions. Qilin is also rumored to have demanded $4 million for stolen data, which the court refused to pay.
- Ciudad Autónoma de Melilla, Spain – $2.12 million demanded: The Spanish city was hit by an attack in June 2025. It caused mass disruption with Qilin also alleging that it had stolen 4 to 5 TB of data. No ransom was paid.
- Shamir Medical Center, Israel – $700,000 demanded: After allegedly stealing 8 TB of data from the Israeli healthcare provider, Qilin is said to have demanded $700,000 to delete it.
- Hamilton County Sheriff’s Office, US – $300,000 demanded: Hit in April 2025, Hamilton County Sheriff’s Office refused to meet Qilin’s ransom demands. Later, it was revealed that the attack had cost $48,000 after an external cybersecurity company was hired to help restore systems.
The only other ransom demand we’re aware of from Qilin came in 2024. Here, a staggering $50 million was demanded from UK-based Synnovis. While the healthcare company refused to pay the ransom, the attack incurred around £33 million (USD $44 million) in costs and led to a data breach involving 900,000 people.
Qilin statistics from 2022 to present
Since it first originated in 2022, we’ve recorded:
- 926 attacks via Qilin
- 168 of these attacks have been confirmed
- 2,302,433 records have been breached across the confirmed attacks
- 53 attacks on government entities (31 confirmed)
- 31 attacks on the education sector (7 confirmed)
- 69 attacks on healthcare providers (28 confirmed)
- 773 attacks on businesses (102 confirmed)
Confirmed vs unconfirmed attacks
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.
When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.
All data is derived from our worldwide ransomware tracker (updated daily).