
Qilin Ransomware Group Emerges as One of the Most Active RaaS Operations in 2025
The Qilin ransomware group, also known by its aliases Agenda, Gold Feather, and Water Galura, has emerged as one of the most active ransomware-as-a-service (RaaS) operations in 2025. In every month of 2025 except January, the group has claimed more than 40 victims, peaking at 100 cases in June. This sustained activity makes Qilin a significant threat in the current cybersecurity landscape and highlights the growing menace posed by RaaS operations, which supply affiliates with ready-made ransomware tooling and infrastructure and so lower the barrier to entry for conducting attacks.
The consistent monthly victim count and the significant peak in June suggest that Qilin has a well-coordinated and potentially expanding network of affiliates. This trend underscores the effectiveness of the RaaS model in scaling ransomware operations. Cybersecurity professionals should take note of Qilin's operational tempo and prepare defenses accordingly, as the group's high activity level indicates a substantial and ongoing threat.
Organizations must prioritize vulnerability management to address potential entry points for ransomware attacks. Network segmentation can help limit the spread of malware within an organization's infrastructure. Comprehensive backup strategies and well-defined incident response plans are essential to mitigate the impact of potential attacks. Regular testing of backup integrity and restoration procedures ensures that organizations can recover quickly in the event of an attack.
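The paragraph above recommends regular testing of backup integrity and restoration procedures but does not say what such a test looks like in practice. The following script is an added example, not part of the original article or any Qilin-related tooling: it records a SHA-256 manifest of a backup set and later checks a restored copy against that manifest, reporting files that are missing, modified (for instance overwritten with encrypted content), or unexpectedly present. The directory names and file contents are constructed sample data; the `demo()` function builds them in a temporary directory so the example runs offline.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large backup artifacts do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest.

    The manifest should be stored on separate, write-protected media from the
    backup itself, so that tampering with the backup cannot also fix up the manifest.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored directory tree against a previously recorded manifest."""
    result: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        candidate = restored_root / rel
        if not candidate.is_file():
            result["missing"].append(rel)
        elif sha256_file(candidate) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    # Files that exist after restore but were never in the manifest are also worth flagging.
    for rel in build_manifest(restored_root):
        if rel not in manifest:
            result["unexpected"].append(rel)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed end-to-end run: back up, record manifest, restore with faults, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        restore = Path(tmp) / "restore"
        for d in (backup, restore):
            (d / "db").mkdir(parents=True)

        # Constructed sample backup set (hypothetical file names and contents).
        files = {
            "config.yaml": b"retention_days: 30\n",
            "db/orders.sql": b"INSERT INTO orders VALUES (1, 'sample');\n",
            "notes.txt": b"restore runbook pointer\n",
        }
        for rel, data in files.items():
            (backup / rel).write_bytes(data)

        manifest = build_manifest(backup)
        manifest_json = json.dumps(manifest, indent=2)  # what you would write to offline media

        # Simulate a restore, then inject the failure modes a test should catch.
        for rel, data in files.items():
            (restore / rel).write_bytes(data)
        (restore / "db/orders.sql").write_bytes(b"\x00" * 32)  # content replaced, e.g. encrypted
        (restore / "notes.txt").unlink()                         # file lost during restore
        (restore / "stray.tmp").write_bytes(b"leftover\n")       # file that was never backed up

        return verify_restore(restore, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running this in a scheduled job against a real restore target, rather than only checking that backup files exist, turns "we have backups" into a verified claim; any entry in `modified` or `missing` should fail the job and page the on-call engineer.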
Employee training is critical, as phishing attacks are often the initial vector for ransomware infections. Regular security awareness training and simulated phishing exercises can help reinforce good security practices among employees. Additionally, organizations should implement robust endpoint detection and response (EDR) solutions to detect and respond to ransomware attacks quickly. These solutions can provide real-time monitoring and automated response capabilities, enhancing an organization's ability to contain and remediate threats.
Given Qilin's use of multiple aliases, it is crucial for cybersecurity teams to monitor for indicators of compromise (IOCs) associated with all known names of the group. Collaboration with threat intelligence sharing platforms can help organizations stay informed about the latest IOCs and tactics, techniques, and procedures (TTPs) associated with Qilin and its affiliates. Sharing threat intelligence within industry-specific information sharing and analysis centers (ISACs) can further enhance collective defense capabilities.
In conclusion, the rise of Qilin as one of the most active RaaS operations underscores the evolving threat landscape. Cybersecurity professionals must stay informed about the latest TTPs used by such groups and implement proactive defense measures to mitigate the risk of ransomware attacks. Regular threat intelligence updates and collaboration with industry peers can enhance an organization's ability to detect and respond to emerging threats effectively. By adopting a multi-layered defense strategy that includes technical controls, employee training, and threat intelligence sharing, organizations can better protect themselves against the growing threat of ransomware attacks.