
In July, the Qilin ransomware group emerged as a significant threat, claiming over 70 victims.

The ransomware threat landscape experienced a troubling increase in July 2025, with the Qilin Ransomware Group solidifying its dominant position for the third time in four months. The group successfully claimed 73 victims on its data leak site, accounting for 17.3% of the month’s total 423 ransomware incidents. This trend signifies a notable consolidation of criminal operations under established threat actors, as the ransomware ecosystem continues to evolve following the decline of previously dominant groups like RansomHub. Qilin’s sustained leadership reflects its sophisticated operational capabilities and persistent targeting strategies. The Ransomware-as-a-Service operation has shown remarkable consistency in victim acquisition, surpassing its closest competitor, INC Ransom, which claimed 59 victims during the same period. The United States suffered the most, with 223 victims—eight times more than second-place Canada—underscoring the ongoing focus on high-value Western targets.

Cyble researchers identified 25 critical infrastructure ransomware incidents throughout July, with Qilin operations particularly affecting sectors such as government and law enforcement, energy and utilities, and telecommunications. An additional 20 incidents indicated potential supply chain implications due to compromised application software providers. Qilin’s targeting methodology demonstrates a calculated approach aimed at maximising both financial returns and operational disruption.

The group’s success is partly attributed to its systematic exploitation of known enterprise vulnerabilities. It has weaponised seven critical security flaws, including CVE-2023-48788, a SQL injection vulnerability in Fortinet FortiClientEMS that allows attackers to execute arbitrary SQL commands through crafted HTTP requests. Additional attack vectors include CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX, and CVE-2025-5777, an out-of-bounds read in Citrix NetScaler ADC and Gateway. Microsoft SharePoint environments face particular risk through four newly identified vulnerabilities. The persistence of these exploitation patterns highlights the critical importance of proactive patch management and vulnerability remediation programs. Organisations must prioritise securing internet-facing applications and implementing robust network segmentation to limit the blast radius of a successful initial compromise.
