
Daily Security Review

From Malware to Court: Qilin Ransomware’s ‘Call a Lawyer’ Tactic

23 Jun 2025

Description

In this episode, we take a deep dive into the Qilin ransomware group — now regarded as the world’s leading ransomware-as-a-service (RaaS) operation — and explore how it’s reshaping the cybercrime landscape in 2025.

Qilin, also known as Agenda, burst onto the scene in 2022 with a Go-based ransomware. It has since evolved into a highly evasive Rust-based malware platform targeting both Windows and Linux environments, including critical VMware ESXi servers. The group uses aggressive double extortion tactics — encrypting data while also threatening public exposure of stolen information — with ransom demands ranging from $50,000 to $800,000.

But what truly sets Qilin apart is its transformation into a full-service cybercrime platform, offering affiliates advanced tooling, data storage, spam and DDoS services, and — most controversially — a “Call Lawyer” feature designed to pressure victims with legal consultation during ransom negotiations. While some experts dismiss this legal counsel angle as a mere recruitment stunt, it has proven effective in unnerving corporate victims, especially in sectors like healthcare, manufacturing, and energy.

In 2024 alone, Qilin has amassed over $50 million in ransom payments from more than 60 attacks, shifting its targeting to critical infrastructure and operational technology companies worldwide. The group's high-profile assaults — such as the $50 million ransom attack on Synnovis, a major UK healthcare provider — have caused severe disruptions, even impacting critical patient care.

We’ll unpack:

- Qilin’s evolution from a simple RaaS to a global cybercrime platform
- The unique legal pressure tactic and why it’s alarming defenders
- How Qilin’s affiliates, including groups like Scattered Spider, are exploiting the platform
- The malware’s sophisticated TTPs mapped to MITRE ATT&CK
- The shift toward targeting healthcare and critical OT systems
- Key defense and mitigation strategies organizations must adopt to combat this growing threat

If you want to understand how ransomware has morphed into a professionalized business model — and what comes next — don’t miss this episode.
