Top Ransomware Groups June 2025: Qilin Reclaims Top Spot
In June, the Qilin ransomware gang once again became the largest group, with 86 victims. Its rise was likely helped by RansomHub going offline after DragonForce took it over in April. Although preliminary data suggest the overall number of victims is stabilizing, Qilin continues to dominate the market with its sophisticated RaaS offering and attacks on high-value industries.

2025-7-1 10:31:9 Author: cyble.com

Qilin was the top ransomware group for the second time in three months in June, suggesting that the group may be strongly benefiting from the turmoil that knocked RansomHub offline at the beginning of April. 

RansomHub was the top ransomware group for more than a year until rival DragonForce claimed to be taking over its infrastructure in what may have been an act of sabotage. Qilin took over the top spot in April, and after SafePay narrowly took the lead in May, Qilin returned to the top in June with a dominant showing. 

Cyble’s ransomware data for June is preliminary and will likely rise in the coming days as more data is processed, but Qilin has dominated the ransomware landscape for the month with 86 victims so far, more than 50 ahead of the group’s nearest rivals. 

[Chart: Ransomware]

Overall, preliminary data show that ransomware groups have claimed 377 victims as of late June, within range of the May final total of 401 victims (chart below), and a sign of potential stabilization following a three-month decline from February’s record attacks.

[Chart: Ransomware]

Qilin’s Dominance

Despite being named after a mythical Chinese creature, Qilin is believed to have Russian ties, based on the group’s communications and avoidance of Commonwealth of Independent States (CIS) targets. The group operates a sophisticated Ransomware-as-a-Service (RaaS) program and has recently been observed offering affiliates legal guidance and other services. 

Among the group’s targets in June were high-value telecom, blockchain, healthcare, and transportation targets. 

The group claimed responsibility for an attack on a U.S.-based provider of mobile network solutions for government, commercial, and military clients. Data samples suggest that Qilin may have gained access to sensitive facility documentation, technical blueprints, and client agreements. 

Another claimed attack targeted a U.S.-based company involved in blockchain infrastructure and application development, posing potential supply chain risks to downstream partners and clients relying on its technology stack or innovative contract frameworks. 

Qilin also claimed responsibility for an attack on a major U.S.-based logistics and freight forwarding company in June. 

Like many top ransomware groups, Qilin has overwhelmingly targeted the U.S., claiming 50 of the 213 total U.S. attacks in June (chart below). 

[Chart: Ransomware]

Interestingly, unlike other ransomware groups that have overwhelmingly targeted the construction, professional services, healthcare, and manufacturing sectors, Qilin’s claimed victims have been more balanced across sectors, including a higher percentage of financial targets than rivals (June data below). 

[Chart: Ransomware]

It remains to be seen if Qilin has RansomHub-like staying power, but its desire to woo affiliates with sophisticated technology and services is paying off so far. 

Significant Ransomware Developments in June

Qilin’s rivals did not stand still in June, as several new ransomware groups and affiliate programs emerged. 

In the latest example of hacktivists moving into ransomware, the pro-Russian hacktivist group CyberVolk on June 26 announced the release of a new ransomware payload for upcoming cyberattacks, which was confirmed by the emergence of a Go-based ransomware sample first spotted in the wild on June 28. The ransomware encrypts files with the extension “.CyberVolk” and drops a ransom note titled “READMENOW.txt”. 

Threat actor (TA) RALord was observed actively seeking affiliates on the English-language cybercrime forum DarkForums for its new Nova ransomware-as-a-service (RaaS) program. In the post, the TA highlighted a chat system for negotiations, a dedicated control panel for organizing attacks, affiliate attack statistics, a ticketing system, lockers for different operating systems, and a guide and documentation for affiliates. The TA offered a discount for the first few members and quoted USD 300 for lifetime access. RALord emerged in March 2025 and rebranded itself as Nova towards the end of April. It initially promoted its RaaS through a Tor-based data leak site (DLS), offering affiliates 85% of profits, a locker for €200 per operation, and 10% of decryptor sales. The locker is compiled in Rust to target Windows machines and appends a .RALord extension to encrypted files. 

A threat actor actively recruited affiliates on the RAMP forum for the Chaos ransomware-as-a-service (RaaS) operation. A post described Chaos as a fast, customizable, multi-platform (Windows/ESXi/Linux/NAS) locker offering features like individual file key encryption, customizable encryption paths/percentages, and fast speeds (1TB in 10 minutes). It supports stealthy execution, no dependencies, and simultaneous encryption across disks and networks. The control panel includes AI-generated builds, chat integration, detailed victim statistics, and ticket-based support. Entry requires a $10K deposit (returned after the first paid case). The group avoids targeting BRICS/CIS/Gov entities. Cyble began monitoring the Chaos group in early April, when their onion leak site surfaced with several victims. 

A newly identified ransomware group known as Kawa4096 has surfaced in the wild, with an OSINT investigation revealing active operations and a functional Tor-based data leak site (DLS). The group uses a ransomware strain that encrypts files with random extensions and directs victims via ransom note to contact them over Tox and visit their onion DLS for negotiations. Analysis of the DLS reveals five victims currently listed, with the names of four of them obfuscated. The group’s DLS closely mimics the Akira ransomware group’s DLS. 
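The three new families above leave concrete host-level artifacts that a defender can match on: a fixed encrypted-file extension (“.CyberVolk”, “.RALord”), a named ransom note (“READMENOW.txt”), or, for Kawa4096, a burst of renames to extensions nobody has seen before. The following triage routine is an added example written for this article, not code from Cyble or from any of the groups described; the only values taken from the report are the extensions and note name, while the event-line format, the allowlist of expected extensions, the burst threshold of five renames and the sample event lines are constructed assumptions.

```python
"""Triage file-activity events for the ransomware artifacts named in the June report.

Each event line is assumed to look like '<timestamp> <OP> <path>' where OP is
CREATE or RENAME (the path is the new name after a rename). The format is a
constructed assumption for this example, not a real EDR export.
"""
from dataclasses import dataclass

# Indicators quoted in the report: extension -> family, note filename -> family.
KNOWN_EXTENSIONS = {".cybervolk": "CyberVolk", ".ralord": "RALord/Nova"}
KNOWN_NOTES = {"readmenow.txt": "CyberVolk"}

# Extensions a rename may legitimately end in. Anything else counts toward the
# burst heuristic that is meant to catch families using random extensions
# (Kawa4096). Both the allowlist and the threshold are assumptions.
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".bak", ".tmp", ".jpg", ".png"}
BURST_THRESHOLD = 5


@dataclass(frozen=True)
class Alert:
    family: str   # matched family, or "unknown" for the heuristic
    reason: str
    path: str


def parse_event(line: str):
    """Split one event line into (timestamp, OP, path)."""
    ts, op, path = line.strip().split(" ", 2)
    return ts, op.upper(), path


def split_name(path: str):
    """Return (lower-cased basename, extension) for a Windows or POSIX path.

    Backslashes are normalized explicitly so the example behaves the same on
    a Linux analysis host as it would on Windows.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return name, ext


def triage(lines):
    """Return the list of alerts raised by a sequence of event lines."""
    alerts = []
    unexpected_renames = 0
    for line in lines:
        if not line.strip():
            continue
        _, op, path = parse_event(line)
        name, ext = split_name(path)
        if op == "CREATE" and name in KNOWN_NOTES:
            alerts.append(Alert(KNOWN_NOTES[name], "ransom note dropped", path))
        elif op == "RENAME":
            if ext in KNOWN_EXTENSIONS:
                alerts.append(Alert(KNOWN_EXTENSIONS[ext], "known encrypted-file extension", path))
            elif ext not in EXPECTED_EXTENSIONS:
                unexpected_renames += 1
                if unexpected_renames == BURST_THRESHOLD:
                    alerts.append(Alert("unknown", f"{BURST_THRESHOLD} renames to unexpected extensions", path))
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    "2025-06-28T10:00:01 RENAME C:\\Users\\alice\\Documents\\q2.docx.CyberVolk",
    "2025-06-28T10:00:02 CREATE C:\\Users\\alice\\Documents\\READMENOW.txt",
    "2025-06-28T10:05:00 RENAME C:\\Shares\\finance\\report.xlsx.RALord",
    "2025-06-28T10:07:00 RENAME D:\\data\\archive.pdf.bak",
    "2025-06-28T10:09:00 RENAME D:\\data\\f1.docx.k9x2",
    "2025-06-28T10:09:01 RENAME D:\\data\\f2.xlsx.q7pa",
    "2025-06-28T10:09:02 RENAME D:\\data\\f3.pdf.m3zz",
    "2025-06-28T10:09:03 RENAME D:\\data\\f4.jpg.b8ty",
    "2025-06-28T10:09:04 RENAME D:\\data\\f5.png.w1qq",
]


def run_sample():
    """Triage the constructed events; returns four alerts."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.family}] {alert.reason}: {alert.path}")
```

The fixed-indicator matches are cheap and precise but only cover families already named; the rename-burst count is the part worth tuning against real baseline data, since backup and archiving jobs also rename files in bulk, and the threshold of five is deliberately low for a short sample.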

In another significant ransomware development, the Scattered Spider group is suspected of being behind major attacks on U.S. insurers. The group has apparently pivoted from retail attacks. 

Conclusion

The enduring resourcefulness of ransomware groups and their affiliates reminds security teams that they can’t rest, either. 

Developing cyber resilience is critical. Best practices include segmentation of critical assets, zero trust principles, immutable backups, hardened endpoints and infrastructure, a risk-based vulnerability management program, endpoint, network, and cloud monitoring, and a well-rehearsed incident response plan. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today. 

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue.

No Liability for Errors or Omissions: Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.


Source: https://cyble.com/blog/top-ransomware-groups-june-2025-qilin-top-spot/