- In 2025, a total of 134 ransomware incidents were reported in Japan, marking a 17.5% increase compared to 2024. Among these, 22 incidents were attributed to Qilin, representing 16.4% of the total.
- In 2025, Qilin ransomware was highly active. Looking ahead to 2026, unless there is significant external pressure or disruption, it is likely to further increase its impact. While there are some variations in tactics across affiliates, operations are expected to become more automated, with fewer trial-and-error steps and increasingly refined tradecraft.
- Evidence suggests that some Qilin affiliates may have ties to countries in the post-Soviet region, including the Baltic states.
- Rather than focusing on post-ransomware execution, this blog examines detection opportunities during the pre-ransomware phase.
Ransomware activity in Japan in 2025
In 2025, the number of ransomware incidents increased compared to 2024. Notably, it was a year in which attacks leveraging Qilin ransomware were observed most frequently. There were 134 ransomware incidents reported in Japan in 2025, representing a 17.5% year-over-year increase from 2024. Figure 1 presents the monthly number of ransomware incidents. The data was compiled based on information obtained from data leak sites, official disclosures by affected organizations, and publicly available media reports. On average, approximately 11 incidents were observed per month.

Industry-based analysis, as shown in Figure 2, indicates that manufacturing accounts for the largest share of affected organizations (28%). This is followed by automotive-related industries (8%), trading companies (7%), IT (6%), and education (5%). The data suggests that manufacturing and automotive-related sectors continue to be heavily targeted, consistent with last year.

Small- and medium-sized enterprises (based on capital) remained the primary targets of ransomware attacks at 57% of victim organizations, compared to 17% for large enterprises (see Figure 3).

Figure 4 highlights which ransomware groups targeted Japan in 2025. Qilin accounts for the largest share at 16.4% of all incidents, representing approximately four times the number of cases attributed to Lynx, the second most active group. While Qilin caused the highest number of incidents, the data also indicates that many other ransomware groups are actively targeting organizations in Japan.

Factors behind Qilin’s growing attack activity
In 2025, Qilin became the ransomware group responsible for the highest number of victims worldwide. In October alone, the number of victim organizations listed on its leak site exceeded approximately 200 (see Figure 5).

Below, Talos examines the reasons behind Qilin’s significant increase in attack volume from three key perspectives.
First, Qilin primarily relies on stolen credentials to gain initial access. In the example shown in Figure 6, credentials were obtained through Telegram, Breach Forums, and other online platforms. After successfully breaching a target environment, the group places considerable emphasis on post-compromise activities, allowing it to methodically expand its control and maximize impact.


Second, posts suggesting that the operators are mindful of penetration testers indicate a relatively high level of operational maturity. This awareness implies that Qilin likely maintains well-developed attack manuals that function as practical, step-by-step references for conducting intrusions efficiently.

Finally, 2025’s statistics show that Qilin most frequently targets industries such as manufacturing; professional, scientific, and technical services; wholesale trade; health care and social assistance; and construction. Among these, health care and social assistance stands out as a particular focus, suggesting that Qilin tends to prioritize sectors where ransomware-induced operational disruptions can cause especially severe consequences.

Qilin affiliate use of EDR killer malware
Talos recently discovered a Qilin affiliate leveraging malware specifically designed to disable EDR on victim endpoints. This tooling is intended to bypass endpoint security monitoring and enable attackers to operate with reduced visibility on compromised systems. A detailed technical analysis of this malware is available in the following article.
The final payload deployed by this malware is an EDR killer capable of disabling over 300 different EDR drivers across a wide range of commercial solutions.

The malware implements geo-fencing, specifically excluding systems configured for languages commonly used in post-Soviet countries. This check is performed at an early stage, and the malware terminates if a locale from the exclusion list is detected. This indicates that the threat actor is deliberately avoiding infections in this region, a tactic commonly used by threat actors based there to avoid drawing law enforcement action against their operations.


Threat detection during the pre‑ransomware phase
Based on Talos’ investigation of multiple Qilin cases, ransomware execution occurred on average approximately six days after the initial compromise. This highlights the critical need to detect attacker activity at the earliest possible stage and to disrupt their operations before ransomware deployment. However, to detect attacker activity at an early stage, it is also necessary to monitor the standard commands attackers commonly use. This approach carries the risk of generating many false positives and therefore requires careful consideration. To help reduce false positives, we recommend the following three approaches:
• Trigger alerts based on the correlation of multiple events.
• Determine whether an account is deviating from its expected role.
• Check whether the execution occurred outside of normal operating hours.
For example, attackers often create user accounts using commands such as the following, which makes it important to have a mechanism in place to verify whether these accounts are legitimate.
net user Attacker1 Password@123 /add
Figure 13 shows the detection points within the tactics, techniques, and procedures (TTPs) of the pre-ransomware stage of Qilin attacks. In this example, we define the pre-ransomware phase as the period prior to the execution of ransomware, covering the stages from Initial Access through the execution of SystemBC. For details on the attack chain from the initial intrusion to the execution of the Qilin ransomware, please refer to the following blog.

In this blog, we share a total of 12 Sigma rules, some of which are accompanied by correlation rules to help reduce false positives.
In the example shown in Figure 14, the rule is designed to detect the use of the net user command. However, if this rule is used on its own, it may also trigger alerts when the command is executed by legitimate administrators. The correlation rules are tuned based on analysis of log data. For the correlation rule associated with the net user command, an alert is generated only when the command is executed at least three times within a 15-minute time window (see Figure 15).
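The correlation logic described above, implemented over constructed process-creation events as an added example (this is not code from the original post and not Talos' published Sigma rules). The 15-minute window and the threshold of three come from the text; the host names, user names, business-hours range and the set of accounts whose role includes creating users are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample process-creation events: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2025-10-01T02:03:10", "WS01", "svc_backup", "net user Attacker1 Password@123 /add"),
    ("2025-10-01T02:04:40", "WS01", "svc_backup", "net user Attacker2 Password@123 /add"),
    ("2025-10-01T02:09:05", "WS01", "svc_backup", "net localgroup administrators Attacker1 /add"),
    ("2025-10-01T02:12:00", "WS01", "svc_backup", "net user Attacker3 Password@123 /add"),
    ("2025-10-01T10:15:00", "WS02", "itadmin", "net user newhire Welcome1 /add"),
    ("2025-10-01T14:40:00", "WS02", "itadmin", "net user contractor Welcome2 /add"),
]

# Base rule: local account creation via net.exe / net1.exe (password argument optional).
NET_USER_ADD = re.compile(r"^net1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.IGNORECASE)
WINDOW = timedelta(minutes=15)     # correlation window from the post
THRESHOLD = 3                      # minimum matches in the window from the post
ADMIN_ROLE_ACCOUNTS = {"itadmin"}  # assumption: accounts whose role includes user creation
BUSINESS_HOURS = range(8, 19)      # assumption: 08:00-18:59 counts as normal operating hours


def match_rule(cmdline):
    """True if the command line is a 'net user ... /add' account creation."""
    return bool(NET_USER_ADD.match(cmdline.strip()))


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of base-rule hits per host; alert when the count reaches
    the threshold, enriched with the role and working-hours signals for triage."""
    recent = defaultdict(deque)
    alerts = []
    for ts, host, user, cmd in sorted(events):
        if not match_rule(cmd):
            continue
        t = datetime.fromisoformat(ts)
        hits = recent[host]
        hits.append(t)
        while t - hits[0] > window:  # drop hits older than the window
            hits.popleft()
        if len(hits) < threshold:
            continue
        signals = []
        if user not in ADMIN_ROLE_ACCOUNTS:
            signals.append("account outside expected role")
        if t.hour not in BUSINESS_HOURS:
            signals.append("outside business hours")
        alerts.append({"host": host, "user": user, "time": ts,
                       "count": len(hits), "signals": signals})
    return alerts
```

With the sample data only WS01 fires: three creations in under nine minutes by a non-admin account at 02:12, while the two daytime creations on WS02 by itadmin are hours apart and stay below the threshold.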


The Sigma and YARA rules are published here. Please adjust them according to your organization’s environment.
For more information on the defensive approaches discussed in this blog and Qilin's detailed TTPs, please refer to the related materials.
Coverage
The following ClamAV signatures detect and block this threat:
Win.Malware.Bumblebee-10056548-0
Win.Tool.EdrKiller-10059833-0
Win.Tool.ThrottleStop-10059849-0
The following SNORT® rules (SIDs) detect and block this threat:
Covering Snort 2 SID(s): 66181, 66180
Covering Snort 3 SID(s): 301456
Indicators of compromise (IOCs)
The IOCs can also be found in our GitHub repository here.