Ransomware Group Qilin Provides Legal Support to Affiliates


The first half of 2025 has witnessed the decline and fall of multiple previously dominant ransomware groups such as LockBit, RansomHub, Everest, and BlackLock. This decline can be attributed to the impact of law enforcement operations, data leaks, and security breaches.

Amid this disruption, the ransomware landscape has become increasingly fragmented, with no dominant market leader. One group, however, is emerging with a significant presence: Qilin.

Active since October 2022, Qilin has been building a solid reputation through high-impact cyberattacks across various industries, as reported by Cybereason. This ransomware-as-a-service (RaaS) organization ranks as the third most active ransomware syndicate in 2025, with 291 claimed victims identified by ransomware tracking services, following only Akira (348) and Cl0p (404).

Qilin activity based on claims on its data leak site. Source: Ransomware.live

Research indicates that Qilin differentiates itself not only through its activity but also by offering a set of advanced features to its affiliates. These features span operational functionality and more innovative services, such as a “Call Lawyer” function aimed at increasing pressure during ransom negotiations.

Qilin’s RaaS Operational Features

The Qilin group operates a technically sophisticated infrastructure, utilizing custom-built malware written in Rust and C, which allows for cross-platform attacks targeting Windows, Linux, and ESXi systems. Qilin provides its ransomware tools and infrastructure to affiliates, retaining a 15–20% share of ransom payments. Importantly, the group has instructed affiliates to avoid targeting systems in Commonwealth of Independent States (CIS) countries, including Russia and Belarus.

The RaaS program comprises several operational features, including:

– An affiliate panel offering Safe Mode execution
– Loaders equipped with advanced evasion capabilities
– Robust encryption algorithms (ChaCha20, AES, and RSA-4096)
– Four operational modes for the encryption software: normal, step-skip, fast, and percent
– Machine reboot, file filtering, and service termination functions
– Network spreading capabilities
– Log cleanup
– Automated negotiation tools

In March 2023, Group-IB researchers exposed the Qilin administrative panel. Source: Group-IB via Cybereason

Qilin’s Cybercrime-Enabling Features

In addition to operational capabilities, Qilin provides various cybercrime-enabling features that are unprecedented for a RaaS group. These offerings include:

– 24/7 phone call/SMS spam service
– DDoS capabilities
– PB-scale data storage
– Comprehensive support for negotiations
– Legal assistance aimed at intimidating victims during negotiations

Qilin has actively promoted the legal assistance feature, which was recently added to its RaaS program. A note posted on the group’s dark web forum elaborated on this feature, stating:

“If you need legal consultation regarding your target, simply click the ‘Call lawyer’ button within the target interface, and our legal team will contact you privately to provide qualified legal support. The mere presence of a lawyer in the chat can exert indirect pressure on the company and increase the ransom amount, as companies prefer to avoid legal proceedings.”

The advantages of collaboration with the Qilin legal department are outlined as follows:

– Legal assessment of the data involved
– Classification of infractions in accordance with applicable laws in different jurisdictions
– Legal evaluation of potential damages, including lawsuits, legal costs, and reputational risks
– Facilitation of direct negotiations between the victim company and the legal professional
– Strategic advice on inflicting maximum financial damage should the company refuse compliance, along with guidance to mitigate future incidents

Cybereason’s researchers note that Qilin has developed these features to position itself as a full-service cybercrime platform. As older operations collapse under pressure, betrayal, or reorganization, Qilin has taken the opportunity to fill the void while redefining the RaaS model for future affiliates.