The Attack
Qilin ransomware claimed responsibility for an attack against ASB Saarland — the Saarland regional chapter of the Arbeiter-Samariter-Bund, a major German humanitarian organisation providing social and welfare services including ambulance services, elderly care, childcare, and emergency relief. The group alleges theft of approximately 72 GB of data containing:
- Current and former employee records including employment history and personal details
- Applicant data for open and historical recruitment processes
- Client data for the social and welfare services provided by the organisation
- Health-related information from care service recipients
If confirmed, the stolen data would represent a significant personal data breach affecting vulnerable individuals in Saarland — including elderly care recipients, children in childcare programmes, and emergency services clients — with material GDPR notification obligations for ASB Saarland.
Qilin’s March 2026 Surge
The ASB Saarland attack is one of 131 victims Qilin claimed in March 2026, the group’s highest total for a single month and the third consecutive month in which it claimed more than 100 victims. This sustained operational tempo reflects several developments:
BYOVD evasion capability: Qilin’s “Warlock” tooling uses Bring Your Own Vulnerable Driver (BYOVD) techniques, loading known-vulnerable legitimate drivers and abusing them to terminate endpoint detection and response (EDR) agents before the ransomware is deployed. The technique has been observed disabling over 300 named security tools.
Affiliate recruitment: Qilin operates as a ransomware-as-a-service platform with an expanding affiliate network. The volume surge reflects both technical capability and operator scale-up.
European and healthcare targeting: The group has maintained a consistent pattern of targeting European organisations, particularly in healthcare, social services, and critical infrastructure — sectors where service disruption creates maximum pressure to pay.
Why Humanitarian Organisations Are Targeted
Organisations like ASB Saarland are attractive ransomware targets for several reasons that practitioners should understand when advising similar entities:
Data sensitivity creates pressure: Social services organisations hold highly sensitive personal data — health records, vulnerability assessments, financial information for benefits recipients — creating strong pressure to resolve incidents quietly to protect client confidentiality.
Limited security resources: Charitable and humanitarian organisations typically operate with constrained IT budgets and limited security staff, creating gaps in detection capability that ransomware groups actively exploit.
Service continuity obligations: Emergency and welfare services cannot tolerate extended downtime — the operational pressure to restore systems is intense and may drive ransom payment decisions even when the exposure of stolen data, rather than system recovery, is the primary concern.
Regulatory exposure: Under GDPR, breaches affecting vulnerable individuals’ data (health data, care records) require supervisory authority notification within 72 hours and potentially individual notifications — adding regulatory pressure on top of the attack itself.
Recommended Actions
- Organisations in social services, healthcare, and humanitarian sectors should prioritise an endpoint protection review: verify that EDR solutions are current, and test them against BYOVD evasion, drawing on vendor guidance on driver block policies
- Apply Microsoft’s Vulnerable Driver Blocklist or equivalent for your endpoint platform — this restricts loading of known-vulnerable drivers used in BYOVD attacks
- Review backup integrity and isolation: ensure backups are offline or air-gapped and cannot be reached from corporate networks during a ransomware deployment
- Conduct a tabletop exercise for ransomware response — focus specifically on the GDPR notification clock (72 hours from discovery) and the operational continuity decisions that must be made during an active incident
- Verify GDPR notification procedures: know your Data Protection Officer’s contact information and your supervisory authority’s emergency notification process — the 72-hour window starts from the point of discovery
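One way to check whether a driver inventory would be covered by a blocklist of the kind recommended above is to parse the block rules and match each loaded driver against them; the script below is an added example, not code from the advisory or from Microsoft. The policy fragment and the inventory are constructed samples in the SiPolicy layout Microsoft uses for its driver block rules (no real hashes or driver names), and the version-comparison semantics (a deny-context FileAttrib's MinimumFileVersion blocks that version and everything below it) follow my reading of the WDAC documentation and should be checked against it.

```python
"""Audit a driver inventory against a WDAC-style vulnerable-driver block policy.

Both the policy fragment and the inventory below are constructed samples;
the hashes are placeholders, not real indicators.
"""
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
H1 = "00" * 31 + "01"  # constructed SHA-256 placeholder

# Constructed fragment in the SiPolicy layout used by the driver block rules.
POLICY_XML = f"""<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Deny ID="ID_DENY_1" FriendlyName="sample1.sys Hash Sha256" Hash="{H1}"/>
    <FileAttrib ID="ID_FILEATTRIB_1" FriendlyName="sample2.sys"
                FileName="sample2.sys" MinimumFileVersion="2.0.0.0"/>
  </FileRules>
</SiPolicy>"""

# Constructed inventory: (file name, file version, sha256 hex).
INVENTORY = [
    ("sample1.sys", "1.0.0.0", H1),             # matches a hash deny rule
    ("sample2.sys", "1.9.5.0", "ab" * 32),      # name listed, version at/below cutoff
    ("sample2.sys", "2.1.0.0", "cd" * 32),      # name listed, but newer than cutoff
    ("benign.sys", "3.0.0.0", "ef" * 32),       # not listed at all
]

def _ver(text):
    """Turn 'a.b.c.d' into a comparable tuple of ints."""
    return tuple(int(p) for p in text.split("."))

def load_rules(xml_text):
    """Return (set of denied sha256 hashes, dict of file name -> max denied version)."""
    root = ET.fromstring(xml_text)
    hashes = {d.get("Hash").lower() for d in root.iterfind(".//si:FileRules/si:Deny", NS)
              if d.get("Hash")}
    names = {}
    for attrib in root.iterfind(".//si:FileRules/si:FileAttrib", NS):
        name, minver = attrib.get("FileName"), attrib.get("MinimumFileVersion")
        if name and minver:
            # Assumption: in a deny context MinimumFileVersion means "this version
            # and everything below is blocked" (65535.65535.65535.65535 => all).
            names[name.lower()] = _ver(minver)
    return hashes, names

def audit(inventory, xml_text):
    """Return (name, version, reason) for every inventory entry the policy would block."""
    hashes, names = load_rules(xml_text)
    findings = []
    for name, version, sha256 in inventory:
        if sha256.lower() in hashes:
            findings.append((name, version, "hash"))
        elif name.lower() in names and _ver(version) <= names[name.lower()]:
            findings.append((name, version, "name+version"))
    return findings
```

Drivers that appear in the findings are ones the blocklist would refuse to load; a driver that is loaded on a host yet appears here is a sign the blocklist is not being enforced on that host.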