The Numbers
March 2026 saw Qilin ransomware post 131 confirmed victims to its data leak site — the group’s highest monthly total and the third consecutive month above 100. Ransomware tracking services have not previously recorded any single group sustaining this cadence over a 90-day period. Overall March 2026 ransomware activity reached 808 confirmed victims across 65 active groups, with the US accounting for 404 of those — a 50% share that has remained stubbornly consistent despite years of law enforcement action.
Qilin is now estimated to have claimed approximately 1,800 total victims since its emergence as a ransomware-as-a-service (RaaS) operation in late 2022.
Who Is Being Hit
Healthcare is now Qilin’s second most targeted vertical, behind only manufacturing, with 134 cumulative victims. The sector’s combination of high urgency to restore operations, sensitive patient data that increases ransom pressure, and historically underfunded security programmes makes it disproportionately attractive to ransomware operators. March saw multiple hospital systems and healthcare networks impacted across North America and Western Europe.
Manufacturing remains the top target overall with 198 cumulative victims. Production line disruption creates immediate and quantifiable revenue impact, shortening decision timelines for ransom payment. Just-in-time supply chain dependencies mean the blast radius of a single manufacturing firm’s compromise can extend to dozens of downstream customers.
Professional services (law firms, accountancy practices, consultancies) recorded 103 cumulative victims — a figure that likely understates the actual impact, as professional services firms are highly incentivised to avoid public disclosure of incidents involving client data.
How Qilin Gets In
Qilin’s initial access methodology is predominantly credential-based. The group relies heavily on:
- Stolen VPN credentials purchased from initial access brokers or obtained via credential-stuffing attacks against internet-facing remote access infrastructure
- Phishing campaigns targeting employee credentials for cloud portals, particularly Microsoft 365 and corporate VPN gateways
- Exploitation of unpatched vulnerabilities in perimeter devices — Citrix, Fortinet, and Ivanti products have all appeared in Qilin incident reports
Once inside, Qilin operators are methodical. Typically 10 to 21 days elapse between initial access and ransom deployment — time spent establishing persistence, escalating privileges, harvesting credentials, exfiltrating data to attacker-controlled infrastructure, and identifying backup systems for destruction.
The BYOVD Escalation
Newly documented in early 2026, Qilin has incorporated the “bring your own vulnerable driver” (BYOVD) technique into its arsenal. Attackers deploy a malicious DLL that installs a legitimate but outdated and vulnerable kernel driver, which is then used to terminate security software processes at the kernel level. The technique can disable more than 300 EDR solutions from virtually every security vendor.
This capability directly undermines one of the primary defences against ransomware lateral movement and pre-deployment activity. Organisations that believe endpoint detection and response tools provide reliable protection against Qilin should review whether their EDR vendor’s driver is on the targeted list.
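As an added illustration (not from the original report), the correlation a defender can run over Sysmon driver-load (Event ID 6) and process-termination (Event ID 5) records to catch this pattern: a driver whose hash is on a vulnerable-driver blocklist, or a driver loaded from an unusual path followed shortly by the endpoint agent's processes terminating. The event records, hashes, blocklist contents and agent process names below are all constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed Sysmon records (Event ID 6 = driver loaded, 5 = process terminated); paths and hashes are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-03-14 02:11:05.101",
     "ImageLoaded": r"C:\Windows\System32\drivers\example_benign.sys",
     "Hashes": "SHA1=PLACEHOLDER,SHA256=BENIGN_HASH_PLACEHOLDER"},
    {"EventID": 6, "UtcTime": "2026-03-14 02:14:40.330",
     "ImageLoaded": r"C:\Users\Public\drv\oldtool.sys",
     "Hashes": "SHA1=PLACEHOLDER,SHA256=BLOCKLISTED_HASH_PLACEHOLDER"},
    {"EventID": 5, "UtcTime": "2026-03-14 02:15:02.004", "Image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
    {"EventID": 5, "UtcTime": "2026-03-14 02:15:02.510", "Image": r"C:\Program Files\ExampleEDR\edr_sensor.exe"},
]

# Hypothetical SHA-256 blocklist; in production feed it from a maintained source (e.g. Microsoft's driver blocklist).
VULN_DRIVER_HASHES = {"BLOCKLISTED_HASH_PLACEHOLDER"}
# Assumed image names of the endpoint agent processes; their termination is the signal we correlate.
PROTECTED_PROCESSES = {"edr_agent.exe", "edr_sensor.exe"}
STANDARD_DRIVER_DIR = r"c:\windows\system32\drivers"

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def sha256_of(hashes_field):
    """Sysmon's Hashes field is 'ALGO=value,ALGO=value,...'; return the SHA256 value or None."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip()
    return None

def detect_byovd(events, window=timedelta(minutes=10)):
    """High: blocklisted driver hash. Medium: driver loaded from a non-standard path followed within
    `window` by termination of a protected process. Returns a list of alert dicts."""
    events = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 6:
            continue
        t0 = parse_time(ev["UtcTime"])
        # Protected processes that died within the window after this driver was loaded.
        names = {e["Image"].rsplit("\\", 1)[-1].lower() for e in events[i + 1:]
                 if e["EventID"] == 5 and parse_time(e["UtcTime"]) - t0 <= window}
        killed = sorted(names & PROTECTED_PROCESSES)
        blocklisted = sha256_of(ev["Hashes"]) in VULN_DRIVER_HASHES
        odd_path = not ev["ImageLoaded"].lower().startswith(STANDARD_DRIVER_DIR)
        if blocklisted or (odd_path and killed):
            alerts.append({"driver": ev["ImageLoaded"], "severity": "high" if blocklisted else "medium",
                           "terminated_after_load": killed})
    return alerts
```

The benign driver in the sample is followed by the same terminations but is neither blocklisted nor oddly located, so it is not flagged; a hash match alone fires regardless of what happens afterwards.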
Handala Also Surging
March also saw Handala ransomware claim 23 victims — the most active month in the group’s recorded history, and accounting for more than half of Handala’s total 2026 victim count to date. Handala’s focus is predominantly Israeli organisations and is believed to be politically motivated rather than financially driven, with destructive intent (wiper functionality alongside ransomware) documented in several incidents.
Recommended Actions
- Audit remote access credentials. VPN and remote desktop accounts with weak or reused passwords remain the primary Qilin entry point. Enforce MFA on all remote access, rotate credentials that have not been changed in more than 90 days, and disable accounts for departed employees.
- Patch internet-facing devices immediately. Qilin actively exploits known vulnerabilities in Citrix, Fortinet, Ivanti, and similar perimeter products. Cross-reference all internet-exposed appliances against the current CISA KEV catalogue.
- Test backup integrity and isolation. Qilin specifically targets and destroys backup infrastructure. Verify that backups are stored in a network segment that cannot be reached from production systems, and test restoration procedures.
- Review EDR driver versions. The BYOVD technique used by Qilin targets specific known-vulnerable drivers. Consult your EDR vendor on whether your deployment is susceptible and ensure driver versions are current.
- Conduct tabletop exercises for ransomware scenarios. The 10–21 day dwell time before encryption gives defenders a window — but only if monitoring is in place to detect the preparatory activity. Simulate the attack path from initial credential use through to lateral movement detection.
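Added example, not part of the original brief: cross-referencing an inventory of internet-exposed appliances against the CISA KEV feed as the second action above recommends, prioritising entries the catalogue marks as used in ransomware campaigns and already past their remediation due date. The feed excerpt, the inventory and the CVE identifiers are constructed placeholders shaped like the real JSON feed.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (real feed:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); CVE IDs are placeholders.
KEV_FEED_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-XXXX-0001", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
  "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-XXXX-0002", "vendorProject": "Fortinet", "product": "FortiOS",
  "dueDate": "2026-04-10", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-XXXX-0003", "vendorProject": "Ivanti", "product": "Connect Secure",
  "dueDate": "2026-02-05", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-XXXX-0004", "vendorProject": "Ivanti", "product": "Endpoint Manager",
  "dueDate": "2026-02-05", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed inventory of internet-exposed appliances; patched_cves lists fixes already applied.
INVENTORY = [
    {"host": "vpn-gw-1", "vendor": "Citrix", "product": "NetScaler ADC", "patched_cves": []},
    {"host": "fw-edge-2", "vendor": "Fortinet", "product": "FortiOS", "patched_cves": ["CVE-XXXX-0002"]},
    {"host": "ics-dmz-1", "vendor": "Ivanti", "product": "Connect Secure", "patched_cves": []},
]

def _tokens(s):
    return set(s.lower().replace("-", " ").split())

def kev_exposure(inventory, feed_json, as_of_iso):
    """Return (host, cveID, ransomware_known, overdue) for each unpatched KEV entry whose vendor matches
    an appliance and whose product name contains every token of the appliance's product (heuristic)."""
    as_of = date.fromisoformat(as_of_iso)
    entries = json.loads(feed_json)["vulnerabilities"]
    findings = []
    for asset in inventory:
        for e in entries:
            if e["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if not _tokens(asset["product"]) <= _tokens(e["product"]):
                continue
            if e["cveID"] in asset["patched_cves"]:
                continue
            overdue = date.fromisoformat(e["dueDate"]) < as_of
            findings.append((asset["host"], e["cveID"], e["knownRansomwareCampaignUse"] == "Known", overdue))
    # Ransomware-linked entries first, then overdue ones, then by host name.
    findings.sort(key=lambda f: (not f[2], not f[3], f[0]))
    return findings

if __name__ == "__main__":
    for host, cve, ransom, overdue in kev_exposure(INVENTORY, KEV_FEED_JSON, "2026-03-31"):
        print(f"{host}: {cve}  ransomware_use={'Known' if ransom else 'Unknown'}  overdue={overdue}")
```

The product match is deliberately loose because KEV product names rarely equal the strings in an asset register; treat the output as a review queue rather than a verdict.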