Qilin ransomware recorded 131 confirmed victims in March 2026, making it the most active ransomware group tracked globally for the month. That number — 131 named victims on a public leak site, representing a fraction of total victims who paid without being named — does not describe a hacking group. It describes a production operation running at industrial scale.
The security industry has understood for several years that ransomware is a business. Ransomware-as-a-Service platforms have affiliate programmes with revenue sharing, onboarding documentation, technical support, and dispute resolution. Sophisticated groups have dedicated negotiation teams that operate on business hours, research victim financials before setting ransom demands, and provide decryption tools that actually work because a reputation for functional decryption is a competitive advantage in the criminal market. The business model is mature and highly profitable.
What has not kept pace is the enterprise response posture to a threat that is no longer best described as “cybercrime.”
The Strategic Mismatch
Most enterprise incident response plans were designed for a threat model in which an attacker breaches a perimeter, establishes persistence, and pursues a specific objective — data exfiltration, fraud, espionage. The response is detection, containment, eradication, recovery. The playbook is written for an adversary trying to remain hidden.
Ransomware operators are not trying to remain hidden. Their business model depends on being discovered. They need the victim to know they have been compromised, to understand that their data is encrypted and exfiltrated, and to believe that paying the ransom is the fastest path to recovery. The entire attack is oriented toward a negotiation outcome, not toward sustained covert access.
This changes what effective defence looks like in ways that many organisations have not fully internalised. The question is not just “how do we detect and eject the attacker?” — it is “how do we make ourselves an unattractive or unprofitable target, and how do we recover without paying if we are hit?”
The Affiliate Model and What It Means for Targeting
Qilin, like most mature ransomware groups, operates on an affiliate model. The core group develops and maintains the ransomware platform, manages infrastructure, and handles negotiation and payment processing. Affiliates — independent operators who have passed some form of vetting — conduct intrusions and deploy the payload in exchange for a percentage of ransom payments.
This structure has two significant implications for enterprise defenders.
First, the tactics, techniques, and procedures of individual Qilin attacks vary because they are carried out by different affiliates with different capabilities and preferred methods. Attribution to a ransomware brand does not predict how the attack will be executed in your environment. An affiliate with a preference for RDP brute-forcing will look different on the wire from one that specialises in phishing or VPN credential theft. Threat intelligence that focuses exclusively on the ransomware payload and negotiation style misses the initial access diversity that makes the group as a whole difficult to defend against with a single control.
Second, affiliate models mean that the group’s scale is not limited by its core team. Qilin can conduct 131 attacks in a month because it has dozens of affiliates operating simultaneously. The bottleneck is affiliates’ ability to gain initial access, not the group’s internal capacity. Initial access brokers — a separate criminal ecosystem that sells compromised credentials and established footholds to ransomware affiliates — further accelerate this model. An organisation’s exposed RDP server or stolen VPN credentials may be purchased by an affiliate months after the initial compromise, making the connection between initial exposure and ransomware deployment difficult to trace.
What the Industrialisation Requires in Response
If ransomware is an industrial-scale threat, the appropriate response is systematic rather than reactive.
Resilience over detection alone. Organisations that can recover from a ransomware incident without paying — because they have immutable, tested, offline backups and practised recovery procedures — fundamentally change the economics of being targeted. Ransomware operators profile their victims before deploying. Indicators that recovery will be rapid and payment unlikely make a target less attractive. Detection matters, but resilience is the outcome that changes attacker calculus.
External attack surface reduction. The most common ransomware initial access vectors remain consistent: exposed RDP, VPN credentials obtained through phishing or credential stuffing, and exploitation of internet-facing applications. These are not novel. An honest external attack surface assessment — conducted from the attacker’s perspective, not the network administrator’s — identifies the footholds that affiliates will find before affiliates find them.
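As an added illustration (not part of the original article) of one of the initial access vectors named above, the check below flags an RDP brute-force or credential-stuffing burst from a single source that is followed by a successful logon. The events, IP addresses and account names are constructed sample data in the shape of Windows Security events, not real telemetry.

```python
# Added example: detect RDP brute-force / credential-stuffing bursts in
# Windows Security events. Constructed sample data only.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account)
# 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = [
    ("2026-03-03T02:14:01", 4625, 10, "198.51.100.7", "administrator"),
    ("2026-03-03T02:14:03", 4625, 10, "198.51.100.7", "admin"),
    ("2026-03-03T02:14:05", 4625, 10, "198.51.100.7", "backup"),
    ("2026-03-03T02:14:08", 4625, 10, "198.51.100.7", "svc_sql"),
    ("2026-03-03T02:14:10", 4625, 10, "198.51.100.7", "jsmith"),
    ("2026-03-03T02:14:20", 4624, 10, "198.51.100.7", "jsmith"),
    ("2026-03-03T09:00:00", 4625, 10, "203.0.113.9", "mlee"),
    ("2026-03-03T09:00:30", 4624, 10, "203.0.113.9", "mlee"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for sources with >= threshold failed RDP
    logons inside a sliding window. Each alert records whether the burst
    was followed by a successful logon (a likely foothold)."""
    events = sorted(events, key=lambda e: e[0])
    failures = defaultdict(list)  # source_ip -> timestamps of recent 4625s
    alerts = {}
    for ts_str, event_id, logon_type, src, account in events:
        if logon_type != 10:
            continue  # only RDP (RemoteInteractive) logons are in scope here
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            # drop failures that fell out of the window, then add this one
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold:
                alert = alerts.setdefault(src, {
                    "first_seen": failures[src][0].isoformat(),
                    "success_after_burst": None})
                alert["failures"] = max(alert.get("failures", 0), len(failures[src]))
        elif event_id == 4624 and src in alerts \
                and alerts[src]["success_after_burst"] is None:
            # first success from an already-flagged source: probable foothold
            alerts[src]["success_after_burst"] = account
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, alert)
```

A burst that ends in a success is the event worth escalating: it is the kind of foothold an affiliate or an initial access broker would later monetise.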
Tabletop exercises that reflect reality. Most ransomware tabletop exercises are organised around the question “what do we do when we discover ransomware running on our endpoints?” The more useful questions are: What do we do when we discover that data was exfiltrated three weeks ago? What is our response when the ransomware group threatens to release sensitive data publicly? What is the decision framework for whether to engage in negotiation? These are the decisions that will need to be made in a real incident, and they are the ones that most tabletop exercises do not reach.
Supplier and third-party exposure. Qilin’s 131 victims include organisations across sectors. Many ransomware victims are compromised through a supplier, a managed service provider, or a software vendor rather than directly. Understanding which third parties have access to your environment — and what their security posture is — is no longer optional for organisations that take ransomware seriously as a business risk.
The Uncomfortable Calculation
Qilin’s March numbers will be followed by April’s numbers, and May’s. The group will continue to operate, recruit affiliates, and refine its approach until the economics change or law enforcement successfully disrupts its infrastructure. Both outcomes are possible but neither is certain or imminent.
In the interim, organisations that have not reviewed their ransomware resilience posture in the past twelve months are operating against a threat model that is at least a generation behind the current threat. That gap is worth closing now.