Qilin Tops Ransomware Charts With 74 Attacks in April

The Qilin ransomware group emerged as the most active cybercriminal collective in April 2025, launching 74 attacks globally, according to a new threat intelligence report. The group’s rise follows the abrupt decline of RansomHub, which had led activity earlier in the year but posted only three attacks last month before its leak site went offline.

Qilin’s operations spanned North America, Europe and Asia-Pacific, with a focus on high-value sectors such as software, manufacturing and critical infrastructure. Researchers observed a consistent pattern of data exfiltration preceding file encryption, a refined “double extortion” tactic. In April, Qilin claimed to have stolen more than 2TB of data from major firms in France and South Korea.

Despite a decline in total ransomware attacks to 450 in April from 564 in March, analysts attribute the drop to affiliate transitions rather than reduced threat levels. Qilin’s rise underscores ongoing volatility and sophistication in the ransomware-as-a-service ecosystem.