Just four days into May 2025, the Russian ransomware group Qilin has already added two more victims to its leak site. Qilin operates under a Ransomware-as-a-Service (RaaS) model and runs a well-organized, technically sophisticated operation. Its usual tactic is double extortion: exfiltrate sensitive data first, then encrypt systems, and threaten to leak the stolen data if the ransom is not paid.


Large Suburban County Attacked

Qilin added Cobb County, Georgia to its dark web leak site. The county, in the Atlanta metropolitan area, has more than three quarters of a million residents. Qilin claims to hold 150 GB of sensitive data, including autopsy photos, Social Security numbers, driver's licenses and other personal records, and is threatening to release it unless a ransom is paid. A link to Qilin has not been directly confirmed, but the county's IT department detected suspicious activity on its servers on March 28 and shut many of them down for a week. On April 25, the county notified 10 people that their data may have been compromised. Qilin, however, claims to hold more than 400,000 files and has posted 16 images of files as proof of possession.


The Army Navy Country Club

The Army Navy Country Club is a private, member-owned country club in Virginia whose membership includes active-duty and retired commissioned officers. The breach was discovered on May 2, 2025, and all signs point to Qilin. The group reportedly exfiltrated around 300 GB of data, and the stolen information likely includes names, home addresses, credit card numbers, login credentials and other sensitive personal records. No information about a ransom has been released.


Other Attacks in May

In addition to these two U.S. victims, Qilin added Megachem Singapore, a chemical distribution company, and a French IT services firm, HCI Informatique d’entreprise, to its leak site on May 2, 2025.


Qilin Attack Methodologies

Qilin uses multiple methods in its attacks, including social engineering, credential theft and evasion techniques to bypass defenses. These include:

  • Malicious emails with weaponized attachments disguised as invoices or shipping notices
  • Using credentials purchased on dark web markets or obtained by brute-forcing exposed services such as VPN and RDP
  • Exploiting unpatched flaws in public-facing applications
  • Deploying malicious tools via Group Policy Objects (GPOs) to harvest saved browser credentials


Prevention

To counter multi-stage attacks by groups such as Qilin, organizations should adopt a layered defense strategy that includes measures such as the following:

  • Have a third-party cybersecurity firm conduct a risk assessment to identify vulnerabilities and evaluate existing controls
  • Enable and enforce MFA on all remote access points and critical systems so that stolen credentials alone do not grant access
  • Disable unnecessary ports and enforce strict access controls on public-facing applications
  • Deploy phishing detection tools that block malicious attachments and links, a common initial access technique for many threat actors
  • Conduct data classification and mapping exercises to identify sensitive data throughout the enterprise and prioritize its protection
  • Use Endpoint Detection and Response (EDR) tools to spot tools like Mimikatz, which Qilin and other threat actors often use for credential theft and privilege escalation

