Qilin Ransomware Adds “Call Lawyer” Feature to Pressure Victims for Ransoms
The cybercriminal syndicate Qilin, known for its Ransomware-as-a-Service (RaaS) operations, has introduced a new tactic aimed at intensifying pressure on victims: its affiliates can now request legal assistance directly through the group’s internal control panel. This feature, aptly titled “Call Lawyer,” marks a significant upgrade to the platform, whose influence has surged following the decline of major competitors such as LockBit, BlackCat, Everest, BlackLock, and RansomHub.
The update was disclosed by the Israeli cybersecurity firm Cybereason, which reported that legal consultation is now available upon request within the victim portal. The presence of a “lawyer” in negotiations is believed to exert additional psychological pressure on companies, nudging them toward paying higher ransoms to avoid potential legal entanglements.
According to intelligence gathered from darknet forums, Qilin ranked first in April 2025 with 72 successful attacks. Although its activity slightly waned in May with 55 incidents, the group remains among the top three most prolific threat actors of the year, trailing only Cl0p and Akira, and has been implicated in attacks on 304 organizations to date.
Analysts at Qualys attribute Qilin’s ascent to its mature infrastructure, robust affiliate support, aggressive marketing, and technically sophisticated toolkit, which collectively enable it to pursue high-profile targets and demand substantial ransoms. Notably, some former members of the now-defunct RansomHub collective are believed to have joined Qilin, further fueling its operational momentum.
Qilin’s technical arsenal includes ransomware strains developed in Rust and C, stealthy loaders capable of bypassing security systems, network propagation tools, log erasers, and even embedded modules for automating negotiation processes. In addition to malware, its affiliates have access to vast data storage (measured in petabytes), DDoS capabilities, spam delivery services, and mass messaging functions targeting corporate emails and phone numbers—transforming Qilin into a comprehensive cybercrime-as-a-service platform.
Alongside legal support, the affiliate interface now also offers access to a dedicated team of journalists and expanded options for launching DDoS campaigns, underscoring Qilin’s ambition to evolve into a full-spectrum threat ecosystem far beyond conventional extortion.
Meanwhile, cybersecurity firm Intrinsec reported that a member of rival group Rhysida has begun deploying Eye Pyramid C2, an open-source command-and-control utility used to maintain access to compromised systems and deploy additional payloads. This same tool had previously been leveraged by RansomHub operatives in the final quarter of 2024.
These developments illustrate a sobering evolution: cybercrime is shedding its chaotic and opportunistic nature, transforming instead into a structured enterprise—where encryption, intimidation, and legal theatrics are bundled into one calculated service offering.