Ransomware Wars: Qilin Reigns, But New Threats are Rising
Qilin continues to dominate the ransomware landscape, outpacing all rival groups in the sheer number of documented incidents. According to a recent report from Cyble, the gang struck 104 organizations in August alone, while its closest competitor, Akira, claimed just 56 victims. Yet, new contenders are emerging, whose rapid escalation could soon disrupt the balance of power in the ransomware ecosystem.
The total number of recorded attacks in August reached 467, marking the fourth consecutive month of growth in such incidents. February’s peak remains unsurpassed, but what alarms researchers most is the rising trend of software supply chain attacks—intrusions whose consequences can cascade across entire industries.
Following the sharp decline in RansomHub’s activity in early April, Qilin has consolidated its dominance, claiming 398 victims since then—roughly 70% more than Akira over the same period. Cyble analysts note that Qilin successfully absorbed many of RansomHub’s former affiliates and infrastructure partners by offering attractive terms and opportunities. As a result, Qilin has accounted for 18% of all ransomware attacks between April and August, compared to Akira’s 10.7% share.
The true sensation of recent months, however, has been the meteoric rise of Sinobi, a group that surfaced just two months ago and has already secured third place in attack volume. Of its 41 declared victims, the overwhelming majority are U.S.-based. Cyble researchers highlight striking similarities between Sinobi’s infrastructure and leaked data from other prominent collectives such as Lynx and INC Ransom. Yet, all three appear to continue operating independently—an indication of collaboration rather than rebranding.
It is worth noting that since 24 August, Sinobi has reported only one new incident. This may suggest either a tactical shift or the onset of an organizational ceiling, as rapid rises often collapse just as quickly.
Equally notable is the emergence of another newcomer, The Gentlemen, which has claimed responsibility for more than 30 attacks since early September. If this pace continues, its market share could rival that of today’s leading actors by the end of the month.
Adding further tension is the renewed activity of LockBit, once the largest ransomware group in operation. The release of LockBit 5.0 signals its bid to reclaim lost dominance. Whether this campaign succeeds will become clear only after September, but competition between established veterans and ambitious newcomers is already intensifying.
In conclusion, Cyble stresses that the constant evolution of ransomware groups and the rapid modification of their tools remain the foremost threat to corporate infrastructures worldwide. The fallout of such attacks extends far beyond financial loss—impacting critical infrastructure, supply chains, business operations, and organizational models.
Maintaining maximum readiness and continuous monitoring remain the only effective defenses in an increasingly aggressive and volatile cybercriminal landscape.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
