Qilin
Ransomware-as-a-service group active in UK professional services sector; tracked in April 2026 leak-site posting data.
Last refreshed: 7 June 2026 · Appears in 1 active topic
Why does Qilin keep targeting healthcare and what made it the busiest ransomware crew in May 2026?
Timeline for Qilin
Claimed 11 victims to lead all ransomware crews in May 2026
Cybersecurity: Threats and Defences: Ransomware tempo holds at 95 in May- What is the Qilin ransomware group?
- Qilin is a ransomware-as-a-service operation in which a core developer team leases ransomware tooling to independent affiliates, who conduct attacks and split ransom proceeds with the developers. It has been active since 2023 and targets healthcare, manufacturing and professional services globally, using double-extortion tactics that combine file encryption with threatened data publication.Source: BlackFog / cybersecurity reporting
- What did Qilin attack in the UK?
- Qilin attacked Synnovis, a pathology services provider for NHS Trusts in London, in June 2024. The attack disrupted blood testing services across King's College Hospital, Guy's and St Thomas' and other major NHS sites, forced thousands of appointment cancellations, and triggered emergency appeals for O-negative blood. It is one of the most disruptive ransomware attacks on UK healthcare infrastructure.Source: NHS / UK media reporting
- Why does Qilin target hospitals and healthcare providers?
- Healthcare cannot tolerate extended system downtime: patient care, diagnostics and drug dispensing depend on real-time IT access. Ransomware groups including Qilin target hospitals because operational pressure to restore services quickly makes healthcare organisations more likely to pay ransoms faster and at higher amounts than most other sectors.Source: BlackFog State of Ransomware May 2026
- How many victims did Qilin claim in May 2026?
- Qilin claimed 11 victims in May 2026, leading all active ransomware groups that month. BlackFog's monthly tracking recorded 95 publicly disclosed ransomware attacks worldwide in May, with 37 active groups and healthcare taking the heaviest sector hit at 28 incidents.Source: BlackFog State of Ransomware May 2026
- Is Qilin the same as Agenda ransomware?
- Yes. Qilin ransomware is also tracked under the name Agenda by some security vendors. It was initially written in the Go programming language before being rewritten in Rust, and both names refer to the same operator group and RaaS platform.Source: Trend Micro / cybersecurity research
Background
Qilin is a ransomware-as-a-service (RaaS) operation that rose to prominence from 2023 and became one of the most active crews in the global ransomware ecosystem. Operating on a commercial model in which core developers lease ransomware tooling to independent affiliates who conduct attacks and share ransom proceeds, Qilin targets organisations across healthcare, manufacturing, professional services and education.
In May 2026, Qilin led all ransomware crews with 11 claimed victims, according to BlackFog's monthly tracking of publicly disclosed attacks. That month saw 95 total disclosed attacks from 37 active groups — a tempo that held firm despite the Europol Operation Saffron seizure of First VPN's infrastructure. Healthcare was the hardest-hit sector overall with 28 incidents, consistent with Qilin's known targeting profile in which hospitals and care providers are prioritised because care delivery cannot tolerate downtime, driving faster ransom payment decisions.
Qilin gained particular notoriety in mid-2024 when it attacked Synnovis, a pathology service provider for NHS Trusts in London, causing widespread blood test disruption across King's College Hospital, Guy's and St Thomas' and other major NHS sites. The attack forced thousands of appointment and operation cancellations and resulted in emergency appeals for O-negative blood. The Synnovis incident established Qilin as a crew willing to attack healthcare critical infrastructure, a targeting posture it has maintained.