Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

Qilin leads ransomware a second month

1 min read
11:00UTC

BlackFog's June report kept Qilin at the top of ransomware activity for a second month, despite Europol's Operation Saffron hitting 25 gangs in May.

TechnologyDeveloping
Key takeaway

Qilin led ransomware activity for a second month running, undented by Europol's 25-gang takedown in May.

BlackFog, a cybersecurity firm that tracks ransomware activity, named Qilin the most active brand in its State of Ransomware report for June 2026, at 16% of undisclosed attacks and 8% of disclosed. The June ranking marks Qilin's second consecutive monthly lead, after it also led BlackFog's May tally , and it held even as Europol's Operation Saffron disrupted around 25 gangs in May . 1

Qilin's run through that enforcement pressure points at its affiliate-recruitment model. Affiliates are the freelance operators who carry out attacks using a brand's tooling in exchange for a cut. As takedowns strand affiliates from smaller crews, the largest recruiter absorbs them rather than shrinking. Saffron hit the infrastructure of two dozen operations; it did not touch the labour market they draw from, and that is the gap the June figures expose.

Deep Analysis

In plain English

Ransomware gangs sometimes act like criminal franchises: a core group builds the malicious software and negotiates with victims, while 'affiliates' actually break into networks and split the ransom. A cyber-security firm called BlackFog tracks which gang is most active each month, and for the second month running that gang is called Qilin. What makes this notable is that European police had just run a big operation the month before, called Operation Saffron, disrupting around 25 different ransomware groups {{EVREF:/t/cyber-threats-and-defences/6/europol-seizes-first-vpn-in-saffron-raid/}}. Qilin still came out on top, which suggests that arresting or shutting down rival gangs does not necessarily reduce total ransomware activity; the criminals doing the actual break-ins often just switch to whichever gang is still standing.

Deep Analysis
Root Causes

Qilin runs a ransomware-as-a-service affiliate model with an unusually generous revenue split, reportedly up to 85% to affiliates versus the 70% more typical among rival brands, which is why disrupted gangs' affiliates tend to migrate to Qilin rather than disappear when law enforcement takes a competitor offline.

Operation Saffron's roughly 25 gang disruptions in May targeted infrastructure and arrests rather than the affiliate marketplace itself. Removing a service operator's servers does not remove the freelance affiliates who did the actual intrusions, and those affiliates simply re-register under whichever brand offers the best terms.

What could happen next?
  • Meaning

    Qilin's second consecutive monthly lead despite Operation Saffron suggests law-enforcement disruption campaigns reshuffle which brand affiliates use rather than reduce total ransomware volume.

  • Risk

    If Qilin continues absorbing displaced affiliates, its higher-than-median ransom demands could become the market's new benchmark rather than an outlier.

First Reported In

Update #9 · FortiBleed harvest linked to Lynx crew

BlackFog· 4 Jul 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.