When you’re the top ransomware group, rivals and scammers can be counted on to try to take you down.
Reports that Europol is offering a $50,000 reward for information on two senior members of the Qilin ransomware group are false, the European law enforcement agency said today.
Australia’s Cyber Daily and other cybersecurity news sites had reported that Europol had posted on one of its Telegram channels a reward for information on two Qilin admins, who allegedly use the aliases Haise and XORacle.
A Europol spokesperson told The Cyber Express today, “This is a scam, this message doesn’t come from Europol.”
Qilin has been the top ransomware group in recent months by a significant margin, so it’s possible the scam message could be the work of a rival trying to do damage. It could also be fallout from internal conflict within the Qilin group.
Qilin Ransomware Group Claims 356 Victims Since April
Cyble threat intelligence researchers have documented 695 victims of the Qilin ransomware group since it first emerged in 2022.
However, more than half of those claimed victims – 356 – have occurred since longtime leader RansomHub went offline at the end of March in a possible act of sabotage by rival DragonForce.
Those 356 victims are 143 more than Akira, the second most active ransomware group since April (chart below) – and could be why some in the cybercrime world are taking notice.
NHS Ransomware Attack was Qilin’s Most Disruptive
Perhaps Qilin’s most notorious attack occurred in June 2024, when a ransomware attack on UK pathology services provider Synnovis caused service disruptions at major London NHS hospitals, an attack that one official called “one of the most unpleasant and impactful cyber incidents in the UK in recent years.”
One consequence of that devastating attack was a 96% drop in blood sampling in London hospitals in the weeks after the attack.
Healthcare ransomware attacks aside, part of Qilin’s staying power has been its ability to target a wide range of sectors and industries; the chart below, from Cyble, details the top sectors targeted by Qilin since April.
This article has been updated to reflect Europol’s comments that the Telegram message was fake.
