Ransomware activity this week continued to be driven by two well-established operators: Qilin and Akira. Both groups sustained a steady stream of victim disclosures, reinforcing their position among the most active ransomware operations currently operating in the ecosystem.
Rather than isolated spikes inactivity, the week reflected a consistent pattern: established ransomware groups maintaining operational momentum while continuing to expand their victim lists across multiple sectors.
Qilin: Sustained Momentum Through Affiliate Operations
Qilin remained one of the most active ransomware groups during the week, continuing to publish new victims on its data leak site. The group has consistently demonstrated the ability to maintain a high attack tempo, largely due to its ransomware-as-a-service (RaaS) structure.
Under this model, affiliates are responsible for gaining initial access and carrying out intrusions, while Qilin operators provide the ransomware payload, infrastructure, and extortion platform. This division of labor enables the group to scale operations efficiently and maintain a steady pipeline of victims.
Victims disclosed this week spanned multiple industries, highlighting the group’s opportunistic targeting strategy.Instead of focusing on a single sector, Qilin affiliates appear to prioritize organizations where operational disruption could increase the likelihood of ransom payments. The group’s continued activity reinforces its status as one of the most dominant ransomware operations observed in recent months.
Akira: Consistent Double-Extortion Operations
Alongside Qilin, Akira also maintained steady activity throughout the week, adding several organizations to its leak site.
Akira has developed a reputation for consistent and methodical campaigns. The group typically targets organizations where downtime can significantly impact business operations, including sectors such as manufacturing, professional services, healthcare, and education.
Akira continues to rely heavilyon double-extortion tactics. In these attacks, threat actors first exfiltrate sensitive data before deploying ransomware. Victims are then pressured to paynot only for decryption but also to prevent stolen data from being publicly released. This approach has allowed the group to sustain operations and maintain leverage during negotiations with victims.
Key Trends Observed This Week
Several patterns emerged fromransomware activity during the week
- Established groups dominating disclosures: Qilin and Akira continued to account for a significant share of newly listed victims.
- Affiliate-driven attacks remain central: The RaaS model continues to enable ransomware operators to scale quickly.
- Broad sector targeting: Victims were distributed across multiple industries rather than concentrated within a specific vertical.
- Persistent use of double extortion: Data theft combined with encryption remains a standard tactic for increasing pressure on victims.
Conclusion
The steady activity observed from Qilin and Akira suggests both groups will likely remain key drivers of ransomware incidents in the near term. Their ability to maintainconsistent victim disclosures indicates stable affiliate networks and matureoperational infrastructure. If current trends continue, these groups areexpected to remain prominent actors within the ransomware landscape in thecoming weeks.
.png)
.png)