Qilin Holds the Center While the Ecosystem Starts to Fracture
Ransomware activity this week didn’t spike; rather, it settled into a rhythm. Multiple days crossed the 30-incident mark, not as outliers but as part of a steady operational pattern. That consistency says more than any single surge: ransomware groups aren’t scrambling anymore, they are running repeatable, reliable operations at scale.
At the center of it all is Qilin, still one of the most active players in the space. But what’s more interesting this week isn’t just its dominance, it’s what’s happening around it.
Key Trends Observed This Week
1. The Ecosystem Is Starting to Split
There are signs that the ransomware landscape is fracturing from within. A new group known as the “Gentlemen” has surfaced, reportedly formed after a fallout with a Qilin affiliate. What makes this notable isn’t just the split, but the fact that:
- The operator didn’t start from scratch
- They already had their own ransomware locker prepared
- The transition from affiliate to independent operator was immediate
This points to a deeper shift: affiliates are no longer just “partners.” They’re potential competitors in waiting. What used to be a centralized RaaS model is quietly turning into something more decentralized and unpredictable.
2. EDR Evasion Is Now Built-In, Not Optional
This new group isn’t operating at a beginner level either. Early activity suggests the use of BYOVD (Bring Your Own Vulnerable Driver) techniques to interfere with endpoint security tools before deployment. That’s a big deal!
It means attackers are:
- Disabling protections before execution even begins
- Targeting security tools directly, not just avoiding them
- Operating with a level of confidence typically seen in more mature groups
This isn’t experimentation, it’s standardization of advanced evasion.
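As an added defender-side illustration (not code from the original post), the check below scans constructed Sysmon-style driver-load (Event ID 6) and process-termination (Event ID 5) records for the BYOVD pattern described here: a blocklisted or unsigned driver load followed shortly by an endpoint agent dying. The blocklist hash, file paths and timestamps are constructed placeholders, and the agent process names are illustrative.

```python
from datetime import datetime, timedelta
from ntpath import basename

# Placeholder blocklist (SHA-256 -> label); constructed, not real driver hashes.
# In practice, load this from a maintained vulnerable-driver list.
VULN_DRIVER_SHA256 = {"d" * 64: "placeholder-vuln-driver"}
# Illustrative endpoint-agent process names to watch for unexpected termination.
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe"}
WINDOW = timedelta(minutes=5)  # a kill this soon after the load counts as related
TS = "%Y-%m-%d %H:%M:%S"

def parse_hashes(field):
    """Turn a Sysmon 'Hashes' string ('SHA256=...,MD5=...') into a dict."""
    return {k.upper(): v.lower() for k, v in
            (part.split("=", 1) for part in field.split(",") if "=" in part)}

def find_byovd_sequences(events):
    """Return findings: driver loads (Event ID 6) that are blocklisted or unsigned,
    followed within WINDOW by termination (Event ID 5) of a security process."""
    findings = []
    for drv in (e for e in events if e["EventID"] == 6):
        sha = parse_hashes(drv["Hashes"]).get("SHA256", "")
        if sha in VULN_DRIVER_SHA256:  # BYOVD drivers are usually validly signed,
            reason = "blocklisted:" + VULN_DRIVER_SHA256[sha]  # so the hash check wins
        elif drv.get("Signed", "false").lower() != "true":
            reason = "unsigned"
        else:
            continue
        t0 = datetime.strptime(drv["UtcTime"], TS)
        killed = sorted(basename(e["Image"]) for e in events if e["EventID"] == 5
                        and basename(e["Image"]).lower() in SECURITY_PROCESSES
                        and t0 <= datetime.strptime(e["UtcTime"], TS) <= t0 + WINDOW)
        findings.append({"driver": drv["ImageLoaded"], "reason": reason,
                         "terminated": killed})
    return findings

# Constructed sample log: a benign signed driver, a blocklisted (but signed) driver
# dropped in a user-writable path, then Defender's engine dying two minutes later.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-01-01 10:00:00", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\drivers\legit.sys", "Hashes": "SHA256=" + "1" * 64},
    {"EventID": 6, "UtcTime": "2024-01-01 10:01:00", "Signed": "true",
     "ImageLoaded": r"C:\Users\Public\drv.sys", "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "d" * 64},
    {"EventID": 5, "UtcTime": "2024-01-01 10:02:00", "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 5, "UtcTime": "2024-01-01 10:03:00", "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2024-01-01 10:40:00", "Image": r"C:\Program Files\SentinelOne\SentinelAgent.exe"},
]
```

Running `find_byovd_sequences(SAMPLE_EVENTS)` yields one finding for `drv.sys` with `MsMpEng.exe` in its terminated list; the later SentinelAgent exit falls outside the window and is not attributed to the load.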
3. Attackers Are Getting Louder and More Calculated
Another subtle but telling shift is that threat actors are becoming more public-facing.
There’s been an uptick in:
- Mockery of threat intelligence reporting
- Rebranding efforts and new identities
- Attempts to shape how they’re perceived
It’s less about noise and more about control. These groups are paying attention to how they’re tracked, discussed, and understood, and they’re starting to push back on that narrative.
The Usual Targets Still Hold
Despite all the internal changes, some things haven’t moved:
- The U.S. remains the primary target
- High-value, disruption-sensitive industries are still the focus
- No dramatic shift in victim selection, just refinement of what already works
Attackers aren’t chasing new ground; they’re getting better at exploiting the same ground.
What’s Really Changing?
What’s changing is the structure behind the attacks.
- Groups are splintering into smaller, independent units
- Capabilities that were once “advanced” are becoming baseline
- Operators are more aware, more vocal, and more deliberate
Ransomware isn’t just scaling; it is maturing into an ecosystem that can evolve on its own.
Recommendations
The growing number of active groups means defenders must:
- Monitor affiliate ecosystems, not just core groups
- Track TTP overlaps across groups
- Focus on early indicators (credentials, access brokers)
Conclusion
This week doesn’t point to a spike. It points to something more important:
- Qilin is still dominant, but it’s no longer the whole story
- New actors are emerging from inside existing ecosystems
- Advanced evasion is becoming standard practice
The threat isn’t just growing, it’s branching out, refining itself, and getting harder to predict.