Malware | January 7, 2026 | 4 min read

Qilin Ransomware Hits 5 Targets in 24 Hours Including Healthcare

The Russian-linked gang led all ransomware groups on January 6 with attacks spanning wine distributors, art logistics, and medical practices across three countries.

James Rivera

Qilin ransomware operators claimed five victims on January 6, making them the most active ransomware group of the day. The attacks targeted organizations across the UK and US, including healthcare providers Medical Asset Management and Health Bridge Chiropractic.

Dark Web Informer tracked 17 total ransomware claims from 10 groups across a 24-hour period ending January 6. Qilin's five attacks represented nearly a third of all activity, continuing a pattern that made them the most prolific ransomware operation of 2025.

January 6 Victims

Qilin's claimed victims span multiple industries:

Victim                      Country   Sector
Berkmann Wine Cellars       UK        Food & Beverage
USArt                       US        Art/Hospitality
Secorp Industries           Unknown   Industrial
Medical Asset Management    US        Healthcare
Health Bridge Chiropractic  US        Healthcare

The healthcare targets are particularly concerning. Medical organizations hold sensitive patient data protected under HIPAA, and ransomware disruption can directly impact patient care. Two healthcare victims in a single day signals either deliberate targeting or complete indifference to the sector's vulnerability—neither option is reassuring.

USArt operates in the US hospitality sector handling art logistics and management. The company confirmed the breach, though the full scope of compromised data remains unclear.

Qilin's 2025 Dominance

Qilin surpassed all competitors in total victim count during 2025. Before the year ended, the group claimed over 1,000 victims on its leak site—evidence of large-scale operations that most ransomware gangs can't match.

Their targeting patterns reveal the scope:

Top Affected Sectors:

  • Manufacturing: 152 victims
  • Healthcare: 114 victims
  • Technology: 110 victims
  • Business Services: 92 victims
  • Financial Services: 63 victims

Geographic Distribution:

  • United States: 503 victims
  • Canada: 61 victims
  • France: 60 victims
  • United Kingdom: 45 victims
  • Spain: 37 victims

The US accounts for half of all Qilin victims, followed by Western European and Canadian organizations. This geographic focus aligns with financially motivated operations targeting economies where ransom payments are more likely.

What Is Qilin?

Qilin (also known as Agenda ransomware) operates as a ransomware-as-a-service (RaaS) platform. The core group develops and maintains the ransomware, then provides it to affiliates who conduct actual attacks in exchange for a percentage of any ransom payments.

This model explains the volume. Qilin isn't executing 1,000+ attacks with a single team—they're enabling dozens of affiliates who each target multiple victims. The RaaS approach scales in ways that traditional cybercriminal operations can't.

Technical characteristics include:

  • Written in Go, enabling cross-platform deployment
  • Adaptable configuration for customizing attacks to specific victim environments
  • Both encryption and data exfiltration capabilities
  • Sophisticated negotiation infrastructure with dedicated victim portals

The Covenant Health breach we covered last week demonstrated Qilin's healthcare focus—that attack exposed 478,000 patient records. January 6's healthcare victims suggest the group hasn't shifted away from the sector despite the attention.

Other Groups Active January 6

While Qilin led the day, other ransomware operations posted victims:

Play (3 victims): Autohaus Pichel GmbH (Germany), Due Doyle Fanning (US), Mill Brothers

Interlock (2 victims): Aero Fabrications and Apex Spine & Neurosurgery (US)

Single victims each: TheGentlemen (Romanian energy company), Vect (South Africa), Rhysida (US steel services), Nova (France), Tengu (Mexican government), Brotherhood (Italy), Lynx (Austria)

The geographic spread—nine countries in 24 hours—shows ransomware as a truly global threat. Organizations anywhere with internet-facing infrastructure and valuable data face risk regardless of location or industry.

Defensive Recommendations

Defending against Qilin and similar groups requires layered security:

  1. Patch aggressively - Most ransomware initial access comes through known vulnerabilities in VPNs, firewalls, and remote access tools

  2. Enforce MFA everywhere - Particularly on remote access and privileged accounts. Qilin affiliates frequently use stolen credentials for initial access

  3. Segment networks - Limit lateral movement so a compromised workstation can't reach backup systems or domain controllers

  4. Maintain offline backups - Tested, isolated backups remain the ultimate ransomware defense. If you can restore without paying, the ransom demand loses leverage

  5. Monitor for data exfiltration - Modern ransomware groups steal data before encrypting. Detecting exfiltration early may allow response before encryption begins
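Recommendation 5 is the one item above that can be turned into concrete detection logic. The following is an added example written for this article, not tooling from the author or from any vendor: it runs a baseline-deviation check over constructed outbound flow records and flags an internal host whose egress to external addresses jumps well above its own history, which is the early signal the recommendation describes. The flow tuple layout, the internal ranges and the 5x / 10 MB thresholds are assumptions chosen for the example.

```python
# Added example: baseline-deviation check for outbound data volume.
# Flow records below are constructed sample data; field layout is an assumption.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space for the example environment.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flows: (window, src_ip, dst_ip, bytes_out). Windows 1-3 are
# the quiet baseline; in window 4 one host pushes a bulk upload to a new external host.
FLOWS = [
    (1, "10.0.1.20", "10.0.9.5", 120_000),        # internal-to-internal, ignored
    (1, "10.0.1.20", "203.0.113.8", 2_000_000),
    (2, "10.0.1.20", "203.0.113.8", 2_500_000),
    (3, "10.0.1.20", "198.51.100.3", 1_800_000),
    (4, "10.0.1.20", "203.0.113.44", 60_000_000), # unusually large external transfer
    (1, "10.0.2.7", "203.0.113.8", 500_000),
    (2, "10.0.2.7", "203.0.113.8", 450_000),
    (3, "10.0.2.7", "203.0.113.8", 520_000),
    (4, "10.0.2.7", "203.0.113.8", 480_000),
]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def external_bytes_per_window(flows):
    """Sum bytes sent from internal sources to external destinations, keyed by host and window."""
    totals = defaultdict(lambda: defaultdict(int))
    for window, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][window] += nbytes
    return totals

def flag_exfil(flows, current_window, ratio=5.0, min_bytes=10_000_000):
    """Return (host, current_bytes, baseline_bytes) for hosts whose egress in the
    current window is at least `ratio` times their mean egress in earlier windows
    and also clears an absolute floor, so small noisy hosts are not flagged."""
    flagged = []
    for host, per_window in external_bytes_per_window(flows).items():
        history = [v for w, v in per_window.items() if w < current_window]
        baseline = sum(history) / len(history) if history else 0
        current = per_window.get(current_window, 0)
        if current >= min_bytes and (baseline == 0 or current >= ratio * baseline):
            flagged.append((host, current, baseline))
    return flagged

if __name__ == "__main__":
    for host, cur, base in flag_exfil(FLOWS, current_window=4):
        print(f"{host}: {cur} bytes out vs baseline {base:.0f}")
```

In production the same check would read flow or proxy logs per hour and alert on the flagged hosts; the point is that a sudden multiple of a host's own normal egress is visible before any encryption starts.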

Healthcare organizations face additional pressure given HIPAA requirements and patient safety implications. Incident response plans should specifically address maintaining care continuity during ransomware events—something too many healthcare providers discover they need only after an attack begins.
