
Qilin Consolidates Lead in Ransomware Market

"Over the last few months, what we have observed is that they are consolidating again and becoming major ransomware groups," Lotem Finkelstein, VP research at Check Point, told Infosecurity.

Qilin's market position and scale

Check Point's research, published in its 2026 Cyber Security Report and summarized to Infosecurity, places Qilin as a leading beneficiary of the recent consolidation in the ransomware-as-a-service (RaaS) market. The firm estimates Qilin holds around 16% of the cybercriminal market share. Qilin has been active since at least October 2022 and is described in the reporting as operating a technically mature infrastructure.

Sophos X-Ops Counter Threat Unit (CTU) data seen by Infosecurity offers a numerical sense of scale: "over the last 12 months, from July 2026, Qilin has listed 1496 victims on its data leak site." For context, Sophos reported Akira at 1205 victims and The Gentlemen at 763 victims over the same period.

The Gentlemen's June surge

Even as Qilin consolidates, Comparitech data showed a competing dynamic in June 2026: The Gentlemen "knocked Qilin off the top spot for the first time in many months," becoming that month's most prolific strain with 115 victims versus Qilin's 78. Rebecca Moody, head of data research at Comparitech, highlighted geographic differences in targeting: over half of Qilin’s targets tended to be US-based, while less than one in five of The Gentlemen’s June victims were from the US.

Check Point research and a subsequent leak of an internal database used by The Gentlemen in May exposed operational details about their infrastructure, affiliates and victims. The leaked screenshots from ransom negotiations showed a case where The Gentlemen received $190,000 after starting with an initial demand (an anchor) of $250,000.

Why affiliates are shifting toward Qilin

Sophos X-Ops CTU principal threat researcher Aiden Sinnott summarized the competitive dynamic: "Qilin has become dominant largely because it was the main beneficiary of ransomware market consolidation following major law enforcement activity." Infosecurity's reporting attributes the group's appeal to affiliates to several concrete factors: high affiliate payouts, mature infrastructure, continuous technical innovation and expanded extortion services.

Check Point’s Finkelstein added that affiliates are being empowered with AI tools that lower the technical barrier to entry. That combination — attractive economics for affiliates plus easier tooling — helps explain the "rapid influx of experienced affiliates and a sharp increase in victim volume," as Sinnott put it.

Qilin's tactics and the targeting of a Check Point vulnerability

Finkelstein noted Qilin’s creativity in tactics, including phishing campaigns and exploitation of vulnerabilities. On June 9, Check Point disclosed that a vulnerability in its Remote Access VPN and Mobile Access solution was targeted by Qilin; Check Point said the activity affected a single customer. Finkelstein called that impact "one too many."

In response to the accelerating, AI-driven threat environment, Check Point said it is using its Frontier AI Models Readiness Program to detect vulnerabilities across its product portfolio. As part of that program, the company reported it had conducted large-scale AI-driven code scanning, performed extensive security reviews, hardened components where needed, refined time-to-patch procedures, and accelerated protection development processes.

What this means for technologists and security teams, policymakers and law enforcement, and affected enterprises

  • Technologists and security teams: The reported use of AI tools by affiliates and Qilin’s technical maturity suggest defenders will need to monitor for both automated tooling in attack campaigns and exploitation of disclosed vulnerabilities — including those targeting remote access products.
  • Policymakers and law enforcement: Multiple sources in the reporting expect that consolidation around high-profile groups like Qilin will draw focused international law enforcement attention, mirroring past actions against other operators. Aiden Sinnott and Lotem Finkelstein both linked consolidation to increased law enforcement opportunity and risk for the groups.
  • Affected enterprises and procurement leaders: The geographic targeting differences noted by Comparitech — with Qilin skewing toward US targets and The Gentlemen toward fewer US victims in June — underscore the need for organizations to prioritize visibility into extortion services and affiliate-driven campaigns, and to ensure rapid patching and detection for remote access and VPN products.

Qilin's rise illustrates how quickly the ransomware landscape can pivot: fragmentation first, then rapid consolidation around a technically mature operator; and, concurrently, swift competitive moves by emergent groups such as The Gentlemen. The facts laid out by Check Point, Sophos X-Ops CTU and Comparitech point to a volatile marketplace where law enforcement action, affiliate incentives, AI tooling and targeted vulnerability exploitation will together shape who leads — and who becomes the next enforcement target.

https://www.infosecurity-magazine.com/news/qilin-dominates-ransomware-market/