Thursday, June 11, 2026
Qilin attacks the Shipping Association of New York and New Jersey: Harbinger or just unlucky?

On 8th June 2026 the news broke that Qilin, the prolific Russian-origin ransomware group, had successfully facilitated an attack on the Shipping Association of New York and New Jersey. Qilin's ransomware-as-a-service is claimed to have been used to take data, with a threat to publish it, as well as to encrypt key data stores.

Why this matters

We have tracked Qilin over the last few years. This attack appears to be a new departure, which is of concern to us. It is not just the attacked entity per se which is worrying, but also what it represents and the extent to which the data extracted can be used as a vector for onward attacks on the association's membership. Furthermore, the attack could not have come at a more piquant time, four days after the release of the USCG's latest cyber instructions on June 4th.

How they do it

Qilin uses several different techniques to get access. These attacks still rely on individuals' mistakes, such as clicking on bad links; on IT errors, such as failing to secure VPNs with MFA; or on failing adequately to isolate and secure precious backups.

These attack methods include:

  • Spearphishing
  • Remote Monitoring & Management Software Exploitation
  • Lateral Movement & Exploitation
  • Multifactor Authentication (MFA) Bombing
  • SIM Swapping

They seek valid credentials, preferably without MFA.

What/who is Qilin?

Qilin is a persistent and pervasive threat knocking at the door of every organisation, agnostic as to size of target. It is used to steal huge or small amounts of data, which the criminals publish if they are not paid, and there is no guarantee that the criminals deploying Qilin will provide decryption keys even if the ransom is paid. They have been known to leave back doors open for later attacks. They loiter prior to an attack, possibly for up to 18 days, observing and mapping your networks. Given their widespread reach, methods of exploitation, and varied motivations, Qilin now ranks as a top-priority threat across both eCrime and nation-state threat models. They are aggressive, applying multiple levels of pressure, and have a very easy-to-use infrastructure which attracts other organised crime groups (OCGs) to them.

Who are they attacking?

Qilin have a nasty track record. They are responsible for over 1000 attacks, and 2025 was a bumper year for Qilin, up from 191 in 2024. Mainly delivered as ransomware as a service, their attacks have mainly targeted organisations in the US, UK, Canada, France, Germany and South Korea; other notable hits have been in Japan (Nissan), Malaysia (Airports) and Israel (Shamir Medical Centre). Historically known for going after financial services, legal and manufacturing firms, they have also attacked state infrastructure and local government. In 2025 the group attacked 45 healthcare providers (14 confirmed), 40 government entities (22 confirmed), and 26 education establishments (7 confirmed). Businesses include 143 manufacturers, 108 service-based companies, 69 finance firms, 50 retailers, and 34 construction companies. They demanded a $50m ransom from Synnovis. From the Shamir Hospital they exfiltrated 8TB of data and demanded a $700,000 ransom.

Their penetration into maritime so far has been limited: NSS Nagasaki Shipping, Buffalo Marine Services, Atlantis Submarine (Hawaii) and Brodosplit (Croatia) have all been attacked in the last year. We hope this remains the case.

At Astaara, we can help you identify, manage, transfer or treat your cyber risks, through targeted advisory services and specialty cyber risk insurance. If you are concerned or want to know more, please get in touch with us.

  • William Egerton
    Chief Cyber Officer