Qilin ransomware activity is surging, with 100 victims listed in August
A major Swedish power supplier was hit by the Everest gang, some top tech companies relent on Australia's age ban, Google denies it suffered a 183m Gmail accounts breach, Western Sydney University hit with fifth cyber incident in two years, Afghan data breach killed 49 people, much more

Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!
Researchers at Cisco Talos report that a surge in Qilin ransomware activity has continued through the second half of 2025, with the group publishing more than 40 victim listings per month on its leak site.
The attacks have primarily targeted the manufacturing sector, followed by professional and scientific services and wholesale trade.
The sustained rate of publication underscores Qilin’s position as one of the most active and damaging ransomware operations worldwide.
Using a double-extortion model, the group encrypts data while threatening to leak stolen information if ransoms are not paid. Talos observed a sharp rise in data leaks, with peaks of 100 victim postings in both June and August 2025.
Recent artifacts suggest that some of the attacker’s scripts used Cyrillic character encoding, possibly linking the operation to Eastern Europe or a Russian-speaking region.
In its latest report, Talos identified the use of the open-source file transfer tool Cyberduck for data exfiltration, leveraging trusted cloud services to conceal malicious traffic.
Investigators also noted unusual activity involving standard Windows programs such as notepad.exe and mspaint.exe, which were used to view sensitive files before exfiltration.
Qilin operators commonly deploy two encryptors during an attack, one spreading laterally across systems via PsExec and another running from a single host to encrypt multiple network shares. (Alessandro Mascellino / Infosecurity Magazine)
Related: Cisco Talos, Databreaches.net, Dark Reading, TechNadu, The Cyber Express, WebProNews
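The tradecraft summarized above (PsExec-driven lateral movement, Cyberduck used for exfiltration, notepad.exe and mspaint.exe opening sensitive files, Cyrillic-encoded scripts) maps onto process-creation telemetry a defender already collects. The following Python triage is an added example written for this page, not code from Talos or the Infosecurity Magazine article: the event records are constructed here with a simplified schema (host, user, proc, parent, cmd rather than the real Windows event 4688 field names), the rule names are this example's own, and the thresholds are assumptions a SOC would tune to its environment.

```python
"""Heuristic triage of Windows process-creation events for the Qilin-style
behaviours described in the Talos summary. Everything below is constructed
for this example: the events are synthetic, the field names are a
simplified stand-in for Windows event 4688, and the rules are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry). FS01 is a file server,
# WS17 a workstation. Event 5 carries a Cyrillic script name on purpose.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "svc_backup", "proc": r"C:\Windows\PSEXESVC.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "PSEXESVC.exe"},
    {"host": "WS17", "user": "jdoe", "proc": r"C:\Program Files\Cyberduck\Cyberduck.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "Cyberduck.exe"},
    {"host": "FS01", "user": "svc_backup", "proc": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'notepad.exe "\\FS01\Finance\payroll_2025.xlsx"'},
    {"host": "WS17", "user": "jdoe", "proc": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"host": "FS01", "user": "svc_backup", "proc": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\PSEXESVC.exe", "cmd": r"cmd.exe /c C:\tmp\запуск.bat"},
]

VIEWERS = {"notepad.exe", "mspaint.exe"}        # built-in viewers named by Talos
UNC_PATH = re.compile(r'\\\\[\w.-]+\\[^\s"]+')   # \\server\share\... on a command line
CYRILLIC = re.compile(r"[\u0400-\u04FF]")        # Cyrillic code block
ESCALATE_AFTER = 2                                # distinct rules per host (assumption)


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[dict]) -> List[Finding]:
    """Apply each heuristic to every event; one Finding per matching rule."""
    findings: List[Finding] = []
    for e in events:
        proc, parent, cmd = basename(e["proc"]), basename(e["parent"]), e["cmd"]
        # PsExec's service side (PSEXESVC) running, or spawning children, on a host
        if "psexesvc.exe" in (proc, parent):
            findings.append(Finding(e["host"], e["user"], "psexec_service", proc))
        # A file-transfer client not expected on servers or standard builds
        if proc == "cyberduck.exe":
            findings.append(Finding(e["host"], e["user"], "cyberduck_exfil", cmd))
        # A built-in viewer opening a file over a UNC share path
        if proc in VIEWERS and UNC_PATH.search(cmd):
            findings.append(Finding(e["host"], e["user"], "viewer_on_share", cmd))
        # Cyrillic characters in a command line, per the Talos encoding artefact
        if CYRILLIC.search(cmd):
            findings.append(Finding(e["host"], e["user"], "cyrillic_cmdline", cmd))
    return findings


def escalate(findings: Iterable[Finding]) -> List[str]:
    """Hosts where at least ESCALATE_AFTER distinct rules fired, sorted."""
    rules_by_host: Dict[str, set] = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= ESCALATE_AFTER)


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:5} {f.user:11} {f.rule:17} {f.detail}")
    print("escalate:", escalate(hits))
```

Each rule alone is noisy (PsExec and Cyberduck both have legitimate users); the value is in the per-host correlation, which in the constructed data singles out FS01, where PsExec, a viewer reading a finance share, and a Cyrillic-named script all appear under one service account, while WS17's lone Cyberduck launch stays at the lower tier.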
Sweden’s power grid operator, state-owned Svenska kraftnät, is investigating a data breach after a ransomware group threatened to leak hundreds of gigabytes of purportedly stolen internal data.
The power company, which operates the country’s electricity transmission system, said the incident affected a “limited external file transfer solution” and did not disrupt Sweden’s power supply.
“We take this breach very seriously and have taken immediate action,” said Chief Information Security Officer Cem Göcgören in a statement. “We understand that this may cause concern, but the electricity supply has not been affected.”
The ransomware gang Everest claimed responsibility for the attack on its leak site over the weekend, alleging it had exfiltrated about 280 gigabytes of data and saying it would publish it unless the agency complied with its demands.
The same group has previously claimed attacks on Dublin Airport, Air Arabia, and US aerospace supplier Collins Aerospace — incidents that disrupted flight operations across several European cities in September. The group’s claims could not be independently verified.
Svenska kraftnät said it is working closely with the police and national cybersecurity authorities to determine the extent of the breach and what data may have been exposed. The utility has not attributed the attack to any specific threat actor. (Daryna Antoniuk / The Record)
Related: SVK.se, EnergyWatch, Security Week, Tech Radar
Meta, Snap, and TikTok said they’ll comply with Australia’s looming social-media ban for under-16s, setting aside their opposition just weeks before it comes into force.
Representatives from the platform operators gave remote testimony to a parliamentary inquiry in Canberra on Tuesday. They said they plan to start barring underage users from Dec. 10, the day the world-first legislation takes effect.
Their declarations remove a potential headache for the Australian government as it prepares to police the ban. The testimonies leave Alphabet's YouTube as the legislation’s most defiant opponent. YouTube rejects its classification by the Australian government as a social media platform, arguing it’s a video-streaming operator.
The law introducing the ban was passed by Australia’s parliament in 2024 to shield children from the toxic elements of social media and online abuse. But the ban has raised privacy concerns around how age verification methods work and doubts about how they can practically be enforced.
Social media platforms will be held responsible for preventing under-16s from having or creating accounts or evading the restrictions. That’s been a significant cause for their pushback and a recurring complaint. Companies that breach the law face fines of up to A$50 million ($32 million). Neither children nor their parents will be penalized for breaking the rules. (Angus Whitley / Bloomberg)
Related: Reuters, Financial Review, Tech Policy Press, The Guardian, Meta Australia Policy Blog, The North West Star, SBS News
Google was once again forced to announce that it had not suffered a data breach after numerous news outlets published sensational stories about a fake breach that purportedly exposed 183 million accounts.
This claim began over the weekend, with news stories claiming that millions of Gmail accounts were breached, with some outlets saying it affected the full 183 million accounts.
However, as the company explained in a series of posts, Gmail did not suffer a breach, and the compromised accounts were actually from a compilation of credentials stolen by information-stealing malware and other attacks over the years.
"Reports of a 'Gmail security breach impacting millions of users' are false. Gmail's defenses are strong, and users remain protected," reads a post on X.
"The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It's not reflective of a new attack aimed at any one person, tool, or platform."
"Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false," Google added.
This is just the latest such story that numerous news websites and cybersecurity companies have reported without verification in recent years.
This particular story stems from Have I Been Pwned (HIBP) creator Troy Hunt announcing he recently added a massive collection of 183 million compromised credentials to the data breach notification platform shared by the threat intelligence platform Synthient.
These credentials were not stolen in a single data breach, but rather through information-stealing malware, data breaches, credential stuffing, and phishing. Furthermore, these accounts are not for a single platform but for thousands, if not millions, of sites.
After loading the data into HIBP, Hunt says 91% of the 183 million credentials had previously been seen, illustrating that many of them have been circulating for years. (Lawrence Abrams / Bleeping Computer)
Related: Times of India, Forbes, Techzine, The Register, CyberInsider
Students and staff have had their sensitive information stolen in the latest of a series of cyberattacks plaguing Western Sydney University (WSU).
Last week, WSU told its community that a new round of personal information had been “impacted by a cyber incident”.
For students and staff, this meant a threat actor had gotten their hands on some of the most sensitive details possible, including tax file numbers, bank account details, passport and driver license details, visa information, health and disability information, and more.
Other personal information included contact information – namely addresses, email addresses, and phone numbers – along with names, dates of birth, ethnicities, and student and staff IDs.
“Attempts to gain unauthorised access to our systems have continued, including via external parties that supply IT services to the University,” said WSU vice-chancellor and president George Williams.
The university said it had identified two instances of “unusual activity” on 6 August and 11 August 2025 – both of which occurred on a student management system which had been hosted by a third-party provider using a cloud-based platform.
Investigations ultimately found a daisy-chain of suppliers had been exploited during the breach, starting at an additional external system, which itself was linked to the third-party cloud platform between 19 June 2025 and 3 September 2025.
“Unauthorised entry through these third- and fourth-party systems enabled personal information to be accessed and exfiltrated from the University’s Student Management System,” wrote WSU.
It is the fifth cybersecurity incident afflicting the university since 2023. (Leonard Bernardone / Information Age)
Related: Western Sydney University, Honi Soit
Iran's school for state-sponsored cyberattackers admits it suffered a breach exposing the names and other personal information of its associates and students.
The Ravin Academy was established in 2019, ostensibly to train individuals in all facets of cybersecurity and recruit the best to work on Iranian intelligence (MOIS) projects. In addition to being known as the training ground for some of Iran's cyberattackers, Ravin was also founded by two individuals with alleged ties to MOIS.
Founders Farzin Karimi Mazlganchai and Seyed Mojtaba Mostafavi are also both sanctioned by the UK, US, and EU for their role in establishing Ravin Academy, and according to a PwC report on the school, both have been credibly tied to attacks carried out by MOIS-linked attack group Yellow Nix/MuddyWater/APT34.
As part of some broader actions against Iran, Ravin was sanctioned by the UK, US, and EU between 2022 and 2023 for its role in recruiting cyber specialists to carry out human rights violations.
In a statement posted to its Telegram channel on October 22, Ravin confirmed that the attack targeted one of the online platforms it hosts, and highlighted the timing as an attempt to undermine confidence in Iranian security.
"As a result of this attack, some of the public information of participants (including username and phone number) on this platform has not been recorded," the statement read, according to a machine translation from Persian; the statement likely meant that the data had been recorded.
"This incident, coupled with the repeated publication of false and misleading content in the past, has the goals of damaging the reputation of this academy, undermining security in Iran, and harming the standing of the National Olympiad in the field of cybersecurity.
"Given the media efforts over the past year to achieve the aforementioned goals, it is natural that the opponents and international competitors of this event seek to damage this great national achievement."
It acknowledged that details such as names, phone numbers, and usernames of some academy associates were compromised by whoever was behind the attack.
However, UK-based Iranian activist Nariman Gharib claimed to have been sent a copy of the data that was stolen from Ravin Academy and has made it publicly available via a dedicated website.
The data includes names, phone numbers, and Telegram usernames – as the academy acknowledged – but also, in some cases, national ID numbers.
Gharib said that he was supplied the data in the form of a spreadsheet, which also contained the details of the classes each individual attended, although he did not make this data publicly accessible. (Connor Jones / The Register)
Related: Nariman Gharib, Ravin Academy, DataBreachToday
At least 49 family members and colleagues of Afghans affected by the MoD’s mass data breach have been killed, according to research submitted to a parliamentary committee.
The first on-the-ground research into 350 affected people in Afghanistan, the UK, or elsewhere has found that, of the 231 respondents who received notification from the Ministry of Defence (MoD) that their data had been leaked, 49 responded that either a colleague or a family member had been killed as a result of the data breach.
The research, submitted to the Commons defense select committee inquiry into the data breach, found that, of those surveyed, 200 of the 231 notified (87%) reported threats made to themselves or members of their families, while 99 (43%) reported a direct threat made to their life as a result of the data breach. A total of 121 (52%) said that the Taliban had threatened family or friends in Afghanistan.
Olivia Clark, the executive director of Refugee Legal Support, which conducted the research in partnership with academics from Lancaster and York Universities, said: “This research lays bare the devastating human consequences of the MoD data breach. By centering Afghan voices and documenting their experiences, it fills a critical gap in understanding the real-world impact of the breach.” (Diane Taylor / The Guardian)
Related: UK Parliament, UK Parliament, The Register, Arab News, Daily Mail, Khaama Press, UK Defence Journal

In remarks at the 2025 Meridian Summit in Washington, DC, National Cyber Director Sean Cairncross said the United States needs to counter China’s “attempt to export a surveillance state across planet Earth,” and instead push a “clean American tech stack” globally.
The Chinese threat promises to be a big focus for Cairncross, a message he’s been sending in his short tenure thus far.
“To date, I don’t think the United States has done a terrific job of sending the signal, in particular to China, that their behavior in this space is unacceptable,” he said. “It’s meant to do us harm. It sits on our critical infrastructure systems and threatens chaos.
“It tries to put us in strategic dilemmas that impact our decision-making,” Cairncross continued about Beijing. “And that is something that is scaling. It is something that is seen as cost-free, I think, across the ocean, and that is something that needs to be reset so that there is strategic stability in this domain.”
Cairncross said the United States’ own national cybersecurity strategy under Donald Trump won’t be as explicit in its directions as past editions. He said it wouldn’t be 100 pages long, either.
“It will be setting the posture of the United States in this domain and things that we are driving toward, and we will have follow-on action items that will be in support of that strategy,” he told the audience at the event. (Tim Starks / CyberScoop)
Related: SC Media, ExecutiveGov, MeriTalk, Punchbowl News
In a filing with the SEC, Oregon-based fencing and pet solutions provider Jewett-Cameron Company said it was recently targeted in a cyberattack that resulted in disruption and the theft of sensitive information.
The company revealed that it detected an intrusion into its IT environment on October 15.
The investigation into the incident is ongoing, but Jewett-Cameron has determined that the hackers deployed “encryption and monitoring software” on corporate IT systems.
The attack has led to disruptions and the company's inability to access some business applications related to operations and corporate functions.
The company believes the intrusion has been contained, and it’s working on restoring impacted systems. There is no evidence to date that the personal information of employees, customers, vendors, or suppliers has been compromised.
The hackers appear to have obtained “images of video meetings and computer screens that may contain sensitive company information." (Eduard Kovacs / Security Week)
Related: SEC, SC Media, The Record
Researchers at Coveware report that the number of victims paying ransomware threat actors has reached a new low, with just 23% of the breached companies giving in to attackers' demands.
With some exceptions, the decline in payment resolution rates continues the trend that Coveware has observed for the past six years.
In the first quarter of 2024, the payment percentage was 28%. Although it increased over the next period, it continued to drop, reaching an all-time low in the third quarter of 2025.
One explanation for this is that organizations implemented stronger and more targeted protections against ransomware, and authorities are increasing pressure for victims not to pay the hackers.
“Cyber defenders, law enforcement, and legal specialists should view this as validation of collective progress,” Coveware says.
Related: Coveware, Security Week, Security Affairs, Help Net Security

An Indian electrical and electronics circuit design specialist who goes by the name Harishankar N. noticed that his iLife A11 smart vacuum robot was constantly communicating with its manufacturer, transmitting logs and telemetry halfway around the world that he had never consented to share.
After he blocked its data-logging IP address (just the logs, not firmware updates or OTA channels), the robot repeatedly failed to power on. He discovered that the manufacturer had disabled the unit by remote control and put the device out of warranty for blocking its data collection.
According to Harishankar, the same hardware, the 3irobotix CRL-200S, powers devices from Xiaomi, Wyze, Viomi, and Proscenic, leaving potentially dozens of smart vacuums vulnerable to the same abuse. (Small World)
Related: Futurism
Donald Trump formally submitted the nomination of Adm. Kevin Lunday, an officer with deep expertise in cybersecurity, for Coast Guard commandant.
Lunday is a graduate of the US Coast Guard Academy, the National War College, the Naval War College, and George Washington University Law School, according to his official bio.
Notably, he has worked closely with the Defense Department’s cyber community.
“Experienced in operational and technical cyberspace operations, Admiral Lunday served as Commander, US Coast Guard Cyber Command, where he directed the operation, maneuver, and defense of the Coast Guard Enterprise Mission Platform as part of Department of Defense (DoD) networks. He also directed remote and deployable cyberspace operations to protect the US maritime critical infrastructure from cyberattack. Before this role, he served as Director of Exercises and Training (J7), US Cyber Command, where he directed the joint training and certification of the DoD Cyber Mission Force, the nation’s cyberspace warriors,” his Coast Guard bio states.
Lunday’s nomination comes as the service is pursuing a new modernization plan dubbed Force Design 2028, which was unveiled earlier this year and includes significant upgrades to the organization’s digital capabilities. (Jon Harper / DefenseScoop)
Related: Congress.gov, Military Times
F5 CEO François Locoh-Donou said during the company's fourth-quarter earnings call that the company is increasing its internal cybersecurity investments as it responds to its recent hack, which it expects to slow revenue growth over the next two quarters as many of its customers pause or slow down their buying decisions.
"We are disappointed that this has happened and very aware as a team and as a company of the burden that this has placed in our customers who have had to work long hours to upgrade" affected products, Locoh-Donou told investors on the call. (Sam Sabin / Axios)
Related: Wall Street Journal
Email security specialist Sublime Security raised $150 million in a Series C venture funding round.
Georgian led the round with additional funding from new investors Avenir and 01A, and existing investors Index Ventures, IVP, Citi Ventures, and Slow Ventures. (James Rundle / Wall Street Journal)
Related: PR Newswire
Best Thing of the Day: Putting a Cyber Acquisition to Good Use
Mastercard Threat Intelligence announced it will combine the company’s global fraud data with cyber threat intelligence from Recorded Future, resulting in a deeper level of visibility into how fraud originates and spreads across the payments ecosystem.
Worst Thing of the Day: Too Few Infrastructure Providers Are to Blame
Signal President Meredith Whittaker argues that her company didn’t have any other choice but to use AWS or another primary cloud provider, after a prominent Amazon Web Services (AWS) outage took Signal along with it, because there are only 3 to 4 infrastructure players from which Signal could choose.
Closing Thought
