
Ransomware group now lets you call a lawyer


Illustration: JMiks | Shutterstock

An up-and-coming ransomware group dubbed Qilin is stepping up its game and has now started offering legal support to its affiliates. There’s now a “Call Lawyer” feature to help affiliates increase pressure during ransomware negotiations.

As reported by Cybereason, Qilin operates as a sophisticated ransomware-as-a-service operation. With major ransomware groups like Blacklock, DragonForce, Everest, and LockBit being out of action, at least temporarily, Qilin has stepped up to fill the void. The ransomware group has been active since at least October 2022 and operates by providing its ransomware tools and related infrastructure to affiliates, taking a 15 to 20 percent cut of the ransom as payment.

The ransomware is based on custom-built malware written in Rust and C for cross-platform attacks on Windows, Linux, and ESXi systems. It also offers customisable encryption modes, safe-mode execution, log cleaning, network spreading, and negotiation tools “designed for affiliate ease and operational stealth.”


The legal assistance feature gets Qilin’s legal team to contact the affiliate privately and provide legal support. This includes:

  • Legal assessment of stolen data
  • Classification of violations in accordance with applicable laws in varying jurisdictions
  • Legal evaluation of potential damages, including lawsuits, legal costs, and reputational risks
  • Ability to conduct direct negotiations between the company and the lawyers
  • Advice on how to inflict maximum financial damage to a target company if ransom demands are refused

Legal assistance isn’t the only unique service offered by Qilin, either. Its latest version offers a file storage system with up to one petabyte of space, tools for spamming corporate email addresses and phone numbers, and an in-house team of journalists who can help write text for blog posts in cooperation with legal experts and also assist with “pressure during negotiations.”

Qilin’s malicious activity has steadily been on the rise since its October 2022 emergence, with 2025 being its most active year so far. It made headlines in June 2024 for attacking Synnovis, a healthcare provider for the UK government. With its current arsenal of tools, Qilin is looking set to take the throne in an emerging wave of ransomware-as-a-service operations that cause more damage, are more prepared, and will likely extract even higher ransoms than before.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
