29 April 2026 Ransomware

Qilin Ransomware Is Now Australia's Most Active Threat: What Businesses Must Do in 2026

Qilin ransomware has become the world's most prolific ransomware-as-a-service operation in 2026, recording 31 confirmed victims in a single week in late April alone. Australian organisations — from Victorian courts to financial advisory firms — have been hit repeatedly, and the pace of attacks is not slowing. Here is what you need to understand and act on.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

Qilin's Rise to the Top of Global Ransomware

Qilin — tracked by some vendors under the alternate name "Agenda" — is a ransomware-as-a-service (RaaS) operation first observed in mid-2022. For most of its early life it operated in relative obscurity, claiming dozens of victims per quarter. That changed dramatically in late 2025 and has accelerated into 2026: activity attributed to Qilin increased roughly 14-fold compared to 2023, bringing the group's confirmed victim count well past 900 organisations by the close of 2025.

In 2026 the group has not slowed. Ransomware activity trackers recorded Qilin as the most prolific threat actor in the week of 24 April 2026, with 31 confirmed victims in seven days — nearly double the tally of its nearest competitor, Akira, for the same period. The group has claimed more than 368 victims in 2026 alone as of late April, making it by far the dominant force in the global ransomware landscape this year.

The engine behind that growth is the RaaS model. Qilin's operators maintain the core infrastructure: the ransomware binary, the command-and-control framework, the darknet leak site where stolen data is published if ransoms go unpaid. Affiliated "franchisees" — vetted cybercriminals who pay to use the platform — carry out the actual intrusions. Affiliates keep the majority of any ransom paid; the operators take the remainder. This arrangement lets Qilin scale without being bottlenecked by a fixed team of skilled hackers. Any motivated criminal with the right credentials and a willingness to follow the operators' playbook can become an affiliate.

The group's technical foundation is modern and deliberately evasive. Its ransomware binaries are written in Rust and Go, languages that produce binaries legacy antivirus signatures rarely match. Qilin also adapts its initial access techniques rapidly when defenders publish detections: when one method appears in threat intelligence feeds, affiliates rotate to alternatives within weeks. This combination of organisational scale and technical agility is what separates Qilin from the dozens of smaller ransomware groups that cycle in and out of activity each year.

The group practices double extortion as standard: before deploying the encryption payload, affiliates spend one to three weeks inside the victim's environment silently exfiltrating data. That stolen data becomes a second lever — even if the victim restores from backups and declines to pay for a decryption key, the threat of publishing sensitive client or staff records on Qilin's darknet leak site creates separate reputational, regulatory, and legal pressure. For many smaller organisations, the data exposure threat is more damaging than the encryption itself.

Australian Organisations Already Targeted

Australia sits among the top five most targeted countries globally for Qilin attacks, and the list of confirmed Australian victims is already substantial. The common thread across these incidents is not sector or size — it is opportunity.

One of the most prominent early Australian victims was Court Services Victoria (CSV). In late 2023, Qilin affiliates gained access to CSV's audiovisual network, exposing recordings of sensitive hearings from the Supreme Court, County Court, Coroners Court, and Children's Court dating back to November 2023. The attack was first reported by Bleeping Computer and corroborated by The Record from Recorded Future News. CSV notified Victoria Police, whose cybercrime squad investigated the incident. Court operations were not ultimately interrupted, but the exposure of hearing recordings — many involving vulnerable parties — underlined the breadth of what Qilin affiliates will target.

The accounting and financial services sector has seen repeated targeting. MKA Accountants, a Victorian practice, confirmed a Qilin incident in May 2025 after the group posted approximately 185 gigabytes of stolen data as proof of access. Skeggs Goldstien, a New South Wales financial advisory firm, was listed by Qilin in June 2025; the group claimed roughly 500 gigabytes of data including client tax returns and signed confidentiality agreements, and made portions of that data public after negotiations did not proceed.

In early 2026, activity against Australian businesses intensified. Since late January 2026, at least four Australian organisations — three based in Western Australia and one in Queensland — appeared on Qilin's darknet leak site within a single month, according to reporting by Cyber Daily. In April 2026, Peuker & Alexander, an Australian building materials company, was listed on April 10 with the group threatening to publish data unless contact was made through specified channels.

The scale of the national problem is reflected in official data. The ACSC's Annual Cyber Threat Report 2024–25 documented 138 ransomware incidents to which Australia's cyber defence agencies directly responded during the financial year — and that figure captures only the subset formally reported to government. The report identifies ransomware as "the most disruptive cybercrime threat" facing Australian organisations, with double extortion now described as the dominant attack model. Insurance Business Australia reported in April 2026 that the sustained pace of Qilin attacks is already tightening cyber underwriting conditions for Australian businesses, with insurers adjusting exclusions and policy requirements in response to the group's activity.

These incidents span courts, accountants, financial advisers, electronics retailers, logistics firms, and building materials suppliers. No sector is categorically safe, and the ransom demands do not scale politely to business size — small and medium enterprises frequently face demands calibrated to what affiliates assess the business can afford, not to what a large enterprise would pay.

How Qilin Gets Into Your Systems

Affiliates rely on a small number of well-understood initial access techniques, almost all of which have known mitigations. This is not a group exploiting exotic zero-days — it is one systematically exploiting gaps that most organisations already know they should close.

Phishing and Credential Theft

Phishing remains the most common initial access vector for Qilin affiliates. Campaigns have ranged from broad credential-harvesting emails to targeted spear-phishing of IT administrators and managed service providers (MSPs). In one documented case, affiliates sent a fake security alert impersonating a ScreenConnect managed services notification to an MSP; when an administrator entered credentials, the affiliates gained access to that MSP's management console — and from there to every downstream client. Credential reuse amplifies the damage: even a password from a low-value service can open critical systems if reused on RDP portals or VPN gateways.

Exploiting Unpatched Network Edge Devices

Qilin affiliates have been documented actively exploiting known vulnerabilities in internet-facing network appliances, particularly Fortinet FortiGate SSL-VPN devices. Two FortiGate vulnerabilities — CVE-2024-21762 and CVE-2024-55591 — allow unauthenticated attackers to bypass authentication on FortiOS SSL-VPN interfaces. Both were added to the CISA Known Exploited Vulnerabilities catalogue, meaning they are confirmed to have been actively exploited in attacks against real organisations. Businesses running unpatched FortiGate firmware on internet-facing devices have provided a reliable entry point for Qilin affiliates throughout 2025 and into 2026.

The pattern extends beyond Fortinet: any internet-facing network appliance running end-of-support or unpatched firmware is a candidate. Qilin affiliates also purchase access from initial access brokers — criminal intermediaries who sell compromised network footholds — meaning a vulnerability exploited weeks earlier by another group can still lead to a Qilin deployment.

Post-Compromise: From Access to Ransom

Once inside, Qilin affiliates typically spend between one and three weeks in the environment before detonating the ransomware payload. That dwell time is purposeful. During it, affiliates use tools including Cobalt Strike beacons for persistent command-and-control, and in some cases employ a technique called BYOVD (Bring Your Own Vulnerable Driver), where a legitimately signed but exploitable driver is loaded to disable endpoint security software before the ransomware runs. Backup infrastructure is specifically targeted for deletion or encryption — removing the victim's primary recovery option.

Data exfiltration precedes encryption. Files are staged and transferred to attacker-controlled infrastructure to enable double extortion. The result is that even businesses that successfully restore from offline backups face a second threat: the imminent publication of client data, internal financial records, or staff personal information. For accountants, financial advisers, and healthcare providers — all of whom have appeared on Qilin's Australian victim list — the regulatory and reputational consequences of a public data dump frequently exceed the operational cost of recovery from encryption alone.

What Australian Businesses Must Do Right Now

The ACSC's Essential Eight mitigation framework directly addresses most of the vectors Qilin affiliates exploit. These are not theoretical hardening measures — they map precisely to the techniques documented in confirmed Qilin incidents, and each item below has a concrete connection to reducing exposure to this specific threat.

1. Patch Network Edge Devices Without Delay

Any FortiGate, Cisco ASA, Palo Alto, or similar VPN or firewall appliance sitting on the internet perimeter should be running current firmware. If your organisation is running FortiOS versions affected by CVE-2024-21762 or CVE-2024-55591 and has not yet patched, that remediation should happen this week rather than next quarter. The ACSC publishes updated advisories when known vulnerabilities are under active exploitation at cyber.gov.au; checking that page weekly takes two minutes and ensures you are not caught by advisories that your IT provider has not yet actioned.

2. Enforce Multi-Factor Authentication on All Remote Access

No RDP port should be directly internet-facing without multi-factor authentication in front of it. Where RDP is genuinely necessary for remote administration, place it behind a VPN that itself enforces MFA. If your managed service provider or IT contractor accesses your systems remotely, confirm they enforce MFA for that access — the ScreenConnect case described above shows a single compromised MSP account can cascade into attacks on every business that MSP services.

3. Test Your Backups — Not Just Create Them

Qilin affiliates specifically target backup infrastructure before detonating ransomware. Backups connected to the live network at the time of attack are typically deleted or encrypted, removing the organisation's primary recovery option. The ACSC's recommended baseline is the 3-2-1 rule: three copies of critical data, on two different media types, with at least one copy held offline or in an immutable, air-gapped location that cannot be reached from a compromised network account. Equally important: test recovery from that offline backup. If you have not performed and verified a full system restore in the last 90 days, you do not have a functioning backup strategy — you have an untested one.
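As an added illustration of items 2 and 3 (not code from the original post or from any organisation it names), the following Python check applies the post's stated baselines, the 3-2-1 rule with a verified offline restore inside 90 days and MFA in front of every remote access path, to a constructed inventory; the dataclass fields, sample names and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MAX_RESTORE_AGE = timedelta(days=90)  # the post's "full restore in the last 90 days" bar

@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                             # e.g. "disk", "tape", "object-storage"
    offline: bool                          # immutable/air-gapped, unreachable from a compromised account
    last_verified_restore: Optional[date]  # last successful full restore test, None if never run

@dataclass(frozen=True)
class RemoteAccessPath:
    name: str
    protocol: str                 # "rdp", "vpn" or "rmm" (an MSP's remote-management tool)
    mfa: bool                     # MFA enforced on the path itself
    behind_mfa_vpn: bool = False  # reachable only via a VPN that enforces MFA

def audit_backups(copies: List[BackupCopy], today: date) -> List[str]:
    """Findings against 3-2-1 plus a recent tested offline restore; empty list = baseline met."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs three")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies share one media type; 3-2-1 needs two")
    offline = [c for c in copies if c.offline]
    if not offline:
        findings.append("no offline/immutable copy; every copy is reachable from the live network")
    # A restore test only counts if it came from an offline copy within the 90-day window.
    recent = [c for c in offline
              if c.last_verified_restore and today - c.last_verified_restore <= MAX_RESTORE_AGE]
    if offline and not recent:
        findings.append("no verified full restore from an offline copy in the last 90 days")
    return findings

def audit_remote_access(paths: List[RemoteAccessPath]) -> List[str]:
    """Findings for any remote path (RDP, VPN, MSP tooling) with no MFA in front of it."""
    return [f"{p.name}: {p.protocol} access without MFA" + (" (put RDP behind an MFA VPN)" if p.protocol == "rdp" else "")
            for p in paths if not (p.mfa or p.behind_mfa_vpn)]

# Constructed sample inventory for a fictional business, not real data.
COPIES = [BackupCopy("nightly-nas", "disk", False, date(2026, 4, 20)),
          BackupCopy("weekly-tape", "tape", True, date(2025, 12, 1)),   # test older than 90 days
          BackupCopy("cloud-immutable", "object-storage", True, None)]  # never restore-tested
PATHS = [RemoteAccessPath("office-rdp", "rdp", mfa=False),
         RemoteAccessPath("staff-vpn", "vpn", mfa=True),
         RemoteAccessPath("msp-remote-tool", "rmm", mfa=False)]
print(audit_backups(COPIES, date(2026, 4, 29)), audit_remote_access(PATHS))
```

The sample inventory passes the copy-count and media checks but fails on restore testing, which is exactly the gap the post describes: backups exist, yet none has been proven recoverable recently.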

4. Know Your Notifiable Data Breaches Obligations in Advance

Under Australia's Privacy Act, organisations that experience a data breach involving personal information — which includes client data posted on a Qilin darknet leak site — are required to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals within 30 days of becoming aware of the breach. Pre-incident planning dramatically reduces the chance of a regulatory breach compounding the original security incident. That planning means having a documented incident response plan, knowing which legal counsel to contact, and understanding which categories of data your organisation holds that would trigger notification obligations. An incident response retainer with a specialist firm is significantly cheaper than an emergency engagement negotiated under pressure during an active incident.

5. Audit Your Cyber Insurance Coverage Now

Insurers are tightening Qilin-related exclusions in response to sustained claims activity across the Australian market. Reviewing your current policy's ransomware coverage — specifically whether it covers double extortion costs, legal fees associated with data breach notification, and business interruption — before an incident means you understand what you actually have rather than discovering coverage gaps when you need to make a claim. If your insurer requires evidence of specific controls such as offline backups, MFA, and patched perimeter devices, those requirements align with what reduces actual exposure. The insurance requirements and the security requirements are not in tension — they describe the same baseline.

Ransomware, Regulation, and Building Resilience

Qilin's dominance in 2026 reflects a broader structural shift in the cybercrime economy rather than any exceptional capability on the group's part. The RaaS model has made sophisticated ransomware deployment accessible to criminals who lack the technical skills to build their own tooling. The operational skill required from an affiliate is substantially lower than it was five years ago: mature automation handles much of the post-compromise activity, and initial access brokers sell pre-established footholds in compromised networks to any buyer willing to pay.

For Australian businesses, this means the threat is not going to self-resolve. Qilin will eventually decline as RansomHub did when law enforcement disrupted it, but successors always emerge. The structural conditions making Australian organisations attractive targets — well-capitalised businesses, English-language records that are easier to monetise, and historically lower security investment than comparable economies — will persist regardless of which RaaS brand dominates.

The regulatory environment is tightening in parallel. Australia's Privacy Act reforms have expanded civil liability exposure for organisations whose data is publicly leaked. The 30-day Notifiable Data Breaches window is not generous when an organisation is simultaneously managing incident response, legal counsel, stakeholder communications, and system recovery. Pre-incident planning — having a documented response plan and knowing which legal counsel to call — is the practical answer to that constraint.

On paying a ransom: the ACSC, CISA, and Europol collectively advise against it. Paying does not guarantee data recovery — decryption tools from affiliates are sometimes defective — and does not guarantee stolen data will be deleted. Multiple documented cases show ransomware groups publishing data after payment regardless of assurances. The point of offline backups, a tested recovery plan, and cyber insurance is that they expand leadership's options when that decision is forced, rather than leaving payment as the only practical path.

The ACSC's ransomware prevention and response guidance is freely available at cyber.gov.au, written for non-technical business owners as well as IT teams. The Essential Eight framework, ransomware response checklist, and small business security guide require no specialist budget — just the time to read and act on them. The world's most prolific ransomware group is targeting Australian businesses of every size — that time is well spent.


The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.