Ransomware Group Qilin Offers Operators Access to Legal Team

The developers of the Qilin ransomware have offered their partners access to legal team consultations to pressure victims into paying ransoms. This new feature was spotted by researchers from Israeli cybersecurity firm Cybereason, who noted that the ransomware’s affiliate panel now includes a "Call Lawyer" option.
Additionally, the group claims to have an in-house team of journalists who can collaborate with the legal department to publish articles, further pressuring victims.

Qilin’s Expanding Criminal Toolkit
Recently, Qilin added several new features to its affiliate panel, including:
- 1 petabyte of storage space (partly for affiliates’ personal use and partly for storing victims’ data)
- Spam distribution tools (email and phone-based)
- DDoS attack capabilities (first observed in April 2025)

Qilin’s Growing Threat
First appearing in August 2022 (originally named Agenda before rebranding), Qilin has significantly increased its activity. In April 2025 alone, its leak site listed 72 new victims, and in May, researchers linked it to 55 attacks. Some experts believe that former RansomHub affiliates may now be migrating to Qilin, contributing to its recent surge in activity.
Cybereason analysts note:
"Alongside its growing presence on cybercrime forums, Qilin boasts a technically advanced infrastructure. It offers payloads written in Rust and C, stealthy loaders with evasion capabilities, and an affiliate panel supporting Safe Mode execution, lateral movement, log cleaning, and automated negotiation tools."

The "Call Lawyer" Feature: Psychological Pressure or Marketing Gimmick?
The new "Call Lawyer" function allegedly allows affiliates to bring a legal consultant into negotiations with victims. These lawyers supposedly offer "professional advice" on:
- Legal implications of the stolen data
- Which laws the victim violated by allowing the breach
- Potential financial losses if the ransom is not paid
The lawyers may even take over negotiations, warning victims that refusing to pay could lead to greater damages.
However, Tripwire researchers suggest this is likely just a marketing tactic:
"Don’t be fooled—their goal is to attract more affiliates, increase successful ransom payments, and convince victims they’re dealing with sophisticated criminals."

Qilin’s Rise in the RaaS Landscape
Cybereason warns that Qilin is becoming a dominant force in the Ransomware-as-a-Service (RaaS) market, as former rivals like LockBit, ALPHV, Everest, and RansomHub (reportedly absorbed by DragonForce) have lost influence—often due to law enforcement actions.
The new features in Qilin’s affiliate panel suggest the group is positioning itself as a full-fledged cybercrime platform, rather than just another ransomware provider.

Key Takeaways:
- Qilin now offers legal and media pressure tactics to force ransom payments.
- Its affiliate panel has expanded with storage, spam, and DDoS tools.
- The group is growing rapidly, possibly absorbing competitors’ affiliates.
- Experts debate whether the "legal team" is a real threat or just psychological manipulation.
- Qilin is emerging as a leading RaaS operation, filling the void left by disrupted rivals.