Cisco Talos reports the Qilin ransomware group is employing a sophisticated tactic, utilizing legitimate Windows utilities like MSPaint and Notepad for manual data reconnaissance to identify high-value information, thereby bypassing traditional detection mechanisms. This method allows the group, which averages over 40 victims monthly across manufacturing and professional services, to maximize data exfiltration before encryption, leveraging tools such as Cyberduck for cloud-based exfiltration. The evolving threat underscores heightened data breach risks for enterprises, necessitating robust cybersecurity investments in network segmentation, legitimate application abuse monitoring, and immutable backups to mitigate significant financial and operational exposure.
Cisco Talos has identified a significant evolution in the Qilin ransomware group's tactics: the operators use legitimate Windows utilities such as MSPaint and Notepad for manual data reconnaissance. Because these are trusted, signed applications, the approach lets attackers bypass traditional detection mechanisms while they maximize data exfiltration before deploying encryption. The group has operated since July 2022 and was claiming over 40 victims monthly as of H2 2025, primarily in manufacturing (23%) and professional services (18%). Qilin's post-compromise workflow involves credential harvesting with tools like Mimikatz, packaging of data with WinRAR, and manual inspection of the collected files to identify high-value information. Exfiltration is carried out with the open-source client Cyberduck, uploading to cloud storage such as Backblaze (BLZE), which further hides the activity within trusted domains. The Ransomware-as-a-Service (RaaS) operation has global reach, with victims in the US, UK, and Germany, and is suspected to be of Eastern European or Russian-speaking origin. The strongly negative sentiment (-0.75) surrounding this evolving threat underscores heightened cybersecurity risks for enterprises. While Backblaze (BLZE) carries negative sentiment (-0.4) because its services are abused for exfiltration, Cisco (CSCO) shows positive sentiment (0.5), likely reflecting its role in threat intelligence and the potential for increased demand for its security solutions. Organizations are advised to implement robust network segmentation, multi-factor authentication, and immutable backups to counter these evasion techniques.