227/68 Tuesday, June 24, 2025
The Qilin ransomware group has escalated its operations by launching a new feature called “Call Lawyer”, offering legal advisory services to its affiliates to help pressure victims into paying ransom. According to cybersecurity firm Cybereason, Qilin is aiming to position itself as a major player in the Ransomware-as-a-Service (RaaS) ecosystem, filling the void left by dismantled cybercrime groups.
Active since August 2022, Qilin gained significant attention in June 2024 after its attack on Synnovis, a UK-based public health provider. The group employs a double extortion strategy—both encrypting and stealing data, threatening to leak it if the ransom is not paid. Qilin supplies its affiliates with tools, infrastructure, and retains 15–20% of the ransom payments. It also enforces a rule prohibiting attacks within CIS countries (former Soviet states), a common practice among ransomware groups linked to Russian-speaking regions.
Reports from Cybereason and Qualys indicate that the “Call Lawyer” feature goes beyond technical enhancement—it expands cybercrime into the legal domain. Lawyers are brought into ransom negotiations to assess legal risks, such as potential lawsuits, regulatory fines, and reputational damage, thereby increasing pressure on victims. They may even assist affiliates in crafting attacks that maximize legal and financial consequences if the ransom is refused. In some cases, the lawyer directly negotiates with the victim organization. This marks Qilin’s evolution from a simple malware provider into a full-fledged cybercrime service platform, now also incorporating DDoS attacks and network propagation tools, significantly raising the threat level to organizations worldwide.
