Pierluigi Paganini June 22, 2025

Qilin ransomware gang now offers a “Call Lawyer” feature to help affiliates pressure victims into paying, per Cybereason.

The Qilin ransomware group is now offering legal support to its affiliates through a “Call Lawyer” feature to pressure victims into paying. This move, reported by cybersecurity firm Cybereason, shows Qilin stepping up its operations and trying to take over space left by rival cybercrime groups.

The Qilin ransomware group has been active since at least August 2022 but gained attention in June 2024 for attacking Synnovis, a UK governmental service provider for healthcare. The group typically employs “double extortion,” stealing and encrypting victims’ data, then threatening to expose it unless a ransom is paid. Qilin ransomware group provides affiliates with ransomware tools and infrastructure, taking a 15–20% share of the ransom payments.

Like other ransomware operation, Qilin orders its affiliates not to target systems located in CIS countries

Qilin is emerging as a major ransomware player, offering more than just malware. With advanced tools, legal help, spam services, and massive data storage, it’s positioning itself as a full-service cybercrime platform. As older groups fall, Qilin is stepping in to lead the next wave of ransomware-as-a-service operations.

“A notable feature is the “Call Lawyer” function, which provides legal consultation to increase pressure during ransom negotiations. Additionally, with network propagation capabilities and a DDoS option introduced in April 2025, Qilin enhances its adaptability for various attack scenarios.” reads the report published by Cybereason.

The “Call Lawyer” feature makes pressure to the victims by offering legal consultations during ransom talks. This tactic aims to intimidate companies by introducing legal risks, inflating potential damages, and even enabling direct negotiations. Combined with recent upgrades like network spreading and a DDoS option, Qilin shows growing sophistication, making it more effective and adaptable across various cyberattack scenarios.

Below is the translation of the text published by the ransomware group:

“A new feature has been added to our panel: legal assistance.

If you need legal consultation regarding your target, simply click the “Call lawyer” button located within the target interface, and our legal team will contact you privately to provide qualified legal support.

The mere appearance of a lawyer in the chat can exert indirect pressure on the company and increase the ransom amount, as companies want to avoid legal proceedings. The benefits of working with the legal department include:

• Advice on how to inflict maximum financial damage on the company if it refuses to comply (and how to avoid similar situations in the future).”
• Legal assessment of your data;
• Classification of violations in accordance with applicable legal acts in different jurisdictions;
• Legal evaluation of potential damages (including lawsuits, legal costs, reputational risks);
• Ability to conduct direct negotiations between the company and the lawyer;

“Backed by a strong operational model, including legal support for clients (“Call Lawyer”), and incentives and technology for successful, unprecedented ransomware payouts.” reads the report published by Qualys.

The heatmap below reporting host compromises shows that Qilin is intensifying its activity and emerging as a growing threat.

“To stay resilient against sophisticated threats like Qilin ransomware, organizations need a proactive, well-rounded strategy.” concludes qualys.”From strengthening user awareness to validating incident response and hardening technical environments, the following measures help build confidence in your readiness and reduce exposure across the board.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)