Qilin Ransomware Introduces “Call Lawyer” Feature to Boost Pressure on Victims
June 20, 2025
In a notable shift within the landscape of ransomware attacks, the Qilin ransomware-as-a-service (RaaS) group has recently added a new feature aimed at compelling victims to comply with ransom demands. The “Call Lawyer” functionality, as reported by Israeli cybersecurity firm Cybereason, allows affiliates of the Qilin operation to provide potential legal counsel to victims, thereby amplifying the psychological pressure to pay the ransom. This strategic move comes as Qilin seeks to capitalize on the recent disruptions faced by other ransomware entities, positioning itself as a dominant force amidst a backdrop of rival groups experiencing operational declines.
The group, also known under the names Gold Feather and Water Galura, has been active since October 2022 and has seen a resurgence in activity as previously prominent ransomware operations such as LockBit, BlackCat, RansomHub, Everest, and BlackLock have suffered significant setbacks. Data gathered from dark web leak sites suggests that Qilin was the leading ransomware group in April 2025, reportedly claiming 72 victims. The following month showed a slight decrease in activity, with an estimated 55 attacks, which kept the group competitive but behind Safepay and Luna Moth.
The introduction of the “Call Lawyer” feature serves not only as a tool for coercion but also reflects an evolving approach to extortion. By invoking the prospect of legal intervention, Qilin aims to instill a sense of urgency and fear, potentially maximizing the ransom amounts collected. This tactic aligns with broader trends in the ransomware landscape, where psychological manipulation has become a key component of operational success.
Businesses that fall victim to ransomware attacks, particularly those in the United States, must remain vigilant as adversaries refine their strategies. The techniques employed by Qilin may encompass various stages outlined in the MITRE ATT&CK framework. Initial access could be gained through phishing tactics or exploitation of unpatched vulnerabilities, which illustrates the need for robust security measures to guard against unauthorized infiltration. Once access is achieved, the group may utilize persistence and privilege escalation techniques to maintain control over compromised systems, further complicating recovery efforts for impacted organizations.
As reported statistics indicate a surge in Qilin’s activity, the implications for business owners are profound. The growing sophistication of cybercriminal tactics underscores the necessity for organizations to fortify their cybersecurity postures. Companies must ensure that they are equipped with advanced threat detection, response capabilities, and employee training to mitigate the risks posed by ransomware and other cyber threats.
The evolving nature of Qilin’s operations not only signals increased challenges for potential victims but also highlights the dynamic environment in which cybersecurity professionals must operate. As Qilin and similar entities adapt their methodologies, the urgency for businesses to prioritize cybersecurity cannot be overstated. Failure to do so could leave organizations vulnerable to severe financial and reputational damage, which is why ongoing vigilance is critical in an ever-changing cyber threat landscape.