Two newcomers have made their way onto the ransomware threat group stage, becoming the biggest threat to the energy and utilities sector in 2025.
According to the most recent data from Trustwave SpiderLabs’ Energy and Utilities Sector Deep Dive: Ransomware Threat Groups, Hunters International and Qilin (pronounced Chee Lin) displaced LockBit as the most active group attacking these sectors. Each emerged from LockBit's shadow in the second half of 2024 after law enforcement disrupted LockBit's operation in February 2024.
LockBit was a formidable ransomware-as-a-service (RaaS) provider and among the most active worldwide, measured by the number of victims claimed on its Dark Web site. The FBI has recorded about 1,700 attacks, netting around $91 million from its victims.
But with LockBit’s apparent demise, let's take a look at the newcomers.
Hunters International
Hunters International is a RaaS operator that first appeared in October 2023, not long after law enforcement took down the RaaS group Hive. Hunters denies any connection, but it does use Hive's source code and infrastructure, which it claims to have acquired on its own.
It has struck an estimated 250 targets as of December 2024.
The group operates widely and does not focus on specific industries, although it is a prominent player against energy and utility suppliers. The one area the group, which primarily communicates in English and Russian, is picky about is its avoidance of targets in the former Commonwealth of Independent States.
Be that as it may, Hunters now operates a mixed bag of ransomware attacks, sometimes conducting double extortion attacks and combining data theft with encryption, but more often just exfiltrating the data.
Hunters’ Rust-based malware targets Windows and Linux systems searching all available drives, including network drives, using the WIN32 API function GetLogicalDriveStringsW. It selectively excludes certain files, folders, and extensions from encryption, such as critical system files (e.g., boot.ini, ntldr), specific directories (e.g., Windows, System Volume Information), and non-essential extensions (e.g., .exe, .dll).
Qilin
Qilin, AKA Water Galura (Trend Micro) and GOLD FEATHER (Secureworks), is a highly sophisticated RaaS threat group that has established itself as a major player in the ransomware landscape.
Initially launched as "Agenda" in July 2022, the group rebranded as "Qilin" two months later. The unusual name may be derived from the mythical Chinese creature "Qilin," symbolizing strength and adaptability. However, the group is likely Russian as it exclusively advertises on the Russian-speaking forum Ransom Anon Market Place.
The Qilin RaaS will handle payload generation, the publication of stolen data, and ransom negotiations. Affiliates using the Qilin RaaS platform can receive up to 80% of ransom payments if the total is $3 million or less, while ransoms exceeding $3 million can increase the affiliate's share to 85%.
Like Hunters International, Qilin operates globally and does not discriminate, hitting targets through North and South America, Europe, APAC, and the Middle East. The group's activity level picked up late in 2023, but SpiderLabs saw a marked uptick in 2024. This increase in attacks was supported by a new version of the RaaS malware, Qilin.B, which security analysts first observed in October 2024.
Qilin.B is an advanced version of the Qilin ransomware family, built on previous iterations with enhanced encryption capabilities. It terminates services (T1489) associated with security tools, clears Windows Event Logs (T1070.001) to hinder forensic analysis, and deletes itself (T1070.004) to reduce traces of its presence, making detection more difficult.
The fact that two relative newcomers to the RaaS family emerged as the primary antagonists for the energy and utilities sector in 2024 is not surprising.
Over the years, ransomware groups have shown resilience and adaptability, often dismantled by law enforcement only to reemerge under new identities. As noted previously, LockBit's demise paved the way for Hunters International and Qilin, a pattern that will likely continue.
Please download the Threat Groups report for additional details on Hunters International and the other hazardous threat groups impacting the energy and utilities sector along with its companion reports:
