Qilin Ransomware Targets Organizations Worldwide Using FortiGate Vulnerabilities

In a concerning development, the threat intelligence firm PRODAFT has reported that the notorious Qilin ransomware group, tracked by PRODAFT as Phantom Mantis, intensified its operations between May and June 2025. By exploiting multiple vulnerabilities in FortiGate products, including CVE-2024-21762 (an out-of-bounds write in the FortiOS SSL VPN component that allows unauthenticated remote code execution) and CVE-2024-55591 (an authentication bypass that grants an unauthenticated attacker super-admin privileges), the group has successfully compromised several organizations, raising alarms for both cybersecurity professionals and business owners globally.

The Qilin group, known for its double extortion tactics, has been active since at least August 2022. It gained considerable attention in June 2024 following a high-profile attack on Synnovis, a UK pathology services provider to the NHS. The group encrypts sensitive data and threatens to leak it unless a ransom is paid. Although this campaign has so far concentrated on Spanish-speaking countries, experts warn that Qilin may expand its scope and launch more attacks globally.

What PRODAFT Reports: A Coordinated Attack Campaign

PRODAFT’s warning highlighted that the Qilin ransomware group has launched an organized and ongoing campaign between May and June 2025, exploiting FortiGate vulnerabilities, including CVE-2024-21762 and CVE-2024-55591. FortiGate appliances sit at the network edge in many enterprises, terminating SSL VPN sessions and enforcing firewall policy, so a flaw in them is a direct route inside. CVE-2024-21762 is an out-of-bounds write in the SSL VPN daemon that an unauthenticated attacker can trigger with crafted requests to execute code on the appliance; CVE-2024-55591 lets an unauthenticated attacker bypass authentication through the device’s Node.js websocket module and obtain super-admin rights. With either, the attacker can create administrator accounts, alter firewall and VPN configuration, and use the device as a foothold for moving into the internal network.

The ransomware group typically employs a double extortion strategy, whereby they encrypt data and demand a ransom payment. If victims do not comply, the attackers threaten to release sensitive information, causing irreparable damage to the organization’s reputation. Although Qilin has mainly targeted organizations in Spanish-speaking regions, experts speculate that the group’s activities will soon expand to more regions worldwide. Despite the regional focus, Qilin’s victims seem to be selected opportunistically, rather than based on specific sectors or geographical areas.

In line with previous trends, experts note that ransomware groups, including Qilin, are becoming increasingly sophisticated. This evolution reflects a shift towards more targeted and highly coordinated attacks, fueled by vulnerabilities in widely used enterprise security appliances. The increasing frequency of attacks exploiting FortiGate vulnerabilities means organizations need to patch these flaws urgently, keep the management interface off the public internet, and adopt comprehensive security measures to mitigate the risk of such ransomware operations.
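A practical first step when a campaign like this is announced is to find out which appliances in the fleet are still running a build without the fix. The script below is an added example, not code from PRODAFT, Fortinet or this article. It parses the version string FortiOS reports (for instance the “Version:” line of `get system status`) and compares it numerically against the first fixed build for each release train. The fixed-build thresholds are transcribed from my reading of Fortinet’s PSIRT advisories FG-IR-24-015 (CVE-2024-21762) and FG-IR-24-535 (CVE-2024-55591); confirm them against the advisories before acting on the output. Hostnames and builds in the sample inventory are constructed for the example.

```python
import re
from typing import Optional

# Added example (not PRODAFT's, Fortinet's or the article's code). The fixed-build
# thresholds below are transcribed from Fortinet PSIRT advisories FG-IR-24-015
# (CVE-2024-21762) and FG-IR-24-535 (CVE-2024-55591) as I recall them; verify
# them against the advisories before acting on this script's output.

# First fixed FortiOS build per release train. None means the train has no
# fixed build and must be migrated. A train absent from a CVE's map is not affected.
FIXED_BUILDS: dict[str, dict[str, Optional[tuple[int, int, int]]]] = {
    "CVE-2024-21762": {          # SSL VPN out-of-bounds write, unauthenticated RCE
        "7.4": (7, 4, 3),
        "7.2": (7, 2, 7),
        "7.0": (7, 0, 14),
        "6.4": (6, 4, 15),
        "6.2": (6, 2, 16),
        "6.0": None,             # no fixed build on the 6.0 train
    },
    "CVE-2024-55591": {          # auth bypass to super_admin via the Node.js websocket module
        "7.0": (7, 0, 17),       # 7.2 / 7.4 / 7.6 FortiOS trains not affected
    },
}

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a FortiOS version string such as
    'FortiGate-100F v7.0.12,build0523,230425 (GA.F)'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    # Integer tuples compare numerically. Comparing the raw strings would be wrong:
    # '7.0.9' > '7.0.14' is True lexicographically, which would mark a vulnerable
    # build as patched.
    return (major, minor, patch)


def cve_status(version: str, cve: str) -> str:
    """Return 'patched', 'vulnerable', 'no-fix' or 'unaffected' for one build and CVE."""
    major, minor, patch = parse_version(version)
    train = f"{major}.{minor}"
    trains = FIXED_BUILDS[cve]
    if train not in trains:
        return "unaffected"
    fixed = trains[train]
    if fixed is None:
        return "no-fix"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage_fleet(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each host to the CVEs still needing action (vulnerable or no-fix).
    Hosts with nothing outstanding are omitted from the result."""
    findings: dict[str, list[str]] = {}
    for host, version in inventory:
        open_cves = [
            cve for cve in FIXED_BUILDS
            if cve_status(version, cve) in ("vulnerable", "no-fix")
        ]
        if open_cves:
            findings[host] = open_cves
    return findings


# Constructed sample inventory: hostnames and builds are invented for this example.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiGate-100F v7.0.9,build0444,230109 (GA.F)"),
    ("fw-edge-02", "FortiGate-60F v7.0.17,build0682"),
    ("fw-dc-01",   "v7.4.3,build2573"),
    ("fw-legacy",  "v6.0.17,build0541"),
]

if __name__ == "__main__":
    for host, cves in triage_fleet(SAMPLE_INVENTORY).items():
        print(f"{host}: needs action for {', '.join(cves)}")
```

Note that a build being “patched” only tells you it is no longer exploitable going forward; if a device sat exposed before the upgrade, assume it may already have been compromised and review its administrator accounts and configuration as well.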

What Undercode Says: The Bigger Picture

The rise of ransomware attacks like Qilin’s, exploiting critical vulnerabilities in FortiGate devices, paints a concerning picture for organizations globally. As businesses become more dependent on internet-facing edge appliances and remote-access VPNs, a single unpatched flaw in one of those devices can expose the whole network behind it.

The Qilin ransomware group, like other sophisticated cybercriminal organizations, is exploiting remote code execution and authentication bypass flaws to escalate privileges and gain unauthorized access to internal systems. As demonstrated by their earlier attacks and the growing number of victims between May and June 2025, this threat is likely to evolve further.

These types of attacks are indicative of a broader trend in the cybercrime landscape. Many groups are targeting widely used infrastructure, such as FortiGate and other VPN solutions, to create entry points into organizations’ networks. This strategy often leads to devastating breaches, where cybercriminals steal confidential data, encrypt files, and extort organizations for ransom. In some cases, the stolen data is leaked to the dark web, causing long-term damage to the victim’s business.

Additionally, the use of “double extortion” tactics, where the victim is pressed to pay both to recover encrypted data and to prevent stolen data from being published, is becoming more common. This is not only a financial issue but also an existential one, as businesses risk losing customer trust and facing legal consequences for data breaches.

It is crucial for organizations to take immediate steps to protect themselves, including patching known vulnerabilities, upgrading firewalls, and training employees to recognize phishing attempts. Patching alone is not enough if a device was exposed before the fix was applied: it should be reviewed for administrator accounts and configuration changes the owner did not make, and its credentials rotated. As the cyber threat landscape grows more complex, staying ahead of these threats will require a multi-layered cybersecurity strategy, vigilance, and proactive measures.

Fact Checker Results

CVE-2024-21762 and CVE-2024-55591 are indeed critical vulnerabilities that can be exploited to gain unauthorized access to FortiGate devices. This is confirmed by Fortinet’s own PSIRT advisories, and both CVEs are listed in CISA’s Known Exploited Vulnerabilities catalog.
The Qilin ransomware group has been active since 2022, and its most high-profile attack to date, on Synnovis, took place in June 2024, aligning with the timeline provided.
Ransomware groups increasingly use vulnerabilities in widely used software, including FortiGate, to deploy attacks, which is supported by multiple cybersecurity reports and expert analysis.

Prediction

Looking ahead, the Qilin ransomware group is likely to expand its targeting beyond Spanish-speaking countries, potentially affecting global organizations. As the cybercriminal ecosystem grows more interconnected, we may see even more sophisticated methods of exploiting vulnerabilities in enterprise-grade security systems. Organizations worldwide must adopt a more proactive approach to cybersecurity, focusing on regular updates, vulnerability patching, and comprehensive threat monitoring to defend against evolving ransomware threats like Qilin.

References:

Reported By: securityaffairs.com