SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers
Qilin drives 43% rise in ransomware attacks

Fri, 1st May 2026
Catherine Knowles, News Editor

Ransomware attacks linked to Qilin rose 43% between February and March, according to NCC Group, which identified the group as the most active ransomware operator in the first quarter.

Its latest quarterly analysis recorded 775 ransomware attacks in March, up 22% from February. The global total for the first quarter reached 2,112 attacks, 3% lower than the previous quarter despite activity remaining elevated.

Qilin accounted for 136 attacks in March, or 18% of the total. Across the quarter, it was linked to 340 attacks, representing 16% of all recorded incidents.

Akira was the second most active group in the quarter with 191 attacks, equal to 9% of the total. Two newer groups, The Gentlemen and NightSpire, ranked third and fourth with 149 and 136 attacks respectively.

North America remained the main target for ransomware activity, accounting for 51.74% of attacks in March and 52% across the quarter.

Industrials were the most affected sector in March, with 233 attacks, or 30.06% of all incidents. Over the full quarter, the sector recorded 643 attacks.

AI concerns

The report said artificial intelligence now poses the biggest threat facing Chief Information Security Officers, as criminal groups use it for deception, automation and other stages of the attack chain, while companies introduce internal risks through insecure use.

It cited AI-generated deepfake propaganda in the Ukraine-Russia war earlier in the year and warned that such tactics could spread more widely during a period of multiple elections around the world. In social engineering, threat actors are using tools such as Google Gemini to translate messages more accurately and make them appear more credible.

NCC Group also warned about internal security weaknesses tied to AI use. It highlighted concerns over "vibe coding", saying code produced through generative AI can be insecure, and said using generative AI platforms to create passwords could produce choices that appear strong but remain predictable.

"AI is accelerating cyber risk in both scale and complexity, and underestimating this shift will quickly leave businesses of all sizes exposed. Not only are CISOs facing AI-driven ransomware and social engineering threats, but internal risk from insecure AI platforms and practices is leaving the door open to attackers.

"CISOs need to be clear that truly resilient organizations get the security basics right and treat cyber security as a board-level priority," said Matt Hull, vice president of cyber intelligence and response at NCC Group.

Vulnerability trends

The quarterly analysis also tracked a rise in reported software vulnerabilities. It found that 15,178 CVEs were added to the National Vulnerability Database during the quarter, a 27% increase from the same period a year earlier.

Cross-Site Scripting, listed as CWE-79, remained the most common weakness. SQL Injection, or CWE-89, stayed among the three most frequent weaknesses, while Missing Authorization, or CWE-862, rose to second place in 2026.

Despite the volume of disclosed flaws, fewer than 1% of vulnerabilities disclosed this year were reportedly exploited in the wild. That suggests attackers continue to focus on a relatively narrow set of weaknesses that can be turned into practical campaigns.

Ransomware methods

NCC Group said a March incident involving the Interlock group underlined how ransomware actors are shifting towards more serious software flaws. It cited exploitation of a critical vulnerability in Cisco Secure Firewall Management Center that allowed arbitrary Java code execution with root-level privileges.

The group is known for using double-extortion tactics, in which victims face demands linked to both system disruption and the threat of data exposure. The campaign suggested a move away from purely opportunistic attacks towards vulnerabilities with broader operational impact.

Hull said the slight quarterly decline in ransomware volume came alongside action by law enforcement agencies. "Ransomware attacks increased by almost a quarter in March, bringing the total in Q1 2026 to 2112. This 3% decline from Q4 2025 coincided with key government pressure, such as the FBI's Operation Winter SHIELD and Europol's disruption of the malicious proxy 'SocksExport'.

"AI might be reshaping how organizations operate, but too many businesses are still falling short at foundational hurdles - identity security, access controls, help desk processes and visibility across cloud and on-premises environments. Being prepared for how to respond makes the difference between weeks and months of recovery time - simulate incidents, test your plans, run exercises, check that back-ups actually work," Hull said.