On 29 June, the Qilin ransomware group added two new names to its dark web leak site: Kunert Fashion, a well-known German legwear and hosiery manufacturer, and KALIACT ANCHETA et Associes, a French legal services firm. Both listings follow Qilin’s standard double-extortion script: exfiltrate sensitive data first, encrypt the victim’s systems, and threaten public release of that data if a ransom is not paid. Neither company has publicly confirmed the extent of the intrusion, which is itself typical of the early stage of a Qilin claim.
The most prolific ransomware operation of 2026
These two listings are not isolated incidents; they are the latest entries in what has become the busiest ransomware campaign of the year. Qilin has claimed more than 500 victims in 2026 alone, out of roughly 1,500 total claims since the operation launched in 2022, making it the single most active ransomware-as-a-service brand currently operating. Earlier in June, the group posted six new victims across five countries in the space of two days, a pace that reflects both an efficient affiliate model and a steady supply of exploitable entry points across corporate networks.
Manufacturing is Qilin’s preferred hunting ground, accounting for roughly 23 percent of all claimed victims, ahead of professional services, retail and hospitality, technology, and construction and engineering. Kunert Fashion’s position as a manufacturer fits that pattern precisely. Regional data from the prior quarter showed France, Germany, Spain, Italy, and the UK all among the most frequently claimed countries in Europe, and this week’s two victims, one German manufacturer and one French firm, sit squarely inside that established geography.
How Qilin gets in
Qilin’s affiliates rely heavily on stolen or brute-forced credentials for VPN and other remote access services, frequently against accounts that have no multi-factor authentication configured. That is not a sophisticated technique; it is a persistence and volume play against an authentication gap that remains common across mid-sized European organisations. Where credential theft alone is not sufficient, Qilin affiliates have also been linked to exploitation of unpatched remote access infrastructure, including a Check Point VPN authentication bypass, CVE-2026-50751, that CISA added to its Known Exploited Vulnerabilities catalog in early June after attacks against IKEv1-configured Remote Access and Mobile Access deployments.
The pattern across both the credential and the vulnerability route is the same: remote access infrastructure, the systems specifically designed to let legitimate users in from outside the network, is the door Qilin affiliates use most.
What this means for European organisations
A ransomware group claiming victims at a rate of roughly four per day across the year is not selectively targeting large enterprises with dedicated security operations centres. It is running a volume operation against whatever remote access surface presents the least resistance, and mid-sized manufacturers, professional services firms, and law firms without a dedicated security team are exactly the profile that fits. Kunert Fashion and KALIACT ANCHETA are not outliers; they are representative of the organisations Qilin’s affiliate network is built to find.
The defensive priorities that would have mattered for both this week’s victims and the hundreds before them are neither exotic nor expensive relative to the cost of a ransomware incident:
- Enforce multi-factor authentication on every VPN and remote access account without exception, including service and contractor accounts
- Patch remote access appliances on an accelerated schedule, particularly Check Point, Fortinet, and similar VPN gateways with a recent history of actively exploited vulnerabilities
- Maintain offline, tested backups that a ransomware operator with domain admin access cannot reach or encrypt
- Build and rehearse an incident response plan before an intrusion, not during one, including who makes the ransom decision and how data exfiltration is assessed
- Monitor for the credential stuffing and anomalous remote access login patterns that precede a Qilin intrusion, rather than relying solely on endpoint detection once encryption has already begun
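As an added illustration of the last point (not code from this article or from any vendor), the sketch below scans VPN authentication events for one source failing against several accounts, a success that follows from that source, and any successful login without MFA. The log format, field names, thresholds and sample lines are constructed assumptions; map them to whatever your gateway actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value format (not a vendor schema).
SAMPLE_LOG = """\
2026-06-29T02:10:01Z vpn-auth user=a.schmidt src=203.0.113.7 result=FAIL mfa=none
2026-06-29T02:10:04Z vpn-auth user=b.meyer src=203.0.113.7 result=FAIL mfa=none
2026-06-29T02:10:09Z vpn-auth user=svc-backup src=203.0.113.7 result=FAIL mfa=none
2026-06-29T02:11:30Z vpn-auth user=svc-backup src=203.0.113.7 result=OK mfa=none
2026-06-29T08:02:11Z vpn-auth user=c.weber src=198.51.100.20 result=FAIL mfa=none
2026-06-29T08:02:40Z vpn-auth user=c.weber src=198.51.100.20 result=OK mfa=totp
"""

LINE = re.compile(r"(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) "
                  r"result=(?P<result>OK|FAIL) mfa=(?P<mfa>\S+)")

def parse(text):
    """Return events sorted by time; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect(events, window=timedelta(minutes=10), min_users=3):
    """Flag sources failing against many accounts, and what follows from them."""
    alerts = set()
    fails = defaultdict(list)  # src -> [(ts, user)] failures inside the window
    for e in events:
        src, user = e["src"], e["user"]
        fails[src] = [(t, u) for t, u in fails[src] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            fails[src].append((e["ts"], user))
        spraying = len({u for _, u in fails[src]}) >= min_users
        if spraying:
            alerts.add(("credential_stuffing", src, ""))
        if e["result"] == "OK":
            if spraying:  # a guess worked: treat the account as compromised
                alerts.add(("success_after_stuffing", src, user))
            if e["mfa"] == "none":  # the MFA gap described above
                alerts.add(("login_without_mfa", src, user))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The single mistyped password from `c.weber`, followed by an MFA-backed login, raises nothing, which is the distinction between user error and a volume attack that this kind of rule has to preserve.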
If your organisation wants to assess its exposure to ransomware-as-a-service operations like Qilin, close the multi-factor authentication and VPN patching gaps that these groups depend on, or build an incident response capability before you need one, contact Excello Digital. We help European manufacturers, professional services firms, and mid-sized organisations close the remote access gaps that ransomware affiliates are actively exploiting.
