Qilin ransomware group claims the hack of German political party Die Linke

April 4, 2026, 14:37

Qilin ransomware claims it stole data from Germany’s Die Linke and threatens to leak it; the party confirmed the incident, but not a breach.

The Qilin ransomware group claims it stole data from Die Linke, a German political party, and is threatening to release it.

Die Linke is a left-wing political party in Germany. Its name means “The Left”, and it promotes policies focused on social justice, workers’ rights, and reducing economic inequality. Founded in 2007, it emerged from a merger of earlier leftist groups, including parties with roots in former East Germany.

The party disclosed the cyber incident on March 27, one day after the attack, but did not confirm whether threat actors had stolen data.

The party discovered the cyberattack on Thursday and immediately took parts of its IT systems offline to limit damage. It informed staff, alerted authorities, and promptly filed a criminal complaint.

As of the latest official data, Die Linke has about 123,126 members (end of 2025).

“According to current information, the perpetrators aim to publish sensitive data from within the party organization, as well as personal information of employees at party headquarters. It is impossible to assess whether and to what extent this will succeed or has already occurred. However, a corresponding risk exists,” reads a press release published by the German party. “The party’s membership database was not affected. The perpetrators did not succeed in stealing any member data.”

The party confirmed that attackers did not access its membership database or steal member data. It linked the incident to the Qilin ransomware group, a Russian-speaking cybercrime organization that may pursue financial and political goals.

The party is taking rapid action to limit damage, working with authorities and IT experts to restore systems and resume normal operations as quickly as possible.

On April 1, Qilin announced the attack on Die Linke and added the party to its Tor data leak site, but shared no samples as proof of the breach.

The Qilin ransomware operation has been active since 2022 and became one of the most active RaaS groups in 2025, claiming over 40 victims monthly and peaking at 100 in June.

The group enables affiliates to deploy customized ransomware payloads against targeted organizations. Qilin uses double-extortion tactics, encrypting data while threatening to leak it via Tor-based portals. The group has targeted multiple sectors worldwide, including healthcare, manufacturing, and finance, leveraging phishing and known vulnerabilities.

In October 2025, Resecurity’s researchers detailed how the Qilin RaaS group relies on global bulletproof hosting networks to support its extortion operations.

In early October, the ransomware groups DragonForce, LockBit, and Qilin formed a strategic alliance to enhance their attack capabilities, marking a major shift in the cyber threat landscape. The alliance aims at sharing tools and infrastructure to enhance attack effectiveness.

At the end of March, the Qilin ransomware group allegedly breached the chemical manufacturing giant Dow Inc.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

Qilin Ransomware allegedly breached chemical manufacturer giant Dow Inc

March 31, 2026, 04:21

Qilin ransomware claims a breach of Dow Inc., listing it on its Tor leak site, but no proof of the hack has been released yet.

The Qilin ransomware group allegedly breached the chemical manufacturing giant Dow Inc. The cybercrime group added the company to its Tor data leak site, but at this time, it has not published any proof of the hack.

Dow Inc has allegedly been breached by Qilin Ransomware.

Dow is one of the world’s largest chemical manufacturers with revenues of @ $40 billion pic.twitter.com/ZdrCVmLrYj

— Dominic Alvieri (@AlvieriD) March 30, 2026

Dow Inc. is a global chemical manufacturing giant headquartered in the United States. The company employs approximately 36,000 people worldwide and generates annual revenues of around $40 billion. It operates in more than 160 countries, supplying advanced materials, chemicals, and plastics to industries including packaging, infrastructure, mobility, and consumer applications.

The Qilin ransomware operation has been active since 2022 and became one of the most active RaaS groups in 2025, claiming over 40 victims monthly and peaking at 100 in June.

The group enables affiliates to deploy customized ransomware payloads against targeted organizations. Qilin uses double-extortion tactics, encrypting data while threatening to leak it via Tor-based portals. The group has targeted multiple sectors worldwide, including healthcare, manufacturing, and finance, leveraging phishing and known vulnerabilities.

In October 2025, Resecurity’s researchers detailed how the Qilin RaaS group relies on global bulletproof hosting networks to support its extortion operations.

In early October, the ransomware groups DragonForce, LockBit, and Qilin formed a strategic alliance to enhance their attack capabilities, marking a major shift in the cyber threat landscape. The alliance aims at sharing tools and infrastructure to enhance attack effectiveness.

Pierluigi Paganini

(SecurityAffairs – hacking, Dow Inc)

ApolloMD data breach impacts 626,540 people

February 12, 2026, 14:58

A May 2025 cyberattack on ApolloMD exposed the personal data of over 626,000 patients linked to affiliated physicians and practices.

ApolloMD is a US-based healthcare services company that partners with hospitals, health systems, and physician practices. It provides practice management, staffing, revenue cycle, and administrative support services. The company works with affiliated physicians across specialties such as emergency medicine, hospital medicine, anesthesia, and radiology, helping providers manage clinical and operational functions.

ApolloMD disclosed a data breach after a May 2025 cyberattack. The security breach compromised the personal information of more than 626,000 individuals, impacting patients of affiliated physicians and medical practices served by the healthcare management provider.

According to data published by the US Department of Health and Human Services, the exact number of impacted people is 626,540.

Hackers accessed and stole sensitive data, prompting the company to notify impacted individuals.

The company detected unusual activity on May 22, 2025, launched an investigation with the help of a forensic firm, and notified law enforcement. Investigators found that an unauthorized party gained access to its IT systems, including patient files, between May 22 and 23. The exposed data varies by individual and includes names, birth dates, addresses, diagnoses, treatment details, insurance data, and in some cases Social Security numbers.

ApolloMD notified managed physician practices between July and September 2025.

“Our investigation determined that an unauthorized party accessed ApolloMD’s IT environment between May 22, 2025 and May 23, 2025. While in the IT environment, the unauthorized party may have accessed and/or acquired files that contain information for patients treated by ApolloMD’s affiliated physicians and practices. The information involved varied by patient and includes names in combination with one or more of the following: dates of birth, addresses, diagnosis information, provider names, dates of service, treatment information, and/or health insurance information. For some individuals, the incident may have also involved their Social Security numbers.” reads the notice of security breach published by the company. “On September 17, 2025, notification letters began being mailed to patients whose information may have been involved in the incident.”

ApolloMD did not publish technical details about the incident; however, the Qilin ransomware group claimed the data breach in June 2025.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Romania’s national oil pipeline firm Conpet reports cyberattack

February 9, 2026, 05:55

Romania’s national oil pipeline operator Conpet said a cyberattack disrupted its business systems and temporarily knocked its website offline.

Conpet is a state-controlled company that owns and operates the country’s crude oil, condensate, and liquid petroleum product pipeline network. Its main role is to transport oil from domestic production fields and import points to refineries across Romania.

A company press release states that it detected a cyberattack on February 3, 2026, which impacted the company’s business IT infrastructure.

CONPET clarifies that operational technologies were not affected, including the SCADA and telecommunications systems, and that the National Oil Transport System continues to operate normally without disruptions or safety issues. Oil and fuel transport activities remain fully functional.

As a consequence of the incident, the company’s website (www.conpet.ro) is currently inaccessible.

The company reports that its internal specialists immediately activated mitigation measures and are working closely with Romania’s national cybersecurity authorities to investigate the incident and restore affected systems as quickly as possible.

On the same day, CONPET also filed a criminal complaint with the Directorate for Investigating Organized Crime and Terrorism (DIICOT), Romania’s organized crime and terrorism investigation directorate.

Finally, the pipeline operator emphasizes that the incident does not affect its operational activity, financial stability, or ability to meet contractual obligations.

“CONPET S.A. informs about the fact that, on 03.02.2026, there was a cyber attack that affected the business IT infrastructure of the company.” reads the press release published by the company.

“We mention that the operational technologies (SCADA System and Telecommunication System) have not been affected, thus the basic activity of the society, consisting of the transport of oil and gasoline through the National Oil Transport System, operates in normal parameters and there are no synchronization in its operation.”

The company did not provide technical details about the attack; however, the ransomware group Qilin added the company to its Tor data leak site on February 5, 2026. The extortion group claims the theft of 1TB of sensitive data and published images of stolen data as proof of the hack.

The Qilin ransomware operation has been active since 2022 and became one of the most active RaaS groups in 2025, claiming over 40 victims monthly and peaking at 100 in June. Recently, Resecurity’s researchers detailed how the Qilin RaaS group relies on global bulletproof hosting networks to support its extortion operations.

In early October, the ransomware groups DragonForce, LockBit, and Qilin formed a strategic alliance to enhance their attack capabilities, marking a major shift in the cyber threat landscape. The alliance aims at sharing tools and infrastructure to enhance attack effectiveness.

Recently, other critical infrastructure operators in Romania have suffered ransomware attacks, including Romania’s largest coal-based power producer Oltenia Energy Complex and Romanian energy supplier Electrica Group.

Pierluigi Paganini

(SecurityAffairs – malware, Conpet)
