Qilin emerges as the most-active healthcare ransomware brand of Q1 2026
Russian-speaking ransomware-as-a-service operation tracked by vendors as Qilin (and earlier as Agenda). Best known publicly for the 3 June 2024 compromise of Synnovis — the pathology-services provide…
Summary
Q1 2026 healthcare ransomware tracking attributed 23 claimed attacks (4 confirmed) to Qilin across U.S. and German healthcare providers — making Qilin the most- active brand against the sector for the quarter. Aggregate Q1 2026 healthcare-sector tracking recorded 120 ransomware attacks across all brands (a 14% decline from Q4 2025) but the average ransom demand surged to $16.9M, up from $577,800 the prior quarter — a strategic shift toward fewer, more-selective targets with higher capacity to pay. Qilin's persistent healthcare focus since the June 2024 Synnovis incident represents the clearest sustained vendor-style specialisation in the post-2024 ransomware market.