Notorious ransomware gang Qilin has claimed responsibility for the 3 February attack on Lee Enterprises, an American media company.
On its data leak site, Qilin claimed to have stolen 350 GB of data, including “investor records, financial arrangements that raise questions, payments to journalists and publishers, funding for tailored news stories, and approaches to obtaining insider information.”
The attack disrupted many of the entity’s more than 70 newspapers and other publications, affecting operations, including distribution of products, billing, collections, and vendor payments.
“In addition, the distribution of print publications across its portfolio of products experienced delays, and online operations were partially limited. The Company anticipates a phased recovery over the next several weeks,” the company said in an SEC disclosure filed on 12 February.
The company added it has implemented temporary measures, including manual processing of transactions and alternative distribution channels, to keep critical business functions up and running while systems are being restored.
Lee Enterprises has not confirmed Qilin’s claim, but its filing does state that: “Preliminary investigations indicate that threat actors unlawfully accessed the Company’s network, encrypted critical applications, and exfiltrated certain files.”
It added that it is “actively conducting forensic analysis to determine whether sensitive data or personally identifiable information (PII) was compromised. At this time, no conclusive evidence has been identified, but the investigation remains ongoing.”
Who is Qilin?
Qilin (also known as Agenda) operates as a Ransomware-as-a-Service (RaaS) affiliate program. Its encryptor was first seen written in Go and was later rewritten in Rust, which is the variant in use today. Affiliates build a payload per victim, setting a custom extension for encrypted files and a list of processes and services to terminate (typically databases, backup agents and security tools) so that the encryption does as much damage as possible.
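The two behaviours described above, a single victim-specific extension appended to many files in a short window and the termination of backup, database or security processes, are exactly the signals a SOC can look for. The following is an added example written for this page, not code from the article or from the Qilin operators: a small Python detector run over constructed, hypothetical log lines in a made-up `key=value` format. The log format, the hostnames, the `.kx7p2` extension and the process watchlist are all assumptions chosen for illustration.

```python
"""Added example: detect mass-rename-to-one-extension and suspicious
process termination over constructed log lines (not real Qilin artifacts)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, hostnames and paths).
# FS01 shows the ransomware pattern; WS22 shows ordinary user activity.
SAMPLE_LOG = """\
2025-02-03T04:11:55Z host=FS01 event=procterm target=sqlservr.exe by=D:\\Users\\Public\\upd.exe
2025-02-03T04:11:56Z host=FS01 event=procterm target=veeam.backup.service.exe by=D:\\Users\\Public\\upd.exe
2025-02-03T04:12:01Z host=FS01 event=rename src=D:\\Share\\fin\\q1.xlsx dst=D:\\Share\\fin\\q1.xlsx.kx7p2
2025-02-03T04:12:01Z host=FS01 event=rename src=D:\\Share\\fin\\q2.xlsx dst=D:\\Share\\fin\\q2.xlsx.kx7p2
2025-02-03T04:12:02Z host=FS01 event=rename src=D:\\Share\\fin\\board.docx dst=D:\\Share\\fin\\board.docx.kx7p2
2025-02-03T04:12:02Z host=FS01 event=rename src=D:\\Share\\hr\\pay.csv dst=D:\\Share\\hr\\pay.csv.kx7p2
2025-02-03T04:12:03Z host=FS01 event=rename src=D:\\Share\\hr\\roster.xlsx dst=D:\\Share\\hr\\roster.xlsx.kx7p2
2025-02-03T04:12:03Z host=FS01 event=rename src=D:\\Share\\ads\\rates.pdf dst=D:\\Share\\ads\\rates.pdf.kx7p2
2025-02-03T09:30:00Z host=WS22 event=rename src=C:\\Users\\ed\\draft.docx dst=C:\\Users\\ed\\draft-final.docx
2025-02-03T09:31:10Z host=WS22 event=procterm target=notepad.exe by=C:\\Windows\\explorer.exe
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+)\s*(.*)$")

# Illustrative watchlist (assumption): processes ransomware commonly kills
# so that open database files and backups can be encrypted.
KILL_WATCHLIST = {"sqlservr.exe", "veeam.backup.service.exe", "vssvc.exe", "msmpeng.exe"}


def parse_log(text):
    """Turn each log line into a dict with ts, host, event and the remaining fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, host, kind, rest = m.groups()
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        fields.update(ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
                      host=host, event=kind)
        events.append(fields)
    return events


def appended_extension(src, dst):
    """Return the extension if dst is exactly src plus one new suffix, else None.
    This distinguishes 'file.xlsx -> file.xlsx.kx7p2' from an ordinary rename."""
    if dst.startswith(src + "."):
        tail = dst[len(src) + 1:]
        if tail and "." not in tail:
            return tail
    return None


def mass_rename_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Per host, report the appended extension seen on >= threshold files
    inside any sliding time window. Returns {host: (extension, count)}."""
    times = defaultdict(list)
    for e in events:
        if e["event"] != "rename":
            continue
        ext = appended_extension(e["src"], e["dst"])
        if ext:
            times[(e["host"], ext)].append(e["ts"])
    alerts = {}
    for (host, ext), ts in times.items():
        ts.sort()
        lo, best = 0, 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold and (host not in alerts or best > alerts[host][1]):
            alerts[host] = (ext, best)
    return alerts


def suspicious_kills(events, watchlist=KILL_WATCHLIST):
    """Process-termination events whose target is on the watchlist."""
    return [e for e in events
            if e["event"] == "procterm" and e["target"].lower() in watchlist]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("mass rename:", mass_rename_alerts(evs))
    for k in suspicious_kills(evs):
        print("kill:", k["host"], k["target"], "by", k["by"])
```

Note that the benign rename on WS22 is not flagged because the new name is not the old name with one suffix appended, and the threshold and window are tunable: on a real file server the rename rate and a baseline of normal extensions should be measured first, otherwise bulk archive jobs will trip the same rule.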
Initially, Qilin ransomware targeted organizations indiscriminately. Its focus has since shifted to critical infrastructure, particularly healthcare and operational technology (OT) companies. The operators employ a double extortion strategy, encrypting data while also exfiltrating sensitive information. Victims are then pressured to pay a ransom not only for the decryption key but also to prevent the release of the stolen data.
With advanced customization capabilities and malware that is tricky to detect, Qilin has evolved into a significant cyber threat. Its tactics present a serious risk to industries worldwide, especially those in critical infrastructure and OT sectors.
An Alarming Number of Incidents
Rebecca Moody, Head of Data Research at Comparitech, says: “Since it started, Qilin has claimed 47 confirmed ransomware attacks compromising 1.5 million records. Also in 2025, Qilin has claimed responsibility for breaches at the city of West Haven, CT; the German Bishops’ Conference; and the Palau Ministry of Health and Human Services.”
She says Qilin claimed another 56 unconfirmed attacks so far this year that have yet to be acknowledged by the targeted entities.
“Ransomware attacks can both lock down computer systems and steal data. If an attacked organization refuses to pay, it could face extended downtime, data loss, and put customers at increased risk of fraud,” she adds.
Moody says Comparitech researchers logged 18 confirmed ransomware attacks on US organizations so far this year, plus 1,235 unconfirmed claims by ransomware groups. That puts 2025 on track for nearly double the number of attacks recorded in 2024.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.