The Qilin ransomware group has claimed simultaneous attacks against two firms in different industries and continents: Ruhnau Clarke, a US-based architecture firm, and Biogel, a Swiss medical and biotechnology manufacturer. Qilin exfiltrated 1.6 terabytes of data across more than 300,000 files before deploying ransomware, a textbook double extortion operation. Stolen material includes architectural blueprints, client financial records, proprietary biotech formulas, and trade secrets. Neither firm has issued a public statement confirming or denying the attack. Qilin posted both victims to its leak site.

What Happened

Qilin listed Ruhnau Clarke and Biogel on its dark web extortion portal as part of the same operational cycle. The group exfiltrated data from both organizations prior to encryption, the standard double extortion playbook, giving them leverage to demand payment under threat of public release regardless of whether victims can restore from backup.

Ruhnau Clarke is a US architecture firm whose practice centers on design projects involving confidential client relationships, proprietary project specifications, and financial agreements. Biogel operates in the Swiss medical manufacturing and biotechnology space, a sector where intellectual property (formulations, process documentation, R&D data) represents core business value and is subject to strict regulatory frameworks in both Switzerland and the EU.

Qilin posted proof-of-life samples of the stolen data to its leak site and set a payment deadline. The attacks appear to be independent targeting decisions rather than a coordinated sector campaign, illustrating Qilin's indiscriminate operational posture: any organization with valuable IP and inadequate defenses is a viable target.

What Was Taken

1.6 terabytes across 300,000+ files, split across two organizations. Based on Qilin's leak site disclosures and the nature of both victims:

Ruhnau Clarke:
  - Architectural drawings and project blueprints: proprietary design documentation for current and past clients
  - Client financial records: billing, contracts, project budgets
  - Internal business documents: correspondence, operational records, potentially employee data

Biogel:
  - Proprietary product formulas and biotech process documentation: core trade secrets
  - R&D data and manufacturing specifications
  - Regulatory compliance documentation, potentially including submissions to Swiss and EU health authorities
  - Client and partner records

For Biogel specifically, the exposure of formulation and manufacturing IP represents existential competitive risk. Biotech trade secrets are not recoverable once disclosed; unlike financial data, you cannot change a formula the way you change a password.

Why It Matters

Two distinct risk profiles, one campaign:

For architecture and engineering firms: This sector has been systematically underinvesting in cybersecurity relative to its IP exposure. Architectural plans are valuable for competitive intelligence, construction fraud, and physical security reconnaissance. Firms holding designs for government buildings, critical infrastructure, or high-value commercial properties represent a target class that ransomware operators are increasingly recognizing.

For medical manufacturers and biotech: Biogel's exposure is the higher-consequence incident of the two. Proprietary formulations and process documentation represent years of R&D investment. In the wrong hands (a competitor, a state actor, a counterfeit manufacturer) this data has value that persists long after any ransom deadline passes. Regulatory filings in the stolen dataset could also expose compliance vulnerabilities.

Qilin's operational tempo is the broader concern. The group has been accelerating its victim count through 2025-2026, targeting mid-market enterprises across sectors with the consistent hypothesis that these organizations have more to lose from data exposure than from paying a ransom. Their leak site discipline and data exfiltration methodology suggest a mature, well-resourced operation.

The Attack Technique

Qilin's documented attack chain, consistent across its known operations, follows this pattern:

  1. Initial access via phishing, exposed RDP, or purchased credentials from initial access brokers. Qilin has been observed exploiting vulnerabilities in VPN appliances and public-facing services in previous campaigns.
  2. Persistence and privilege escalation: establishing footholds, moving laterally to identify high-value data stores and backup infrastructure.
  3. Data staging and exfiltration: methodical collection of target files prior to encryption, typically via cloud storage services or direct transfer to attacker infrastructure.
  4. Ransomware deployment: encrypting endpoints and servers after exfiltration is complete, maximizing leverage.
  5. Double extortion: posting victims to leak site with countdown timers, proof-of-life data samples, and escalating pressure.

The specific initial access vector for Ruhnau Clarke and Biogel has not been publicly confirmed. The 1.6TB exfiltration volume and 300,000+ file count suggest dwell time measured in days to weeks before encryption was deployed, consistent with Qilin's known methodology of thorough pre-encryption reconnaissance.

What Organizations Should Do

  1. Audit and close external attack surface immediately. Qilin consistently exploits internet-facing services: VPNs, RDP, public-facing web applications. Run an external attack surface scan. Patch or take offline any appliances with known vulnerabilities. Enforce MFA on all remote access without exception.

  2. Implement network segmentation to limit lateral movement. If an attacker lands on one workstation, they should not have a clear path to your file servers, backup infrastructure, and IP repositories. Segment networks by function and enforce least-privilege access between segments.

  3. Protect backups as a first-class security asset. Qilin targets backup systems before deploying ransomware. Offline or immutable backups that cannot be reached from the production network are mandatory. Test restoration regularly; a backup you've never restored is not a backup.

  4. Deploy endpoint detection with behavioral analytics. Signature-based AV does not catch Qilin. Deploy EDR with behavioral detection tuned to flag large-scale file access, unusual data staging behavior, and credential harvesting activity. Alert on bulk file reads from non-standard processes.

  5. Classify and protect your most sensitive IP explicitly. Architecture firms should identify which project files represent the highest-value targets (government contracts, critical infrastructure designs) and apply additional controls. Biotech firms should treat formulation and process documentation as crown jewels with access logging, DLP controls, and restricted network paths.

  6. Develop and test a ransomware-specific incident response plan. Know in advance who makes the containment decision, who handles law enforcement notification (FBI for US entities, NCSC for Swiss entities), who manages client communication, and what your negotiation posture is. The worst time to figure this out is after encryption.
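The "bulk file reads from non-standard processes" alert in recommendation 4 can be prototyped as a sliding-window count of distinct files per process. The following is an added example, not code from the article or from any vendor; the record format, allowlist, threshold and sample telemetry are all assumptions chosen for illustration.

```python
"""Flag bulk file reads by non-standard processes (added example, not from the article).
Input: simplified file-access audit records, constructed here and modelled on the fields
an object-access audit event or EDR file telemetry would carry. A process not on the
allowlist that reads more than THRESHOLD distinct files within a sliding WINDOW is
reported once. Names, thresholds and sample data are assumptions for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALLOWLIST = {"backupagent.exe", "searchindexer.exe"}  # assumed legitimate bulk readers
THRESHOLD = 5                                        # distinct files per window
WINDOW = timedelta(minutes=10)

def parse_event(line):
    """Parse 'ISO-timestamp|host|user|process|path' into a dict."""
    ts, host, user, proc, path = line.strip().split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "process": proc.lower(), "path": path}

def detect_bulk_reads(lines, threshold=THRESHOLD, window=WINDOW):
    """Return [(host, process, distinct_files)] per offending process; events chronological."""
    recent = defaultdict(deque)  # (host, process) -> deque of (ts, path)
    alerted, alerts = set(), []
    for ev in (parse_event(l) for l in lines if l.strip()):
        if ev["process"] in ALLOWLIST:
            continue
        key = (ev["host"], ev["process"])
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:  # expire reads outside the window
            q.popleft()
        distinct = len({path for _, path in q})
        if distinct > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ev["host"], ev["process"], distinct))
    return alerts

# Constructed telemetry: a backup agent (allowlisted), a user opening two documents,
# and an unfamiliar binary sweeping the project share within six minutes.
SAMPLE_EVENTS = (
    [f"2025-01-10T02:00:0{i}|FS01|svc_backup|BackupAgent.exe|D:/projects/p{i}.dwg"
     for i in range(7)]
    + ["2025-01-10T09:05:00|WS22|jdoe|WINWORD.EXE|D:/projects/spec1.docx",
       "2025-01-10T09:06:00|WS22|jdoe|WINWORD.EXE|D:/projects/spec2.docx"]
    + [f"2025-01-10T10:1{i}:00|FS01|jdoe|unknowntool.exe|D:/projects/p{i}.dwg"
       for i in range(6)]
)

if __name__ == "__main__":
    for host, proc, n in detect_bulk_reads(SAMPLE_EVENTS):
        print(f"ALERT {host}: {proc} read {n} distinct files within {WINDOW}")
```

In production the same logic would run over the EDR or audit-log stream rather than a list, with the threshold tuned per host role so that file servers and user workstations are not held to the same baseline.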

Sources