Critical Unverified

Point Four EPoS Solutions Ransomware Attack by Qilin (Apr 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

[Screenshot: leak site post claiming a Point Four EPoS Solutions data breach. Captured at time of discovery; image blurred to protect victim PII.]

Claim Summary

The Qilin ransomware group has allegedly claimed responsibility for a cyber attack against Point Four EPoS Solutions, a UK-based provider of electronic point-of-sale systems. The claim was posted on the group’s dark web leak site on April 24, 2026, according to threat intelligence monitoring. At this time, no data samples or specific evidence of exfiltration have been published by the threat actor. The claim remains unverified, and Point Four EPoS Solutions has not issued a public statement regarding the alleged incident.

Threat Actor Profile

Qilin (also tracked as Agenda) is a ransomware-as-a-service (RaaS) operation that has been active since mid-2022. According to available threat intelligence, the group has claimed responsibility for 1,617 victims to date, indicating a high-volume, opportunistic targeting strategy. Qilin is known for its cross-platform capabilities, targeting both Windows and VMware ESXi environments.

The group’s known toolset is extensive and includes:

  • Mimikatz: For credential dumping from Windows systems
  • EDRSandBlast: To evade endpoint detection and response solutions
  • PCHunter and PowerTool: For process and kernel manipulation
  • Nmap and Nping: For network reconnaissance and scanning
  • EasyUpload.io and MEGA: For exfiltration of stolen data

Qilin’s tactics, techniques, and procedures (TTPs) have been documented by multiple research organizations, including Secureworks (which tracks the operators as GOLD FEATHER), Trend Micro, and Google Cloud’s Threat Intelligence team, which has reported UNC3944 (Scattered Spider) deploying Qilin as an affiliate rather than as the core operator. Observed techniques include custom PowerShell scripts used to propagate to vCenter and ESXi hypervisors. The SMS phishing and SIM swapping used for initial access are characteristic of that affiliate, so defenders should expect initial-access methods to vary from one Qilin affiliate to another.

Alleged Data Exposure

The Qilin leak site post for Point Four EPoS Solutions does not currently include any data samples, file listings, or volume disclosures. The threat actor has not specified what data, if any, was allegedly exfiltrated during the attack. This lack of evidence is notable and may indicate one of several scenarios: the claim is premature, the group is attempting to pressure the victim into negotiations before releasing proof, or the claim is entirely fabricated.

Qilin has a track record of publishing data from victims who do not pay, so the threat should not be dismissed. A victim count alone, however, says nothing about this specific claim, and the absence of any proof here warrants skepticism until further evidence emerges.

Potential Impact

If the claim is verified, Point Four EPoS Solutions could face significant operational and reputational consequences. As a provider of point-of-sale systems, the company likely processes sensitive transactional data for retail and hospitality clients. Potential impacts include:

  • Client data exposure: Customer payment information, transaction histories, and business records could be compromised
  • Operational disruption: Ransomware encryption could affect point-of-sale terminals, inventory management, and payment processing systems
  • Regulatory and contractual scrutiny: As a UK-based company handling personal and payment data, the organization may face enquiries from the ICO under UK GDPR and, if cardholder data is in scope, obligations to its acquirers and the card brands under PCI DSS (a contractual standard rather than a regulation)
  • Supply chain risk: Clients relying on Point Four’s systems could experience secondary impacts, including service outages or data breaches

What to Watch For

Security teams and affected parties should monitor for the following developments:

  • Data publication: Qilin may release samples or full datasets if negotiations fail or if the victim refuses to pay
  • Client notifications: Point Four EPoS Solutions may issue breach notifications to affected clients or regulators
  • Technical indicators: Organizations using Point Four’s systems should watch for signs of lateral movement, credential theft, or unusual network activity consistent with Qilin’s known TTPs
  • YARA rules: Detection guidance for Qilin ransomware is available through public threat intelligence feeds. Analysts should look for rules covering Qilin’s ESXi encryptor, its PowerShell propagation scripts, and the Mimikatz and EDR-tampering tools listed above, and should pair them with behavioural detections, since a renamed binary defeats name-based matching
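The "technical indicators" and "YARA rules" items above describe what to look for but not how to look. The script below is an added example, written for this report and not taken from any vendor or from Qilin tooling; it triages process-creation and network-connection telemetry for the tools the report attributes to Qilin. The log line format, the field names, the sample events, the assumption that the tools keep their default binary names (PCHunter64.exe, PowerTool64.exe, EDRSandBlast.exe, nmap.exe, nping.exe), the exfiltration domains for MEGA and EasyUpload.io, and the use of the PowerCLI cmdlet Connect-VIServer or the ESXi shell as a sign of hypervisor propagation are all assumptions made for illustration. A renamed Mimikatz binary is deliberately included in the constructed sample to show why the command-line check matters.

```python
"""Heuristic triage of endpoint telemetry for the tooling attributed to Qilin.

Added example for this report, not code from the report's author or from any
threat actor. The line format ('TIMESTAMP HOST EVENT key="value" ...') is a
constructed, Sysmon-like simplification; field names, binary names, domains
and the sample events are assumptions made for illustration.
"""
import re
from collections import defaultdict

# Default binary names of the tools listed in the report (assumption: an
# intruder may rename them, so command-line and destination checks follow).
TOOL_PROCESSES = {
    "credential_dumping": ("mimikatz",),
    "edr_evasion": ("edrsandblast",),
    "kernel_tampering": ("pchunter", "powertool"),
    "recon": ("nmap", "nping"),
}
# Mimikatz module syntax survives renaming the executable.
CREDDUMP_CMDLINE = re.compile(r"sekurlsa::|lsadump::", re.IGNORECASE)
# Services the report names for exfiltration (MEGA API and web hosts).
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz", "easyupload.io")
# PowerShell reaching for vCenter/ESXi (assumption: a propagation script would
# use the PowerCLI cmdlet or the ESXi shell tools).
HYPERVISOR_CMDLINE = re.compile(r"Connect-VIServer|esxcli|vim-cmd", re.IGNORECASE)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed-format line into a dict; None if malformed."""
    parts = line.strip().split(" ", 3)
    if len(parts) < 3:
        return None
    ev = {"ts": parts[0], "host": parts[1], "event": parts[2]}
    for key, val in KV_RE.findall(parts[3] if len(parts) == 4 else ""):
        ev[key] = val.strip('"')
    return ev


def classify(ev):
    """Return (category, detail) findings for a single parsed event."""
    findings = []
    if ev["event"] == "ProcessCreate":
        image = ev.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")
        for cat, names in TOOL_PROCESSES.items():
            if any(n in image for n in names):
                findings.append((cat, f"process {image}"))
        if CREDDUMP_CMDLINE.search(cmd):  # catches a renamed Mimikatz
            findings.append(("credential_dumping", f"mimikatz syntax in: {cmd}"))
        if "powershell" in image and HYPERVISOR_CMDLINE.search(cmd):
            findings.append(("hypervisor_propagation", f"powershell -> vCenter/ESXi: {cmd}"))
    elif ev["event"] == "NetworkConnect":
        dest = ev.get("DestinationHostname", "").lower()
        if any(dest == d or dest.endswith("." + d) for d in EXFIL_DOMAINS):
            findings.append(("exfiltration", f"{ev.get('Image', '?')} -> {dest}"))
    return findings


def scan(lines):
    """Return (host, category, detail) for every suspicious event, in log order."""
    results = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for cat, detail in classify(ev):
            results.append((ev["host"], cat, detail))
    return results


def hosts_by_category(results):
    """Group hits per host so a host showing several stages stands out."""
    grouped = defaultdict(set)
    for host, cat, _ in results:
        grouped[host].add(cat)
    return {host: sorted(cats) for host, cats in grouped.items()}


# Constructed sample telemetry; not real logs from any incident.
SAMPLE_LOG = """\
2026-04-24T01:02:03Z POS-SRV01 ProcessCreate Image="C:\\Windows\\System32\\svchost.exe" CommandLine="svchost.exe -k netsvcs"
2026-04-24T01:05:10Z POS-SRV01 ProcessCreate Image="C:\\Users\\Public\\mk.exe" CommandLine="mk.exe privilege::debug sekurlsa::logonpasswords"
2026-04-24T01:06:00Z POS-SRV01 ProcessCreate Image="C:\\Temp\\PCHunter64.exe" CommandLine="PCHunter64.exe"
2026-04-24T01:09:30Z JUMP01 ProcessCreate Image="C:\\Tools\\nmap.exe" CommandLine="nmap.exe -p 22,443,902 10.10.0.0/24"
2026-04-24T01:20:00Z JUMP01 ProcessCreate Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe -ep bypass -f spread.ps1 Connect-VIServer vc01"
2026-04-24T02:00:00Z POS-SRV01 NetworkConnect Image="C:\\Users\\Public\\MEGAsync.exe" DestinationHostname="g.api.mega.co.nz" DestinationPort=443
2026-04-24T02:01:00Z POS-SRV01 NetworkConnect Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" DestinationHostname="www.example.com" DestinationPort=443
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for host, cat, detail in hits:
        print(f"{host:10} {cat:24} {detail}")
    print(hosts_by_category(hits))
```

Run against the constructed sample, the script flags five events and shows POS-SRV01 with credential dumping, kernel tampering and exfiltration, which is the multi-stage pattern worth escalating. The renamed `mk.exe` is caught only by the `sekurlsa::` command-line check, which is the caveat the YARA item above makes: name-based matching alone is easy to defeat, so pair file signatures with behavioural signals such as command lines, destinations and the combination of stages seen on one host.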

Disclaimer

This report is based on unverified claims made by the Qilin ransomware group on their dark web leak site. Yazoul Security has not independently confirmed the validity of these claims, the extent of any data compromise, or the identity of the victim organization. Ransomware groups routinely exaggerate or fabricate claims to pressure victims into payment. All information presented here should be treated as preliminary and subject to change as more details emerge. No PII, download links, data samples, credentials, or access methods are included in this report. Organizations should verify any claims through their own incident response procedures before taking action.
