Critical Unverified

Travel Expert Ransomware Attack by Qilin (April 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

[Figure: leak site post claiming Travel Expert data breach. Screenshot captured at time of discovery; image blurred to protect victim PII.]

Claim Summary

On April 25, 2026, the Qilin ransomware group added Travel Expert to its dark web leak site. Travel Expert operates at www.travelexpert.com.hk and is a Hong Kong-based company in the hospitality and tourism industry. The threat actor claims to have exfiltrated data from the organization, though no specific data volume or sample files have been provided to substantiate the claim. As of this writing, the leak site entry contains only the victim’s name and domain, with no additional details about the alleged breach.

Threat Actor Profile

Qilin (also tracked as Agenda) is an active ransomware-as-a-service (RaaS) operation first observed in mid-2022. According to public threat intelligence sources, Qilin has claimed 1,617 victims to date, indicating a high-volume, opportunistic targeting strategy. The group is known for using a variety of tools to facilitate initial access, lateral movement, and data exfiltration, including:

  • Credential theft: Mimikatz for extracting credentials from memory.
  • Defense evasion: EDRSandBlast and PCHunter to disable endpoint detection and response solutions.
  • System enumeration: PowerTool and Nmap for network reconnaissance.
  • Data exfiltration: EasyUpload.io and MEGA cloud storage services.

Qilin has historically targeted organizations across multiple sectors, with a notable focus on healthcare, education, and manufacturing. The group’s ransomware payload is written in Rust and has been observed propagating to VMware vCenter and ESXi hypervisors via custom PowerShell scripts, as documented by Trend Micro. Google Cloud’s Threat Intelligence group has also linked Qilin to UNC3944, a threat cluster known for SMS phishing and SIM-swapping attacks.

The group’s credibility is moderate to high based on its extensive victim count and consistent operational tempo. However, the lack of data samples or proof in this specific claim warrants caution.

Alleged Data Exposure

Qilin has not published any data samples, file listings, or volume estimates for the Travel Expert incident. The leak site entry is minimal, containing only the victim’s name and domain. Without corroborating evidence, it is impossible to verify the scope or nature of the alleged data breach. Ransomware groups frequently exaggerate or fabricate claims to pressure victims into negotiations, and the absence of data here may indicate either a preliminary stage of extortion or a false claim.

Potential Impact

If the claim is substantiated, Travel Expert could face significant operational and reputational consequences. As a hospitality and tourism company, Travel Expert likely processes sensitive customer data, including personally identifiable information (PII), payment details, and travel itineraries. A confirmed breach could lead to:

  • Regulatory scrutiny: Hong Kong’s Personal Data (Privacy) Ordinance requires prompt notification and remediation.
  • Customer trust erosion: Leaked travel data could be used for phishing, identity theft, or targeted scams.
  • Business disruption: Ransomware encryption could impact booking systems, customer databases, and internal communications.

What to Watch For

Security teams and partners should monitor for:

  • Phishing campaigns: Threat actors may use stolen customer data to craft convincing phishing emails targeting Travel Expert clients.
  • Data leaks: If negotiations fail, Qilin may release data samples or full archives on its leak site.
  • Indicators of compromise: Analysts should review network and endpoint logs for traces of Qilin’s known toolset (Mimikatz, Nmap, MEGA). YARA rules for Qilin’s ransomware payload are available in public repositories, such as those maintained by the YARA Project and various threat intelligence platforms.
  • Detection guidance: Organizations should ensure endpoint detection and response (EDR) solutions are configured to block EDRSandBlast and PCHunter, and monitor for unusual MEGA or EasyUpload.io traffic.
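As an added illustration of the detection guidance above (example code written for this page, not part of the original report or any vendor tooling), the following Python script applies simple matching to constructed proxy and process-creation log lines: it flags large uploads to the exfiltration services named in the report, flags execution of the named tools, and correlates the two by host. The MEGA domain names, the executable-name prefixes and the byte threshold are assumptions to be tuned against your own telemetry.

```python
import re

# Exfiltration-service domains named in the report; "easyupload.io" is from the
# page, the MEGA domains are assumed and should be confirmed against your own feed.
EXFIL_DOMAINS = ("easyupload.io", "mega.nz", "mega.co.nz")
# Executable name prefixes for the tooling attributed to Qilin (assumed).
TOOL_PREFIXES = ("mimikatz", "edrsandblast", "pchunter", "powertool", "nmap")

# Constructed sample telemetry: a proxy log and an endpoint process-creation log.
PROXY_LOG = """\
2026-04-25T02:11:03Z host=ws-014 dst=cdn.example-vendor.com bytes_out=18211
2026-04-25T02:14:40Z host=ws-014 dst=g.api.mega.co.nz bytes_out=734003211
2026-04-25T02:20:09Z host=fs-01 dst=easyupload.io bytes_out=210044128
"""
PROCESS_LOG = """\
2026-04-25T01:58:22Z host=ws-014 image=C:\\Windows\\System32\\svchost.exe
2026-04-25T02:03:51Z host=ws-014 image=C:\\Users\\Public\\mimikatz.exe
2026-04-25T02:06:30Z host=dc-01 image=C:\\Temp\\EDRSandBlast.exe
"""

def flag_exfil(lines, min_bytes=100_000_000):
    """(host, dst, bytes) for large uploads to a listed exfil domain or any
    of its subdomains. The byte threshold is an assumed tuning value."""
    hits = []
    for line in lines.splitlines():
        m = re.search(r"host=(\S+) dst=(\S+) bytes_out=(\d+)", line)
        if not m:
            continue
        host, dst, size = m.group(1), m.group(2).lower(), int(m.group(3))
        if size >= min_bytes and any(dst == d or dst.endswith("." + d) for d in EXFIL_DOMAINS):
            hits.append((host, dst, size))
    return hits

def flag_tools(lines):
    """(host, exe) for process images whose file name matches a tool prefix."""
    hits = []
    for line in lines.splitlines():
        m = re.search(r"host=(\S+) image=(.+)$", line)
        if not m:
            continue
        exe = m.group(2).rsplit("\\", 1)[-1].lower()
        if exe.startswith(TOOL_PREFIXES):
            hits.append((m.group(1), exe))
    return hits

def correlate(proxy_log=PROXY_LOG, process_log=PROCESS_LOG):
    """Hosts showing both tool execution and a large exfil-domain upload."""
    tool_hosts = {h for h, _ in flag_tools(process_log)}
    return sorted({h for h, _, _ in flag_exfil(proxy_log) if h in tool_hosts})
```

Renamed binaries will not match the prefix check; on the sample data the correlation singles out ws-014, which both ran a credential-theft tool and pushed a large upload to a MEGA endpoint.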

Disclaimer

This report is based solely on unverified claims published by the Qilin ransomware group on its dark web leak site. Yazoul Security has not independently confirmed the breach, the extent of data exfiltration, or the validity of the threat actor’s assertions. Ransomware groups routinely exaggerate or fabricate claims to pressure victims. All information herein should be treated as intelligence leads requiring further verification. No PII, download links, or access credentials have been included in this report.
