
The Switch Enterprises Hit by Qilin Ransomware (Apr 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

[Image: leak site post claiming The Switch Enterprises data breach]

Screenshot captured at time of discovery. Image blurred to protect victim PII.

Claim Summary

The Qilin ransomware group has allegedly claimed responsibility for a cyberattack against The Switch Enterprises, a Finnish business services organization operating at www.theswitch.tv. According to the group’s leak site, the attack reportedly occurred on April 30, 2026. The threat actor has not disclosed specific data samples or volume of stolen information, which is atypical for Qilin’s usual operational pattern. Yazoul Security has not independently verified any of these claims, and the organization has not publicly confirmed a security incident.

Threat Actor Profile

Qilin (also tracked as Agenda) is a ransomware-as-a-service (RaaS) operation first observed in mid-2022. The group has allegedly claimed 1,617 victims to date, though this number may include duplicate or inflated entries. Qilin is known for targeting multiple sectors globally, with a particular focus on business services, manufacturing, and technology.

The group’s known toolset includes:

  • Mimikatz for credential dumping
  • EDRSandBlast for endpoint detection and response evasion
  • PCHunter and PowerTool for process manipulation
  • Nmap and Nping for network reconnaissance
  • EasyUpload.io and MEGA for data exfiltration

Qilin’s tactics, techniques, and procedures (TTPs) have been documented by multiple research sources. Secureworks tracks the group as GOLD FEATHER, noting their use of custom PowerShell scripts for lateral movement. Trend Micro research highlights Qilin’s ability to propagate to VMware vCenter and ESXi hypervisors via custom PowerShell tools. Google Cloud’s Threat Intelligence team (UNC3944) has linked Qilin to SMS phishing and SIM-swapping campaigns for initial access.

The group typically employs double extortion - encrypting systems while exfiltrating sensitive data. Their leak site operates on a timer-based disclosure system, with data gradually released if ransom demands are not met.
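As an added detection example (not part of this report, and not Qilin's or any vendor's code), the following script matches the toolset listed above against constructed process-creation and proxy log lines, grouping hits by the stage the profile assigns to each tool. The executable stems, the simplified log format and the exfiltration domains (easyupload.io, mega.nz) are assumptions.

```python
import re

# Stage labels follow the report's toolset list; the executable stems and the
# exfiltration domains are assumptions about how these tools show up in logs.
TOOL_STAGES = {
    "mimikatz": "credential dumping",
    "edrsandblast": "EDR evasion",
    "pchunter": "process manipulation",
    "powertool": "process manipulation",
    "nmap": "network reconnaissance",
    "nping": "network reconnaissance",
}
EXFIL_DOMAINS = ("easyupload.io", "mega.nz")
PROC_RE = re.compile(r"^PROC host=(\S+) .*?image=(\S+)")
PROXY_RE = re.compile(r"^PROXY src=(\S+) dst=([\w.-]+) bytes_out=(\d+)")

# Constructed sample lines in a simplified key=value format (not real telemetry).
SAMPLE_LOGS = [
    r"PROC host=ws-17 user=j.doe image=C:\Windows\System32\svchost.exe",
    r"PROC host=ws-17 user=j.doe image=C:\Users\Public\nmap.exe",
    r"PROC host=srv-fs01 user=SYSTEM image=C:\Temp\EDRSandBlast_x64.exe",
    r"PROC host=srv-fs01 user=SYSTEM image=C:\Temp\mimikatz.exe",
    "PROXY src=srv-fs01 dst=mega.nz bytes_out=734003200",
    "PROXY src=srv-fs01 dst=easyupload.io bytes_out=52428800",
]

def scan(lines):
    """Return one finding per line that names a profiled tool or exfil service."""
    findings = []
    for line in lines:
        if m := PROC_RE.match(line):
            host, image = m.groups()
            # Strip path and extension, then a build suffix such as "_x64".
            stem = image.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
            key = stem.lower().split("_")[0]
            if key in TOOL_STAGES:
                findings.append({"host": host, "stage": TOOL_STAGES[key], "indicator": stem})
        elif m := PROXY_RE.match(line):
            src, dst, sent = m.groups()
            # Match the service domain itself or any subdomain of it.
            if any(dst == d or dst.endswith("." + d) for d in EXFIL_DOMAINS):
                findings.append({"host": src, "stage": "data exfiltration",
                                 "indicator": f"{dst} ({sent} bytes out)"})
    return findings

def hosts_by_stage(findings):
    """Group flagged hosts per stage so a full chain on one host stands out."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["stage"], set()).add(f["host"])
    return {stage: sorted(hosts) for stage, hosts in grouped.items()}
```

Running `hosts_by_stage(scan(SAMPLE_LOGS))` shows srv-fs01 progressing through EDR evasion, credential dumping and exfiltration, the double-extortion sequence the profile describes, while the benign svchost.exe line is not flagged.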

Alleged Data Exposure

At the time of this report, Qilin has not published any data samples or specified the type of information allegedly stolen from The Switch Enterprises. The data volume remains undisclosed. This lack of detail is unusual for Qilin, which typically provides at least a sample or description of compromised data to pressure victims. The absence of such evidence may indicate:

  • The claim is preliminary or unsubstantiated
  • The group is still negotiating with the victim
  • The attack may have been unsuccessful in data exfiltration

Yazoul Security analysts note that ransomware groups frequently exaggerate or fabricate claims to create urgency. Without verifiable data samples, this claim should be treated with heightened skepticism.

Potential Impact

If the claim is verified, The Switch Enterprises could face:

  • Operational disruption from encrypted systems
  • Regulatory scrutiny under EU data protection laws (GDPR)
  • Reputational damage with clients in the business services sector
  • Potential financial losses from ransom demands, recovery costs, and business interruption

The business services industry is particularly sensitive to data breaches, as clients often entrust these organizations with proprietary or confidential information. The Switch Enterprises’ Finnish operations may also attract attention from the National Cyber Security Centre Finland (NCSC-FI).

What to Watch For

Disclaimer

This report is based solely on unverified claims published by the Qilin ransomware group on their dark web leak site. Yazoul Security has not independently confirmed any aspect of this alleged incident, including the attack date, data exfiltration, or victim notification status. Ransomware groups routinely fabricate or exaggerate claims to pressure victims into payment. Organizations should not take action based on this information alone but should await official confirmation from The Switch Enterprises or relevant authorities. No data samples, credentials, or access methods are provided in this report.
