Qilin ransomware posted six victims across five countries over June 2–3, 2026: Nova Medical Products (US, healthcare and medical devices), Clinica Maitenes (Chile, healthcare clinic), JNP ENG (South Korea, manufacturing and engineering), MarketJoy (US, consumer services), Eat Salad (Brazil, food and agriculture), and MEISA — Sines (Portugal, energy sector). The multi-sector, multi-geography batch is consistent with Qilin’s operating model but reflects a threat actor with 1,888 total claimed victims since its first activity in October 2022.
Nova Medical Products and the High-Value Data Held by US Medical Device Companies
The US victim in this batch — Nova Medical Products, a healthcare and medical device supplies company — sits within a particularly sensitive data category. Medical device companies hold patient data, clinical validation records, and regulatory submissions filed with the FDA. That combination of protected health information and proprietary regulatory documentation creates a data profile that carries high extortion value: disclosure would implicate both HIPAA privacy obligations and the competitive sensitivity of FDA submission contents.
MEISA Sines: Qilin’s Claim at a Portuguese Energy Infrastructure Hub
MEISA — Sines is an energy sector company located at the industrial port of Sines, Portugal, one of Europe’s significant energy import and logistics hubs. Energy sector ransomware carries a risk profile that extends beyond data theft: port-adjacent and logistics-integrated energy infrastructure faces operational disruption potential that places it in a distinct threat category from general commercial victims. No operational disruption has been confirmed; Qilin’s posting initiates the double-extortion window.
Qilin’s 1,888-Victim Scale and Multi-Affiliate Global Reach
Qilin, also tracked as Agenda, operates as a ransomware-as-a-service platform with double-extortion tactics — encrypting victim systems and threatening to publish exfiltrated data if ransom terms are not met. The group has claimed 1,888 total victims since October 2022, establishing it as one of the most prolific active ransomware operations. That scale is produced by a global affiliate network without geographic concentration, enabling the kind of cross-continental diversity seen in the June batch.
How Qilin’s Targeting Across Healthcare and Energy in Three Continents Reflects Its Affiliate Model
The June 2–3 batch spans three continents: North America, South America, and Europe, with an additional Asia-Pacific victim in South Korea. No single sector accounts for more than two of the six postings. This diversity is a structural characteristic of Qilin’s RaaS model: affiliates operate independently and select targets according to their own access and negotiation calculations, while the core group provides the encryption and leak infrastructure. The result is a victim profile that looks random but reflects the aggregate of multiple independent affiliate operations.
The healthcare sector’s representation — two of the six victims — is consistent with Qilin’s documented pattern of healthcare targeting, where data sensitivity and operational disruption pressure create favorable extortion conditions.
