The Qilin ransomware group has claimed responsibility for a cyberattack against Die Linke ("The Left"), a German left-wing political party, forcing an IT systems outage and threatening to publish stolen sensitive data. Die Linke has confirmed the incident, making it one of the more high-profile ransomware attacks against a European political organization in recent years.
Incident Overview
| Attribute | Details |
|---|---|
| Victim | Die Linke (The Left) — German political party |
| Threat Group | Qilin ransomware |
| Impact | IT systems outage, data theft |
| Data Threatened | Sensitive internal party data |
| Confirmation | Die Linke confirmed the attack |
| Source | BleepingComputer |
Die Linke is a left-wing political party in Germany with representation in the Bundestag and several state parliaments. The party confirmed that attackers had disrupted IT operations and stolen data, consistent with Qilin's double-extortion ransomware model.
Qilin Ransomware Group
Qilin (also tracked as Agenda) is a ransomware-as-a-service (RaaS) operation that has been active since 2022 and has accelerated its activity significantly in 2025–2026. The group is known for:
| Capability | Description |
|---|---|
| Double extortion | Encrypting systems AND exfiltrating data for leverage |
| Cross-platform ransomware | Versions targeting Windows, Linux, and VMware ESXi |
| Rust-based malware | Modern, difficult-to-detect ransomware written in Rust |
| High-profile targets | Healthcare, government, critical infrastructure, and now political organizations |
| Data leak site | Publishes stolen data to pressure victims into paying |
Qilin has previously claimed attacks against healthcare providers, law firms, and government entities across Europe and North America. The attack against Die Linke represents an escalation into targeting political institutions.
Attack Impact
Die Linke confirmed that:
- IT systems were disrupted — the attack caused an outage affecting internal party operations
- Data was exfiltrated — Qilin has threatened to publish internal party communications and documents
- Sensitive information at risk — political parties hold communications, donor information, internal strategy documents, and personnel records
The specific volume and nature of the stolen data have not been fully disclosed. Qilin has listed the party on its dark web leak site as leverage.
Broader Context: Ransomware Targeting Political Organizations
Ransomware attacks against political parties and government-adjacent organizations are on the rise across Europe. This incident follows several recent attacks against public sector and democratic institutions:
- Malaysia Airlines was targeted by Qilin in March 2026
- England Hockey faced a ransomware and data breach investigation in March 2026
- Foster City, California declared a municipal emergency after ransomware crippled city services
The targeting of Die Linke is significant because political parties hold sensitive communications and strategic planning data that could be valuable beyond financial extortion — either for intelligence purposes or to cause political embarrassment.
Response and Recommendations
Die Linke has not publicly stated whether it intends to pay the ransom. Security experts consistently advise against payment, as it does not guarantee data deletion and funds criminal operations.
Organizations facing similar threats should:
- Activate incident response immediately — engage a specialized ransomware IR firm
- Isolate affected systems to prevent further encryption or data exfiltration
- Notify relevant authorities — in Germany, the BSI (Federal Office for Information Security) and law enforcement
- Do not pay the ransom without consulting law enforcement and legal counsel
- Preserve forensic evidence for attribution and potential prosecution
- Audit backup integrity — verify offline backups are intact and not also encrypted
Political organizations in particular should review:
- Email and communication platform security — Qilin frequently uses phishing as initial access
- Endpoint protection on devices used by party staff and officials
- Network segmentation to limit lateral movement from initial access to sensitive systems
Indicators of Qilin Activity
Security teams should monitor for indicators associated with Qilin ransomware operations:
| Indicator Type | Description |
|---|---|
| File extension changes | Qilin appends random extensions to encrypted files |
| Ransom note | "README-RECOVER-[random].txt" dropped in encrypted directories |
| ESXi targeting | Qilin actively targets VMware ESXi hypervisors |
| Data exfiltration | Large outbound data transfers prior to encryption |
| Dark web leak site | qilinap...onion — victim listings with sample data |
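
The two file-system indicators in the table can be checked against file-event telemetry. The following triage sketch is an added example, not code from BleepingComputer or any vendor: the event format, the `triage` function, the known-extension list, the character set allowed for the random part of the note name, and the sample paths are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Ransom note name from the indicator table. The character class for the
# "[random]" part is an assumption; the page does not specify it.
NOTE_RE = re.compile(r"^README-RECOVER-[A-Za-z0-9_-]+\.txt$", re.IGNORECASE)
# Assumed allow-list of extensions considered normal in this environment.
KNOWN_EXT = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".vmdk", ".vmx", ".log"}

# Constructed sample events: (operation, resulting path). Not real telemetry.
SAMPLE_EVENTS = [
    ("rename", "/srv/share/finance/q1.xlsx.k3Xq9"),
    ("rename", "/srv/share/finance/q2.xlsx.k3Xq9"),
    ("rename", "/srv/share/finance/donors.pdf.k3Xq9"),
    ("create", "/srv/share/finance/README-RECOVER-k3Xq9.txt"),
    ("rename", "/srv/share/press/draft.docx.bak"),   # single backup file, benign
    ("create", "/srv/share/press/README.txt"),       # ordinary readme, no match
    ("create", "/vmfs/volumes/ds1/README-RECOVER-k3Xq9.txt"),
]

def triage(events, min_renamed=3):
    """Return {directory: {"notes": [...], "appended_ext": {ext: count}}} for
    directories containing a ransom-note name or at least min_renamed files
    that gained the same unrecognised extension after a known one."""
    notes = defaultdict(list)
    appended = defaultdict(lambda: defaultdict(int))
    for op, path in events:
        p = PurePosixPath(path)
        d = str(p.parent)
        if op == "create" and NOTE_RE.match(p.name):
            notes[d].append(p.name)
        elif op == "rename":
            s = [x.lower() for x in p.suffixes]
            # "q1.xlsx.k3Xq9": known extension kept, unknown extension appended
            if len(s) >= 2 and s[-2] in KNOWN_EXT and s[-1] not in KNOWN_EXT:
                appended[d][p.suffixes[-1]] += 1
    findings = {}
    for d in set(notes) | set(appended):
        bursts = {e: n for e, n in appended.get(d, {}).items() if n >= min_renamed}
        if notes.get(d) or bursts:
            findings[d] = {"notes": notes.get(d, []), "appended_ext": bursts}
    return findings

if __name__ == "__main__":
    for directory, hit in sorted(triage(SAMPLE_EVENTS).items()):
        print(directory, hit)
```

A directory that shows both a note and a rename burst is the strongest signal; a note alone on a datastore path still warrants immediate isolation of that host.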
Source: BleepingComputer — April 3, 2026