Key Takeaways
- Qilin ransomware attacked Kuala Lumpur International Airport (KLIA) in March 2025, disrupting flight information systems and check-in counters
- Attackers stole an alleged 2 terabytes of data and demanded $10 million ransom
- Malaysia's Prime Minister Anwar Ibrahim publicly refused payment, stating there was "no way" Malaysia would bow to criminal threats
- Malaysia Airports Holdings Berhad (MAHB) confirmed the attack but provided limited technical disclosure
- March 2025 was the busiest month on record for publicly disclosed ransomware attacks, with 107 reported globally, an 81% increase year-on-year
The Facts
On a busy morning in March 2025, passengers at Kuala Lumpur International Airport encountered something unusual: check-in counters frozen mid-process, flight information boards cycling through error states, and airport staff reverting to manual procedures. Behind the scenes, KLIA was in the middle of a ransomware attack that would become one of Malaysia's most publicly visible cybersecurity incidents in years.
The threat actor was Qilin — a Russian-speaking ransomware group that has been escalating aggressively since its emergence in 2022. Qilin exfiltrated what it claimed was 2 terabytes of airport operational and passenger data, encrypted core systems, and issued a $10 million ransom demand to Malaysia Airports Holdings Berhad, the state-linked entity that manages KLIA and over 39 other airports across Malaysia.
Prime Minister Anwar Ibrahim's response was immediate and unambiguous. Speaking publicly, he stated there was "no way" Malaysia would capitulate to criminal extortion. MAHB confirmed the attack, acknowledged disruption to systems, and began restoration operations — but the government did not disclose whether the 2TB data exfiltration claim was verified or what data categories were involved.
The March timing placed the KLIA attack within the most intensive ransomware month on record globally. BlackFog documented 107 publicly disclosed ransomware attacks in March 2025 alone — an 81% increase from the same period the previous year. Qilin, alongside Clop and Akira, accounted for the highest attack volumes that month.
Technical Deep-Dive: How Qilin Operates
Qilin operates as a Ransomware-as-a-Service (RaaS) platform, meaning its operators sell attack capabilities to affiliates who then conduct the actual intrusions and split ransom proceeds. This business model separates the technical development of the ransomware from its deployment, making attribution and prosecution significantly more difficult.
Qilin's attack pattern at KLIA likely followed the group's documented playbook: initial access through phishing or exposed remote access services, extended dwell time for network reconnaissance and data exfiltration before payload deployment, and the use of double extortion — threatening both operational disruption and public data exposure — to maximise ransom pressure.
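The extended dwell time and bulk exfiltration described above are what a defender can look for before the encryption stage. The following is an added example, not code from the article, MAHB or any vendor named here: it reads constructed daily per-host egress summaries, builds a per-host baseline, and flags a host whose outbound volume jumps far above its own norm or that starts sending to a destination never seen in the baseline. Hostnames, addresses and byte counts are invented.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one record per day per host, "day,host,dst_ip,bytes_out".
# fids-01 is a display controller with flat egress; file-srv-02 normally pushes
# a few GB of backups, then on day 6 sends 350 GB to a new external address.
SAMPLE_FLOWS = """\
1,fids-01,203.0.113.5,1200000
2,fids-01,203.0.113.5,1100000
3,fids-01,203.0.113.5,1300000
4,fids-01,203.0.113.5,1250000
5,fids-01,203.0.113.5,1150000
6,fids-01,203.0.113.5,1200000
1,file-srv-02,203.0.113.9,4000000000
2,file-srv-02,203.0.113.9,4200000000
3,file-srv-02,203.0.113.9,3900000000
4,file-srv-02,203.0.113.9,4100000000
5,file-srv-02,203.0.113.9,4000000000
6,file-srv-02,198.51.100.77,350000000000
"""

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            day, host, dst, nbytes = line.split(",")
            rows.append((int(day), host, dst, int(nbytes)))
    return rows

def egress_anomalies(rows, baseline_days, z_threshold=3.0, min_ratio=5.0):
    """Return {host: (day, bytes, ratio_to_baseline_mean, new_destinations)}
    for hosts whose egress on a non-baseline day is both z_threshold standard
    deviations above the baseline mean and at least min_ratio times it; the
    ratio guard stops a perfectly flat baseline (sigma 0) from flagging noise."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    dests = defaultdict(lambda: defaultdict(set))   # host -> day -> {dst}
    for day, host, dst, nbytes in rows:
        daily[host][day] += nbytes
        dests[host][day].add(dst)
    findings = {}
    for host, per_day in daily.items():
        base = [per_day[d] for d in baseline_days if d in per_day]
        if len(base) < 2:
            continue                      # not enough history to baseline
        mu, sigma = mean(base), pstdev(base)
        known = set().union(*(dests[host][d] for d in baseline_days if d in per_day))
        for day, total in per_day.items():
            if day in baseline_days:
                continue
            z = (total - mu) / sigma if sigma else (float("inf") if total > mu else 0.0)
            if z >= z_threshold and total >= min_ratio * mu:
                findings[host] = (day, total, total / mu, dests[host][day] - known)
    return findings
```

In practice the thresholds are tuned per host class (a backup server and a flight display controller have very different normal egress), and a hit is a trigger for investigation rather than a verdict.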
Airport operational technology systems present specific vulnerabilities. Flight information display systems, check-in infrastructure, and baggage handling systems are often running legacy software on network segments that were not designed with modern security controls. The convergence of IT (information technology) and OT (operational technology) systems in modern airports creates attack surfaces that traditional perimeter security does not adequately address.
Since its 2022 emergence, Qilin has been linked to 926 attacks, with 168 confirmed. The group has stolen approximately 116 terabytes of data in total. In 2025 alone, it claimed over 701 victims — with government entities experiencing a 344% year-on-year increase in targeting frequency.
The ASEAN Perspective
The KLIA attack sits within a broader deterioration of Malaysia's cyber incident environment. CyberSecurity Malaysia's Annual Report 2025 documented a 42% year-on-year increase in ransomware attacks on Malaysian businesses, with 67% of Malaysian SMEs affected in 2025 — up from 48% in 2024. The average cost of a data breach in Malaysia reached RM 3.2 million in 2025, and the average time to detect a breach extended to 187 days — attackers are becoming stealthier.
ASEAN's critical infrastructure sector is increasingly in the crosshairs of sophisticated ransomware groups that previously focused on Western targets. Malaysia's public refusal to pay the KLIA ransom sends an important regional signal: yielding to extortion funds further attacks on ASEAN infrastructure and emboldens groups like Qilin to escalate targeting in the region.
For regional airport and transport operators in Thailand, Indonesia, and the Philippines — all operating infrastructure of comparable complexity to KLIA — the attack provides a practical case study for their own cyber resilience planning.
RECATOOLS Verdict
Anwar Ibrahim's public refusal to pay was the right call, both for Malaysia and for the regional cybersecurity ecosystem. Every ransom payment funds the next attack. Every public refusal raises the expected cost of targeting regional critical infrastructure.
The harder work is the remediation and resilience investment that follows. Documented airport OT security programmes, network segmentation between passenger-facing systems and operational infrastructure, and tabletop exercises that include ransomware scenarios are the practical outcomes that the KLIA incident should drive.
Sources
- BlackFog State of Ransomware March 2025: blackfog.com
- Industrial Cyber — Qilin Ransomware 2025 Analysis: industrialcyber.co
- Security Quotient Malaysia Cyber Threat Landscape 2025: securityquotient.io
- CyberSecurity Malaysia Annual Report 2025
FAQ
Did Malaysia pay the KLIA ransom? No. Prime Minister Anwar Ibrahim publicly refused, stating there was "no way" Malaysia would pay criminal extortion demands.
Who is Qilin ransomware? A Russian-speaking Ransomware-as-a-Service group active since 2022, linked to 926 attacks globally, with a documented focus on critical infrastructure, healthcare, and manufacturing.
What systems were affected at KLIA? Flight information display systems and check-in counters were disrupted. MAHB confirmed operational impact but limited technical disclosure of affected systems.
Was passenger data stolen? Qilin claimed to have exfiltrated 2 terabytes of data. MAHB confirmed the attack without verifying or detailing the data exfiltration claim.
How can ASEAN airports protect against ransomware? Network segmentation between IT and OT systems, endpoint detection on all connected devices, offline backup systems for critical operations, and regular ransomware tabletop exercises are the baseline requirements.
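The segmentation between passenger-facing systems and operational infrastructure recommended in the verdict and in the FAQ above can be verified continuously rather than assumed. The following is an added example, not code from the article or from MAHB: it maps observed flows onto constructed airport zones (corporate IT, passenger-facing check-in and FIDS, baggage-handling OT, a remote-access pool) and reports every cross-zone flow that the constructed allowlist does not permit, rating any path into OT or over an administrative protocol as high severity. All subnets, ports and flows are invented for illustration.

```python
import ipaddress

# Constructed zone map: zone -> subnets (longest prefix wins, so the catch-all
# "internet" zone only matches addresses no internal subnet claims).
ZONES = {
    "corporate_it":     ["10.10.0.0/16"],
    "passenger_facing": ["10.20.0.0/24", "10.20.1.0/24"],  # check-in, FIDS
    "operational_ot":   ["10.30.0.0/24"],                  # baggage handling
    "remote_access":    ["10.40.0.0/24"],                  # VPN address pool
    "internet":         ["0.0.0.0/0"],
}
# Constructed allowlist of (src_zone, dst_zone, dst_port). OT accepts only the
# FIDS feed on one dedicated port; remote access terminates in corporate IT.
ALLOWED = {
    ("corporate_it", "internet", 443),
    ("corporate_it", "passenger_facing", 443),
    ("passenger_facing", "operational_ot", 8443),
    ("remote_access", "corporate_it", 443),
}
ADMIN_PORTS = {22, 3389, 445, 5985}   # SSH, RDP, SMB, WinRM

def zone_of(ip):
    addr, best, best_len = ipaddress.ip_address(ip), None, -1
    for zone, nets in ZONES.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best

def check_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns a list of
    (src_zone, dst_zone, port, severity) for cross-zone flows not in ALLOWED."""
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz, port) in ALLOWED:
            continue
        sev = "high" if dz == "operational_ot" or port in ADMIN_PORTS else "medium"
        violations.append((sz, dz, port, sev))
    return violations

# Constructed flow sample (e.g. summarised from firewall or NetFlow logs).
SAMPLE_FLOWS = [
    ("10.10.5.7", "203.0.113.10", 443),    # corporate web traffic: allowed
    ("10.20.0.15", "10.30.0.20", 8443),    # FIDS feed into OT: allowed
    ("10.40.0.9", "10.30.0.20", 3389),     # VPN user RDP straight into OT: high
    ("10.10.5.7", "10.20.1.4", 445),       # corporate SMB to check-in host: high
    ("10.30.0.20", "198.51.100.5", 443),   # OT host talking to the internet: medium
]
```

Run against real flow exports, the violation list doubles as the evidence a tabletop exercise needs: each entry is a path an intrusion could take from the IT side into operational systems.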