Critical Unverified

SAAM Towage Ransomware Claim by Qilin (Apr 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Claim Summary

The Qilin ransomware group has allegedly posted maritime towage and logistics company SAAM Towage to its data leak site. The group claims to have compromised the organization on April 10, 2026. According to the post, the specific data allegedly stolen and the total volume of data remain undisclosed. The group has not provided a sample of the purportedly stolen data as proof of the claim at this time.

Threat Actor Profile

Qilin, the operation behind the Agenda ransomware and tracked by Secureworks as Gold Feather, is a financially motivated ransomware-as-a-service (RaaS) operation with a significant history. (UNC3944 is Mandiant’s designation for Scattered Spider, a separate intrusion group that has reportedly deployed Qilin as an affiliate; the two should not be treated as the same actor.) The group’s leak site lists over 1,600 alleged victims, indicating a high operational tempo. Their known toolset is extensive and includes credential access tools like Mimikatz, defense evasion utilities such as EDRSandBlast, PCHunter, and PowerTool, and network discovery tools like Nmap and Nping. For data exfiltration, the group has reportedly used file-sharing services like EasyUpload.io and MEGA. Research indicates Qilin actors are adept at propagating within virtualized environments such as VMware vCenter and ESXi servers. The SMS phishing (smishing) and SIM-swapping initial access techniques often cited alongside Qilin are characteristic of Scattered Spider affiliates rather than of the core Qilin operators, so initial access in any given intrusion may vary with the affiliate involved.

Alleged Data Exposure

The nature and scope of the data purportedly accessed are currently unknown. The Qilin group’s post does not specify file types, categories, or a data volume. In previous attacks against other victims, the group has exfiltrated a wide range of sensitive information, including financial records, employee PII, and corporate intellectual property. Without a data sample or detailed list from the threat actor, the specific exposure risk to SAAM Towage cannot be assessed from this claim alone.

Potential Impact

SAAM Towage operates a fleet of tugboats across multiple countries, primarily in the Americas, providing essential services for port operations and ship maneuvering. A confirmed ransomware attack could disrupt port logistics, delay vessel traffic, and cause significant operational and financial damage. The theft of sensitive operational data, such as port schedules, client contracts, or vessel specifications, could pose long-term competitive and security risks. The lack of disclosed details in the claim makes it difficult to gauge the immediate severity.

What to Watch For

  1. Proof of Claim: Monitor for updates on Qilin’s leak site, such as the publication of a data sample or a file directory listing, which would substantiate the claim.
  2. Official Statement: Await any official communication from SAAM Towage or its parent company regarding a potential cybersecurity incident.
  3. Operational Disruptions: Observe for reports of service disruptions or IT outages affecting SAAM Towage’s port operations.
  4. Detection Guidance: Security teams in the transportation and logistics sector should review threat intelligence on Qilin’s TTPs. Defenders can reference YARA rules and detection logic published by security vendors tracking this group (e.g., under the Agenda or Gold Feather names) to hunt for related indicators in their networks. Practical starting points drawn from the toolset above are process-creation events for Mimikatz, EDRSandBlast, PCHunter, PowerTool, Nmap, and Nping; outbound uploads to MEGA and EasyUpload.io; and anomalous logons or snapshot and VM-power operations on vCenter and ESXi hosts.
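As an added example that is not part of the original report or of any vendor rule set, the following Python hunting helper turns the tool and service names from the threat actor profile above into a check over process-creation events and a proxy log. The log samples are constructed for illustration, the event field names follow Sysmon event ID 1 conventions, the proxy format is a generic space-separated layout assumed here, and the binary file names are assumed defaults (operators routinely rename tools, so Mimikatz command-line syntax is checked as well). Hits are leads for an analyst, not verdicts.

```python
import json
import re
from urllib.parse import urlsplit

# Process image basename (lower-case) -> label. Names are assumed defaults.
TOOL_IMAGES = {
    "mimikatz.exe": "credential access (Mimikatz)",
    "edrsandblast.exe": "defense evasion (EDRSandBlast)",
    "pchunter32.exe": "defense evasion (PCHunter)",
    "pchunter64.exe": "defense evasion (PCHunter)",
    "powertool.exe": "defense evasion (PowerTool)",
    "powertool64.exe": "defense evasion (PowerTool)",
    "nmap.exe": "discovery (Nmap)",
    "nping.exe": "discovery (Nping)",
}

# Mimikatz module syntax survives a renamed binary, so match the command line too.
CMDLINE_PATTERNS = [
    (re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I),
     "credential access (Mimikatz syntax)"),
]

# File-sharing services the profile lists as exfiltration channels.
EXFIL_DOMAINS = ("mega.nz", "mega.io", "mega.co.nz", "easyupload.io")


def _basename(path):
    """Return the lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_process_events(jsonl):
    """Scan JSON-lines process-creation events (fields: Computer, User, Image,
    CommandLine) and return one dict per event that matches a tool indicator."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        reasons = []
        if image in TOOL_IMAGES:
            reasons.append(TOOL_IMAGES[image])
        for pattern, label in CMDLINE_PATTERNS:
            if pattern.search(cmd):
                reasons.append(label)
        if reasons:
            hits.append({"host": ev.get("Computer"), "user": ev.get("User"),
                         "image": image, "reasons": reasons})
    return hits


def _is_exfil_host(host):
    """True when host is one of the listed services or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)


def hunt_proxy_log(text):
    """Scan proxy lines 'timestamp client method url status bytes_out' and
    return (client, host, bytes_out) for uploads to the listed services."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        _ts, client, method, url, _status, bytes_out = parts[:6]
        host = urlsplit(url).hostname or ""
        if method.upper() in ("POST", "PUT") and _is_exfil_host(host):
            hits.append((client, host, int(bytes_out)))
    return hits


# Constructed sample input (not real telemetry). Raw string keeps JSON escapes intact.
SAMPLE_PROCESS_EVENTS = r"""
{"Computer": "WS-17", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"Computer": "WS-17", "User": "CORP\\jdoe", "Image": "C:\\Users\\Public\\mimikatz.exe", "CommandLine": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"}
{"Computer": "SRV-DB2", "User": "CORP\\svc_backup", "Image": "C:\\Temp\\svchost.exe", "CommandLine": "svchost.exe \"sekurlsa::logonpasswords\""}
{"Computer": "SRV-DB2", "User": "CORP\\svc_backup", "Image": "C:\\Temp\\PCHunter64.exe", "CommandLine": "PCHunter64.exe"}
{"Computer": "ADM-01", "User": "CORP\\admin", "Image": "C:\\Tools\\nmap.exe", "CommandLine": "nmap.exe -sS 10.0.0.0/24"}
"""

# Constructed sample proxy log (not real telemetry).
SAMPLE_PROXY_LOG = """
2026-04-10T02:14:07Z 10.20.3.17 GET https://www.example.com/ 200 512
2026-04-10T02:15:31Z 10.20.3.17 POST https://g.api.mega.co.nz/cs 200 734003200
2026-04-10T02:20:44Z 10.20.3.17 PUT https://easyupload.io/upload 200 104857600
2026-04-10T02:21:02Z 10.20.5.9 GET https://mega.nz/ 200 2048
"""

if __name__ == "__main__":
    for hit in hunt_process_events(SAMPLE_PROCESS_EVENTS):
        print("PROCESS", hit)
    for client, host, size in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print("UPLOAD", client, host, size)
```

On the constructed sample the process check flags four events (the renamed `svchost.exe` is caught only by its Mimikatz command-line syntax, which is why the second check exists) and the proxy check flags the two uploads while ignoring the plain GET to mega.nz. In production, feed real Sysmon or EDR telemetry and proxy exports into these functions and correlate hits by host and user before escalating.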

Disclaimer

This report is based on an unverified claim from a ransomware group’s data leak site. The information presented here has NOT been independently confirmed by Yazoul Security or external sources. Ransomware groups frequently exaggerate or fabricate claims to extort victims. This report is for situational awareness and threat intelligence purposes only. The mention of any tools, TTPs, or detection methods does not constitute an endorsement or confirmation of their effectiveness.
