[QILIN] – Ransomware Victim: Rihatec[.]de


Ransomware Group: QILIN

VICTIM NAME: Rihatec[.]de

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

A ransomware leak post dated October 4, 2025 and attributed to the QILIN group concerns the Germany-based technology firm known as Rihatec[.]de. The page presents the victim as a technology company focused on automation of control systems and related solutions, noting its German base and a founding date of 1995 near Munich. The post frames the incident as a data-leak event rather than a traditional encryption incident, claiming that sensitive internal documents have been exfiltrated and may be released publicly or offered for download as part of a double-extortion tactic. While the excerpt does not reveal a specific ransom amount, the page indicates a publicly accessible claim URL and asserts that the attackers possess confidential materials related to the victim’s business relationships and operations.

The leak page includes a gallery of 31 images (screenshots) intended as evidence of the exfiltration. The exact contents of these images are not described in the excerpt, but their presence supports the attackers’ claim of stolen internal documents. The material referenced includes marketing reports showing declining sales, growing accounts receivable, contracts, and personal information about employees, including top managers, which the attackers say are available to be shared publicly. This framing aligns with ransomware operators’ emphasis on data disclosure rather than a pure encryption event, and it suggests the repo-like collection of documents is being used to pressure the victim.

The leak excerpt also notes several contact and data-exchange artifacts accompanying the post: a Jabber contact is listed, with the email address redacted, along with a TOX identifier and what appears to be an FTP credential snippet. These elements illustrate the attackers’ use of multiple communication channels and data-sharing vectors in conjunction with the post. The post date is clearly indicated as October 4, 2025; no separate compromise date is provided in the visible content. Taken together, the page presents a data-leak narrative centered on Rihatec[.]de, supported by a sizable image gallery and structured to warn of potential public disclosure of internal materials.

