Attack alert: qilin targets Yellow Cab of Columbus - US
Introduction
How Qilin Compromised Yellow Cab of Columbus, Transportation in the US
On December 4, 2025, the Qilin ransomware group claimed responsibility for a cyberattack against Yellow Cab of Columbus, an Ohio-based urban transportation company. This breach, classified as SIGNAL level according to the XC-Classify protocol, exposed sensitive data belonging to an organization that manages the personal information of hundreds of passengers daily: GPS coordinates of trips, bank details related to card payments, and customer information. For an SME with 10 to 50 employees operating in the transportation sector, this incident illustrates the growing vulnerability of urban mobility infrastructure to malicious actors specializing in double extortion. The attack comes at a time when traditional taxi services are accumulating considerable volumes of geolocation and financial data, transforming these small businesses into prime targets for cybercriminal groups.
Detailed Analysis
The intrusion highlights the specific risks faced by urban transportation companies, which, unlike large ride-hailing platforms, rarely have dedicated cybersecurity teams. The compromised data potentially includes travel histories revealing lifestyle habits, bank details used for contactless payments, and customer files containing addresses and phone numbers. This breach comes as the US transportation sector faces a surge in attacks targeting critical mobility infrastructure, as demonstrated by the recently published Threats Analysis for the Transportation Sector. Blockchain certification of this incident via the XC-Audit protocol guarantees immutable traceability of the evidence, unlike traditional centralized verification systems that can be manipulated or challenged.
Qilin: Methodology, History, and Victims of the Ransomware Group
Qilin, also known as Agenda, is a cybercriminal collective operating under the Ransomware-as-a-Service (RaaS) model and active since 2022. This group is distinguished by its ability to recruit experienced technical affiliates, providing them with sophisticated encryption infrastructure and a dedicated leak site to maximize pressure on victims. Its modus operandi relies on systematic double extortion: encrypting critical systems and threatening to publish the exfiltrated data on its public platform accessible via the dark web.
The initial intrusion techniques favored by the malicious actor include exploiting vulnerabilities in services exposed to the internet, particularly poorly configured VPN remote access solutions and unpatched Microsoft Exchange servers. Once access is established, the collective deploys network reconnaissance tools to map the infrastructure, disables antivirus solutions, and wipes backups before initiating the encryption process. Persistence is ensured by the installation of backdoors, allowing for a subsequent return even after apparent remediation.
The group primarily targets the Healthcare, Manufacturing, and Transportation sectors in the United States and Europe, favoring medium-sized organizations (50-500 employees) with sufficient financial resources but limited cybersecurity defenses. Notable victims include US hospitals forced to suspend their emergency services, European manufacturing companies that suffered weeks of production shutdowns, and now urban mobility services like Yellow Cab of Columbus. The RaaS model allows Qilin to launch multiple simultaneous attacks through its affiliates, each receiving a share of the collected ransoms, generally between 70% and 80% of the total amount.
Analysis of previous campaigns reveals increasing sophistication in data exfiltration techniques, with volumes reaching tens of gigabytes transferred via encrypted channels before encryption is triggered. To understand Qilin's detailed operating methods, our CTI analysts have documented the evolution of the group's TTPs (Tactics, Techniques, and Procedures) since its inception.
Yellow Cab of Columbus: Company Profile - Transportation (10-50 employees) - US
Yellow Cab of Columbus is a long-established player in urban transportation in Ohio's capital, operating for several decades in a market now facing competition from ride-hailing platforms. The company employs between 10 and 50 people, including drivers, dispatchers, and administrative staff, and manages a fleet of vehicles equipped with onboard GPS systems and electronic payment terminals. This digital infrastructure, developed progressively to meet modern customer expectations, accumulates sensitive data daily: geolocated and time-stamped trips, bank information for card payments, personal contact information for regular passengers, and booking histories.
The location in Columbus, a city of nearly 900,000 inhabitants and the administrative capital of Ohio, gives the targeted organization strategic importance for local mobility. Traditional taxi services like Yellow Cab provide critical transportation to hospitals, airports, and train stations, transporting vulnerable populations (the elderly, patients, travelers) who rely on these regular services. Unlike large technology platforms with dedicated cybersecurity teams, this family-owned SME likely relies on outsourced IT systems or systems managed by a local provider, with limited budgets for data security.
The potential impact of this breach extends beyond the company itself. The exposed customer data could reveal sensitive travel patterns: regular trips to medical facilities, nighttime travel, residential addresses, phone numbers, and payment information. For business travelers using Yellow Cab for work, the exposure of trip histories could compromise confidential business information. The small size of the organization (10-50 employees) also suggests limited incident response capabilities, lacking an internal Security Operations Center (SOC) team or a robust business continuity plan in the face of widespread system encryption.
The US transportation sector includes thousands of similar small businesses, often family-owned and multigenerational, which form the backbone of urban mobility in mid-sized cities. Companies in the transportation sector must urgently strengthen their defenses in the face of the increasing threat of ransomware attacks targeting critical mobility infrastructure.
Technical Analysis: Exposure Level
The SIGNAL classification assigned by the XC-Classify protocol indicates a confirmed data breach with exposure, but the extent of the breach is still being thoroughly analyzed. This level, distinct from the MINIMAL, PARTIAL, or FULL classifications, indicates a situation where the malicious actor has publicly claimed responsibility for the attack on their leak website, confirming the exfiltration of sensitive files before any potential encryption of the systems. For Yellow Cab of Columbus, the likely exposed data includes customer databases containing names, addresses, phone numbers, and booking histories; GPS logs revealing thousands of geolocated trips with precise timestamps; and financial information related to credit card transactions.
The exact volume of compromised data was not publicly disclosed by the Qilin Group at the time of discovery on December 4, 2025, but metadata analysis suggests an exfiltration primarily targeting operational databases and dispatch systems. The exposed files could include internal administrative documents (driver contracts, supplier invoices, email correspondence) revealing the company's internal organization. The type of information obtained corresponds to a classic attack pattern against the transportation sector: maximizing pressure by exposing sensitive customer data while simultaneously compromising critical business continuity operational systems.
Frequently Asked Questions
When did the attack by qilin on Yellow Cab of Columbus occur?
The attack occurred on December 4, 2025, and was claimed by qilin. The incident can be tracked directly on the dedicated alert page for Yellow Cab of Columbus.
Who is the victim of qilin?
The victim is Yellow Cab of Columbus, which operates in the transportation sector. The company is located in the United States. You can search for Yellow Cab of Columbus's official website. To learn more about the qilin threat actor and their other attacks, visit their dedicated page.
What is the XC protocol level for the attack on Yellow Cab of Columbus?
The XC protocol level is currently at XC SIGNAL status, meaning the attack on Yellow Cab of Columbus has been claimed by qilin but has not yet been confirmed by our community. Follow the progress of this alert.
Conclusion
Regarding the initial intrusion method, our analysis of previous Qilin campaigns suggests several likely vectors: exploitation of a poorly secured VPN connection used by IT service providers, compromise of an administrator account via targeted phishing, or exploitation of an unpatched vulnerability in dispatch or payment systems. The likely timeline begins with silent network reconnaissance lasting several days or weeks, followed by the gradual exfiltration of sensitive data through encrypted channels, before the actual ransomware deployment. The lack of early detection suggests shortcomings in monitoring and event log analysis capabilities.
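The methodology section above notes that the group disables antivirus and wipes backups before encryption, and the conclusion points to weak event log analysis as the reason the intrusion went unnoticed. The following added example (not code from the alert or from any vendor) shows the kind of log-review rule a small operator's IT provider could run over Windows process-creation events to catch those pre-encryption steps: the JSON event shape, the hostnames and the commands are constructed for illustration, and the matched built-in tools are assumptions about common tradecraft, not indicators taken from this incident.

```python
import json
import re

# Rules keyed on the two pre-encryption steps the alert describes:
# backup destruction and defence tampering. The command patterns are
# illustrative assumptions (well-known Windows built-ins), not IoCs.
RULES = {
    "backup_destruction": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wbadmin(\.exe)?\s+delete\s+catalog"
        r"|bcdedit(\.exe)?\s+.*recoveryenabled\s+no",
        re.IGNORECASE),
    "defence_tampering": re.compile(
        r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true"
        r"|sc(\.exe)?\s+(stop|config)\s+\S*(defend|sense)",
        re.IGNORECASE),
}

def analyze_process_logs(lines):
    """Return (timestamp, host, rule, command) tuples for every
    newline-delimited JSON process-creation event that trips a rule."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting triage
        cmd = event.get("CommandLine", "")
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append((event.get("UtcTime"), event.get("Computer"),
                                 name, cmd))
    return findings

# Constructed sample events in a simplified Sysmon-like JSON layout;
# not telemetry from the incident. Host name is a placeholder.
SAMPLE_LOGS = r"""
{"UtcTime": "2025-12-01T02:14:09Z", "Computer": "DISPATCH01", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"UtcTime": "2025-12-01T02:14:30Z", "Computer": "DISPATCH01", "CommandLine": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"}
{"UtcTime": "2025-12-01T08:00:00Z", "Computer": "DISPATCH01", "CommandLine": "notepad.exe C:\\shifts\\roster.txt"}
"""

if __name__ == "__main__":
    for finding in analyze_process_logs(SAMPLE_LOGS.splitlines()):
        print(finding)
```

Both hits land hours before the benign roster edit, which is the window in which an alert would still let a dispatcher's IT provider isolate the host before encryption starts.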