Atlantis Submarines hit by RaaS attack, Operational Files at Risk

Yesterday, Qilin, the ransomware-as-a-service (RaaS) group, targeted one of the operational bases of Atlantis Submarines, located in Barbados, and subsequently released a sample consisting of nine images that appear to be part of a larger cache of private, exfiltrated data now exposed for public viewing.
Atlantis is a successful tourism company popular for its passenger-carrying submarine tours. They offer underwater expeditions in tropical destinations around the world. Since its founding in 1985, the company has carried out over half a million dives. This makes Atlantis a high-profile target in the hospitality industry.
Because this attack affects a component of the business sector, the incident is categorized under “Hospitality and Tourism”. Despite Atlantis’ reputation as a world leader in tourist submarines, Qilin has not divulged much about the scope of the attack itself or how much data was exfiltrated. It does appear, however, that the data breach involved operational files.

What the group released
The post featured on Qilin’s onion site lacks specifics beyond what can be gleaned from the screenshots. There are no direct download links, file indexes, summaries of exfiltrated data, dump sizes, ransom notes, or ransom amounts. However, based on the uncensored images, it’s clear the attack highlights a potential risk to Atlantis’ operational systems.
Such scant publication isn’t unusual for Qilin and aligns with the group’s double extortion modus operandi: push victim-specific leak pages with some screenshots or teasers to mount pressure on its targets.
What the Leak Contains
A careful examination of the exfiltrated documents reveals information that will immediately cause damage to the company. At the time of this writing, these images have been viewed 881 times and include the following:
- An unredacted Visa Commercial card featuring the cardholder’s name, card number, and a sticker with activation instructions, along with a photo of the back displaying the 3-digit CVV number.
- Billing information associated with a vendor.
- Other internal financial data, such as emails and letters containing salary adjustments.
Who is Qilin
The RaaS group Qilin made its first public appearance in July 2022, under the name “Agenda”, although it is believed that earlier versions of its malware may have been detected months prior.
The group’s malware is known for its customizable ransomware payloads and its ability to target multiple operating systems, such as Windows, Linux, and ESXi.
The group does not only encrypt data; it also exfiltrates it to extort its victims.