Qilin posts ultimatum for U.S. manufacturer Pro‑Plastics, threatening full data leak

The ransomware group Qilin listed U.S. plastics manufacturer Pro‑Plastics on a dark‑web leak site on February 28, 2026, posting an ultimatum that it would publish a "full leak" unless company representatives made contact. Threat‑intelligence indexers captured the posting and associated leak screenshots and timestamps, signaling a potential extortion attempt against a firm described in index entries as a key player in American manufacturing.

DeXpose recorded the Qilin entry and reproduced the group's message: “The full leak will be published soon, unless a company representative contacts us via the channels provided.” HookPhish captured microsecond‑level metadata for the incident, listing a date of breach at 2026-02-28 21:02:36.060651 and a discovery timestamp of 2026-02-28 21:03:26.290682. Ransomware.live also indexed the listing, marking it discovered on 2026-02-28 and noting a dataset update at 2026-03-01 06:54:58 UTC. The indexing pages display the Pro‑Plastics name alongside variants of the company domain — pro-plastics.com and proplastics.com — which appear inconsistently across monitors.

The indexed postings and screenshots do not provide independent confirmation that Pro‑Plastics had its systems encrypted or that specific volumes of data were taken. The aggregator sites include legal disclaimers stating they index publicly visible operator posts and do not host or possess stolen content. Those caveats underscore a gap between a threat actor's claim and forensic confirmation by the victim or an incident responder.

Security researchers and incident‑response teams say Qilin has become a prolific extortion actor that frequently targets manufacturers and government entities. Industry tracking by Industrialcyber Co shows that so far this year Qilin has claimed 701 victims, with 118 attacks confirmed, and lists 143 claimed attacks against manufacturers among 590 business targets. Industrialcyber Co cited high‑profile claims by Qilin, including more than 4 terabytes of data allegedly taken from Nissan Creative Box, and disruptions at companies such as Asahi Group Holdings and Alu Perpignan. “Manufacturers are Qilin’s favorite target,” Moody detailed in an industry analysis.

Formal incident‑response reporting paints Qilin as a mature operation with a pattern of data theft and network‑wide encryption. A September 11, 2025, CIS advisory based on an MS‑ISAC case described an intrusion chain that began with a phishing email, exploited a user account with weak credentials, and escalated via newly created admin accounts to encrypt servers; that case included a $500,000 ransom demand and a threat to post sensitive data on a leak blog. CIS warned Qilin had become one of the most active ransomware groups affecting U.S. state and local entities in mid‑2025 and that its operations pose a near‑term threat to critical networks.

At present, the public trail on the Pro‑Plastics posting is limited to the threat actor's message and indexer captures. The posting, the timestamps, and the group's history underscore both the immediacy of the threat and the uncertainty that surrounds leak‑site claims until forensic teams or the company itself confirm the scope of any compromise. Law enforcement, industry responders, or Pro‑Plastics representatives have not provided public technical details linked to the indexed listing in the material recorded by the monitors.