analyst @ nohacky :~/threat-actors $
cat / threat-actors / qilin
analyst@nohacky:~/qilin.html
active threat profile
type ransomware
threat_level critical
status active
origin Russia (assessed)
last_updated 2026-03-26
QI
qilin

Qilin / Agenda

also known as: Agenda Ransomware Water Kryptik (Trend Micro) Qilin.B (2024 variant)

Qilin is a Russian-linked Ransomware-as-a-Service operation that became the highest-volume ransomware group by confirmed victim count in 2025, claiming over 800 victims across more than 50 countries. Its June 2024 attack on NHS pathology provider Synnovis shut down blood testing across seven London hospitals, contributed to 170 documented cases of patient harm, and is officially linked to at least one patient death — making it the most consequential ransomware incident in healthcare history by confirmed clinical impact.

attributed origin Russia (assessed — CIS exclusion in code)
suspected sponsor Financially motivated criminal enterprise; no direct state nexus confirmed
first observed August 2022 (as Agenda); rebranded Qilin late 2022
primary motivation Financial — double extortion via encryption and data theft
primary targets Healthcare, Manufacturing, Government, Education, Financial Services
known campaigns 800+ confirmed victims (2022–2025)
mitre att&ck group Unassigned (no formal G-number as of March 2026)
target regions United States (primary), United Kingdom, Canada, France, South Korea, global
threat level CRITICAL

Overview

Qilin emerged in August 2022 under the name Agenda — a Golang-based ransomware tool advertised on dark web forums. By late 2022 the group had rebranded as Qilin and rebuilt its encryptor in Rust, gaining the cross-platform capability to target Windows, Linux, and VMware ESXi environments with a single toolchain. The shift to Rust was significant: the language's performance characteristics enabled faster encryption and made the payload harder to reverse-engineer than comparable Go or C++ tools.

Qilin operates as a classic Ransomware-as-a-Service platform. The core team develops and maintains the malware, infrastructure, affiliate panel, and support tools, while recruited affiliates carry out the actual intrusions. Affiliates retain 80% of ransoms below $3 million USD and 85% of ransoms above that threshold. This split is competitive within the RaaS ecosystem and helped Qilin attract affiliates displaced by the FBI disruption of LockBit in February 2024 and the collapse of RansomHub's infrastructure in April 2025.

The ransomware deliberately excludes systems in Commonwealth of Independent States (CIS) countries — a hard-coded behavior consistent with Russian-speaking threat actor norms and assessed by researchers as a strong indicator of Russian origin or operation, though no state sponsorship has been identified. Infrastructure tied to Qilin's dark web onion site has been geolocated to the Russian Federation via FOFA searches prior to the group correcting the exposure.

A notable evolution in 2024 was the release of Qilin.B, a variant with enhanced encryption: AES-256-CTR with OAEP padding for RSA key wrapping, AES-NI hardware acceleration for near-instant encryption on modern CPUs, and ChaCha20 for certain communications. Qilin.B also introduced more aggressive defense evasion including Windows event log clearing, payload self-deletion post-encryption, and process injection to disable security tooling before encryption begins.

In Q3 2025, DragonForce ransomware announced a cartel-style partnership with both LockBit and Qilin, sharing infrastructure and backend tooling. This alliance mirrors the 2020 Maze-LockBit partnership that helped normalize double extortion, and signals that Qilin's operational tempo is unlikely to diminish in the near term.

Target Profile

Qilin affiliates select victims opportunistically, with a demonstrated preference for organizations where operational disruption creates maximum leverage for ransom payment. Sectors with high data sensitivity, low tolerance for downtime, or regulatory exposure are consistently overrepresented.

  • Healthcare: Hospitals, laboratory services, and pathology providers are a consistent focus. The Synnovis attack demonstrated a willingness to accept mass civilian harm as collateral damage. Healthcare organizations face immediate life-safety pressure to restore systems and are therefore more likely to engage in ransom negotiations quickly.
  • Government and Public Sector: Municipal courts, county governments, and public agencies have featured prominently. In Q2 2025, Qilin accounted for nearly a quarter of all ransomware attacks on U.S. state and local government entities. These organizations typically have aging infrastructure, constrained IT budgets, and significant public accountability that increases payment pressure.
  • Manufacturing and Professional Services: These are the most consistently targeted commercial verticals. Manufacturing operations cannot tolerate extended downtime without cascading supply chain impact, and professional services firms hold sensitive client data that amplifies extortion leverage.
  • Education: Universities and school districts are targeted for their large data repositories, complex networks, and limited security maturity. A September 2025 campaign — the "Korean Leaks" operation — hit at least 25 South Korean financial firms in asset management through a single compromised managed service provider, demonstrating the group's willingness to conduct coordinated sector-specific campaigns.
  • Financial Services: Banks, asset managers, and financial technology firms are targeted for their data sensitivity and the regulatory exposure that a public breach creates. Qilin's affiliate panel allows operators to deploy tailored "call a lawyer" pressure tactics during negotiations — a feature explicitly designed to exploit regulatory and legal anxieties.

Geographically, the United States accounts for over half of all confirmed Qilin victims. Canada, France, the United Kingdom, Germany, and Japan follow. The September 2025 South Korean campaign showed capacity for highly targeted regional operations through supply chain compromise of a single MSP.

Tactics, Techniques & Procedures

Qilin affiliates employ a broad kill chain. Initial access is primarily credential-based, with a secondary emphasis on vulnerability exploitation of public-facing appliances. Post-compromise behavior is consistent across campaigns regardless of affiliate, suggesting the core operator provides standardized tooling.

mitre id technique description
T1078 Valid Accounts Primary initial access method. Affiliates purchase or harvest credentials from credential dumps, phishing campaigns, and dark web markets, then authenticate directly to VPN portals and RDP services lacking MFA.
T1190 Exploit Public-Facing Application Exploitation of unpatched vulnerabilities in VPN appliances and remote access services. Documented cases include exploitation of Cisco ASA and ScreenConnect administrator interfaces to reach downstream MSP customers.
T1566.002 Spearphishing Link AI-generated phishing lures used to harvest credentials. Qilin is documented as using AI tools to produce more convincing spearphishing content and believable digital twin personas for targets.
T1053.005 Scheduled Task Persistence mechanism. Malicious payload execution is configured via scheduled tasks to survive reboots and maintain access across extended dwell periods.
T1059.001 PowerShell Used extensively for reconnaissance, lateral movement staging, and payload deployment. PowerShell scripts execute network discovery, identify additional targets, and disable security tooling prior to encryption.
T1021.001 Remote Services: RDP RDP used for lateral movement after initial access. Combined with valid credentials obtained via Cyberduck or WinSCP for data staging and exfiltration before encryption.
T1219 Remote Access Software Legitimate remote administration tools including WinSCP and Splashtop are used to transfer payloads and maintain persistence without triggering signature-based detections.
T1562.001 Impair Defenses: Disable or Modify Tools Security processes and AV/EDR tooling are terminated before encryption. In documented BYOVD (Bring Your Own Vulnerable Driver) campaigns, a vulnerable kernel driver is loaded to kill endpoint security from the kernel level.
T1055 Process Injection Malicious code injected into legitimate system processes to evade detection. Used in pre-encryption staging to disable telemetry and security monitoring without triggering obvious alerts.
T1486 Data Encrypted for Impact Core ransomware function. Qilin.B uses AES-256-CTR with AES-NI hardware acceleration for near-instant encryption. ChaCha20 stream cipher used for certain communications. Golang and Rust variants support Windows, Linux, and ESXi.
T1490 Inhibit System Recovery Windows VSS (Volume Shadow Copies) are deleted to prevent recovery without paying the ransom. Veeam backup infrastructure is actively targeted for credential theft to disable backup recovery paths.
T1041 Exfiltration Over C2 Channel Sensitive data is staged and exfiltrated before encryption as part of the double extortion model. The threat to publish or sell data is the primary leverage mechanism when victims have functional backups.
T1070.001 Indicator Removal: Clear Windows Event Logs Windows event logs are cleared post-encryption to remove forensic artifacts and slow incident response. Payload also self-deletes to erase evidence of the ransomware binary from disk.
T1552.001 Credentials from Password Stores: Credentials from Web Browsers A documented 2024 campaign deployed a Chrome credential stealer against domain-joined machines, harvesting all stored passwords from browser profiles across the environment before encryption.
analyst note

A Q4 2025 Qilin campaign documented by SentinelOne and The Hacker News combined Windows Subsystem for Linux (WSL) abuse with BYOVD. The actor enabled WSL on compromised Windows hosts, then ran a Linux ELF encryptor inside the WSL environment — bypassing Windows-focused EDR tools that do not inspect ELF binaries. This technique makes Qilin detectable only by EDR solutions with agentless or hypervisor-level visibility across hybrid environments.

Known Campaigns

Selected confirmed and highly attributed operations. Qilin's affiliate model means individual attack specifics vary; the campaigns below represent the group's highest-profile and most consequential incidents.

Synnovis NHS Attack June 2024

On June 3, 2024, Qilin encrypted systems at Synnovis — the NHS pathology partnership serving Guy's and St Thomas' NHS Foundation Trust and King's College Hospital. Blood testing across southeast London dropped to approximately 10% of normal capacity. Seven hospitals canceled over 1,100 operations and 2,000+ outpatient appointments in the first two weeks alone. More than 900,000 patients are estimated to have had data stolen. Qilin demanded $50 million; Synnovis refused to pay on ethical grounds. On June 20 the group published 400 GB of data — including names, NHS numbers, blood test descriptions, and financial partnership records — on its dark web site. The South East London Integrated Care Board documented 170 cases of patient harm, including two classified as severe. King's College Hospital NHS Foundation Trust subsequently confirmed that delays in blood test results caused by the attack were among contributing factors in one patient's death. This is the first confirmed ransomware-linked patient fatality to be officially acknowledged by an NHS Trust.

Malaysian Airports Holdings Berhad March 2025

Qilin disrupted critical airport systems at Malaysia Airports Holdings Berhad and demanded $10 million in ransom, claiming to have exfiltrated 2 TB of sensitive operational data. Malaysian officials confirmed the attack and stated the organization did not pay the ransom. The incident highlighted Qilin's expanded targeting beyond healthcare into transportation and national infrastructure.

Cleveland Municipal Court February 2025

Qilin caused weeks of operational disruption at the Cleveland Municipal Court, demanding $4 million in ransom. The court refused to pay. Court operations were significantly impaired, delaying case proceedings and affecting the public administration of justice across the jurisdiction.

Korean Leaks — MSP Supply Chain Campaign September 2025

A coordinated sector-specific operation targeting South Korean financial services through a single compromised managed service provider. At least 25 South Korean asset management firms were hit in approximately one month. The campaign demonstrated Qilin's capability for deliberate geographic and sector targeting through supply chain compromise, rather than opportunistic affiliate-driven attacks.

Ciudad Autónoma de Melilla (Spain) June 2025

Qilin targeted the autonomous Spanish city of Melilla, demanding approximately $2.12 million and claiming the theft of 4–5 TB of sensitive governmental data. The attack disrupted municipal services and highlighted the group's continued targeting of European government entities.

MSP ScreenConnect Spearphishing Campaign April 2025

Documented by Sophos MDR, Qilin affiliates spear-phished a managed service provider's ScreenConnect administrator account, then pivoted through the RMM platform to deploy ransomware against multiple downstream customers simultaneously. This supply chain approach amplifies the impact of a single initial compromise by reaching all organizations managed through a shared tool.

Tools & Malware

Qilin's toolset combines a purpose-built RaaS platform with commodity post-exploitation tools used across its affiliate network.

  • Qilin Ransomware (Golang variant): Original encryptor written in Go, supporting both Windows and Linux targets. Highly configurable — affiliates specify which directories and file types to skip, which processes to terminate, and whether to exclude virtual machines. Appends custom file extensions set per-campaign.
  • Qilin.B (Rust variant): Rewritten in Rust for improved performance and cross-platform reach. Introduces AES-256-CTR encryption, OAEP-padded RSA key wrapping, AES-NI hardware acceleration, and ChaCha20 for communications. Released 2024. Includes enhanced evasion: event log clearing, self-deletion, process injection, and anti-sandbox checks.
  • Chrome Credential Stealer: Custom module deployed in documented 2024 campaigns that targets Chrome Local State files, terminates browser processes, decrypts stored login data, and exfiltrates the credential database. Confirmed to operate across all domain-joined machines in compromised environments.
  • WikiLeaksV2: Qilin's dark web data leak site. The group has been linked to its hosting infrastructure through BEARHOST Servers (also known as Underground and Voodoo Servers), a large bulletproof hosting provider. The leak site includes features enabling affiliates to manage victim blog posts and set data disclosure timelines.
  • Cobalt Strike: Used post-access for C2, lateral movement, and payload delivery. Consistent with standard RaaS affiliate operational tradecraft.
  • WinSCP / Cyberduck: Legitimate file transfer tools used for data staging and exfiltration. Selection of legitimate tools reduces signature detection risk during exfiltration.
  • Splashtop: Legitimate remote access tool used by some affiliates for persistence and interactive access without deploying purpose-built backdoors.
  • Affiliate Panel: Full-featured web panel providing affiliates with ransomware build configuration, victim management, negotiation tooling, a "Call a Lawyer" button that introduces legal pressure into negotiations, an integrated DDoS module for victim websites, an automated negotiation chatbot, and a "WikiLeaks journalist" module for writing public shame posts against non-paying victims.

Indicators of Compromise

The following represents a subset of publicly disclosed IOCs from documented Qilin campaigns. Qilin infrastructure rotates regularly; treat all indicators as time-sensitive and verify against current threat intelligence feeds before operational use.

warning

IOCs burn quickly after public disclosure. Qilin infrastructure rotates between campaigns. Cross-reference with live threat intel feeds (KELA, SOCRadar, Recorded Future) before implementing as blocks. The ESET, Sophos, Blackpoint, and CISA Qilin advisories contain more comprehensive and continuously updated IOC sets.

indicators of compromise — Qilin / Agenda (public record)
file ext .agenda (original); .qilin; custom per-affiliate — configured at build time
ransom note README-RECOVER-[EXTENSION].txt — dropped in every encrypted directory
mutex Unique mutex strings per build; deterministic ransom note filename format documented for some variants (e.g., e47qfsnz2trbkhnt.devman pattern in affiliated builds)
behavior vssadmin.exe delete shadows /all /quiet — VSS deletion before encryption
behavior wevtutil.exe cl — Windows event log clearing post-encryption
behavior WSL installation followed by ELF binary execution on Windows hosts (BYOVD + WSL evasion chain — documented Q4 2025)
infrastructure WikiLeaksV2 onion site — hosted via BEARHOST/Underground/Voodoo Servers bulletproof infrastructure
hash (sha256) See ESET Research GitHub IoC repository and Blackpoint Qilin Threat Profile (Jan 2026) for current sample hashes

Mitigation & Defense

Because Qilin's primary entry path is compromised credentials against VPN and RDP services, identity controls are the highest-value defensive layer. Backup integrity and EDR coverage of non-traditional endpoints are critical secondary controls.

  • Enforce MFA on all remote access: Qilin affiliates consistently exploit VPN portals and RDP services that lack multi-factor authentication. Enforce phishing-resistant MFA (hardware token or passkey) on all internet-facing authentication surfaces. Conditional access policies should require compliant devices and flag anomalous login geographies.
  • Disable or strictly limit RDP exposure: RDP should not be directly internet-facing. Where required, place behind a VPN with MFA. Implement network-level authentication and account lockout policies. Audit regularly for unexpected RDP listeners on non-standard ports.
  • Patch VPN and edge appliances promptly: Qilin affiliates exploit unpatched Cisco ASA, Fortinet, and ScreenConnect vulnerabilities for initial access. Treat VPN appliance updates as P1 patches and implement a maximum 72-hour remediation window for critical CVEs affecting edge devices.
  • Implement agentless or hypervisor-level EDR: The BYOVD + WSL evasion chain documented in late 2025 bypasses Windows agent-based EDR that does not inspect ELF binaries. Defend against this with EDR solutions offering agentless network-level detection, or hypervisor-based visibility for ESXi and WSL environments.
  • Protect and test backup integrity: Qilin actively targets Veeam infrastructure to steal backup credentials before encryption. Maintain offline or immutable backups on a network segment inaccessible from production. Test restoration quarterly. Store backup credentials in a privileged access workstation not reachable from the environment being protected.
  • Monitor for VSS deletion and event log clearing: Both vssadmin delete shadows and wevtutil cl are reliable pre-encryption behavioral signals. SIEM rules detecting these commands should trigger immediate tier-1 escalation, not queue for analyst review.
  • Restrict lateral movement paths: Segment networks to limit RDP, SMB, and WinRM reachability between zones. Implement tiered administrative access so a compromised endpoint account cannot authenticate to domain controllers or backup infrastructure.
  • Monitor Chrome credential stores on domain-joined machines: The documented Chrome stealer targets the Local State file. EDR rules should alert on unexpected processes reading Chrome's Login Data and Local State files, particularly outside browser process context.
  • Audit MSP remote access tools: ScreenConnect, Splashtop, AnyDesk, and similar RMM tools are consistently abused for persistence and lateral movement. Maintain an allowlist of authorized RMM tools and alert on any new remote access software appearing in the environment.
healthcare organizations

The Synnovis attack demonstrated that Qilin affiliates will accept mass civilian harm without modifying their extortion posture. Healthcare organizations in Qilin's target profile — particularly those providing pathology, blood banking, or diagnostic services to multiple downstream institutions — should treat a ransomware event as a mass casualty incident from a incident response planning perspective. Business continuity plans must include manual workflows for critical blood typing, transfusion services, and lab result relay that do not depend on any networked system.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile — last updated 2026-03-26