Qilin
The Qilin ransomware group—also known by its earlier name Agenda—is a sophisticated Ransomware-as-a-Service (RaaS) operation that emerged in 2022 and has since evolved into one of the most active and adaptable cyber extortion threats, targeting critical sectors worldwide through double-extortion tactics, advanced customization, and a rapidly expanding affiliate network.

Background information on Qilin
The group originally operated under the name Agenda (first observed mid-2022). By September 2022 it rebranded as Qilin (after the mythical creature). “Qilin ransomware” is thus sometimes referred to as Agenda or Qilin/Agenda.
Qilin runs as a Ransomware-as-a-Service (RaaS), supporting affiliates who carry out attacks using its tooling, infrastructure, and leak site. Reported affiliate profit splits give the operator a cut of around 15–20 % in many cases. Some reporting indicates that for ransoms over certain thresholds affiliates may keep 80–85 % (i.e. the operator takes a smaller share) to incentivize larger attacks.
While there is no definitive attribution, evidence suggests the core operators are Russian or based in former Soviet / CIS states:
- The ransomware binary sometimes includes a “kill switch” or language-check to avoid execution on systems with Russian or Eastern European locales.
- Affiliate recruitment is observed on Russian-language underground forums.
- The policy of not attacking CIS / Russian (former USSR) organizations is consistent with many Russian-origin ransomware groups.
- Attack timing, code reuse, operational signatures, and language usage all align with Eastern European cybercriminal culture.
Qilin/Agenda initially had implementations in Golang; later versions have been observed in Rust and updated tooling. The ransomware payload and affiliate panel are customizable (i.e., affiliates can select which file types or directories to skip, encryption modes, processes to kill, and so on). The group has enhanced its offerings over time, adding features to its leak site / blog, “legal assistance” components for affiliates, automated negotiation, DDoS capabilities, and spam support.
Countries targeted by Qilin
The group’s operations are global, with victims in North America, Europe, Asia, Latin America, and more.
In May 2023, Qilin’s leak site had victims from Australia, Brazil, Canada, Colombia, France, Netherlands, Serbia, UK, Japan, and the US.
Many attacks avoid CIS / former-Soviet states, consistent with the group’s internal rules.
Industries targeted by Qilin
- Healthcare & medical services: Qilin has repeatedly targeted medical providers, diagnostic services, and blood test labs, which are high-value due to critical data and operational sensitivity.
- Manufacturing & industrial: attacked production facilities and parts manufacturers.
- Construction, engineering, infrastructure: several reports of construction consultancies and relevant firms attacked.
- Technology, software, IT services: because of their connectivity and access to other networks.
- Finance, professional services: occasionally targeted, especially when sensitive data or client data is available.
- Consumer goods / industrial goods: the recent claimed attack on Asahi Group (Japan, beverages/beer) is an example of expansion to large conglomerates.
Qilin's victims
Qilin has breached more than 895 victims worldwide.
Qilin's Attack Method

- Initial access: Use of exposed remote services (e.g. RDP, VPN), exploitation of public-facing applications / software vulnerabilities, phishing / spear-phishing campaigns, and sometimes use of exposed FortiGate devices.
- Privilege escalation: Use of valid accounts / credentials (purchased, stolen, or lateral traversal), token theft / impersonation, process injection, possibly exploitation of vulnerabilities in software or OS.
- Defense evasion: Log deletion / clearing system event logs, disabling or terminating security/antivirus services, obfuscation of execution, selecting which directories/files to skip to avoid detection, periodic cleaning threads.
- Credential access: Extraction of credentials from memory, LSASS, credential dumping, reuse of leaked credentials, or exploitation of backup software configuration stores.
- Discovery: Network and host reconnaissance, identifying shares, domain controllers, discovering routing paths, mapping file servers and data stores.
- Lateral movement: Using valid credentials or remote services, replication across the network; pivoting via SMB, RPC, remote command execution; spreading to high-value systems and backup servers.
- Collection: Aggregating data of interest (e.g. databases, documents, sensitive files), staging exfiltration bundles, compression / encryption of exfil data.
- Execution: Deployment of the ransomware payload. Often executed via command-line with parameters, use of a custom executable (e.g. “w.exe”), possibly leveraging backup or VM infrastructure to propagate encryption.
- Exfiltration: Uploading stolen data to attacker-controlled servers, often before encryption (double extortion model). Use of encrypted channels or proxy tools, possibly via proxy/malware chains.
- Impact: Encryption of data on victim systems (AES-256 + RSA-2048 hybrid encryption in many cases), deletion of backups, displaying ransom notes, threatening public data leaks, denial of access to systems.
FAQs
What is Qilin’s principal motive?
Qilin is financially motivated. Its operations revolve around extortion via ransomware (encrypt + leak). There is no overt ideological or political messaging in their public leak sites or campaigns.
How does Qilin ensure affiliates comply with rules (e.g. not attacking CIS regions)?
The ransomware binary may include a language-based kill switch to prevent execution in Russian / Eastern European locales. They also enforce policies in their affiliate agreements (e.g. disallowing targeting of CIS / Russian entities).
Can Qilin be detected or blocked by modern EDR / XDR systems?
Many security vendors claim their tools can detect Qilin/Agenda behavior, but detection is challenging because of the customizability, obfuscation, and log-cleaning tactics used by Qilin and its affiliates. Robust endpoint protection, anomaly detection, network segmentation, and security monitoring are therefore crucial.
What are good early indicators or IOCs for Qilin infiltration?
Some useful indicators include:
- Unusual external connections to rare or new hosts (especially domains in .ru or rare TLDs).
- Sudden attempts to access or enumerate backup or domain controllers.
- Execution of unknown or renamed binaries (e.g. “w.exe”) with command-line arguments.
- Deletion / clearing of system event logs.
- Use of proxy or SOCKS malware (e.g. SystemBC) to tunnel traffic.
- Unusual scanning or lateral movement activity in the network.
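Added example, not part of the original page and not Vectra's own detection logic: a small Python triage rule set that scans a constructed Windows event-log export for three of the indicators above (and the defense-evasion and lateral-movement stages of the attack method): event-log clearing, execution of an unknown binary such as “w.exe” with command-line arguments, and one source touching many hosts' admin shares. The event IDs, the trusted-directory allow-list, the fan-out threshold, the sample records and the “<placeholder-args>” value are all assumptions made for the example.

```python
import json
from collections import defaultdict

PROCESS_CREATE, SEC_LOG_CLEARED, SYS_LOG_CLEARED, SHARE_ACCESS = 4688, 1102, 104, 5140  # Windows event IDs
# Assumption: expected binaries run from these directories; anything else started with arguments is suspect.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
FAN_OUT_THRESHOLD = 3  # distinct hosts one source reaches over SMB before alerting

# Constructed sample export (one JSON event per line); "<placeholder-args>" stands in for real arguments.
SAMPLE_LOG = r"""
{"host":"WS07","event_id":4688,"image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"host":"WS07","event_id":4688,"image":"C:\\Users\\Public\\w.exe","cmdline":"w.exe <placeholder-args>"}
{"host":"FS01","event_id":5140,"src_ip":"10.0.5.23","share":"\\\\*\\ADMIN$"}
{"host":"FS02","event_id":5140,"src_ip":"10.0.5.23","share":"\\\\*\\ADMIN$"}
{"host":"DC01","event_id":5140,"src_ip":"10.0.5.23","share":"\\\\*\\ADMIN$"}
{"host":"WS07","event_id":1102,"subject":"WS07\\admin"}
this line is deliberately malformed and must be skipped
"""

def parse_events(text):
    """Parse one JSON event per line; blank or malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def triage(text):
    """Return (rule, where, detail) findings for the Qilin early indicators."""
    findings = []
    share_targets = defaultdict(set)  # source IP -> hosts whose shares it touched
    for ev in parse_events(text):
        eid, host = ev.get("event_id"), ev.get("host", "?")
        if eid in (SEC_LOG_CLEARED, SYS_LOG_CLEARED):
            findings.append(("log_cleared", host, f"event {eid}"))
        elif eid == PROCESS_CREATE:
            image = ev.get("image", "").lower()
            args = ev.get("cmdline", "").split()[1:]  # anything after the executable name
            if args and not image.startswith(TRUSTED_DIRS):
                findings.append(("unknown_binary_with_args", host, image))
        elif eid == SHARE_ACCESS:
            share_targets[ev.get("src_ip", "?")].add(host)
    for src, hosts in share_targets.items():
        if len(hosts) >= FAN_OUT_THRESHOLD:
            findings.append(("smb_fan_out", src, f"{len(hosts)} hosts"))
    return findings
```

Running `triage(SAMPLE_LOG)` yields one finding per rule; in practice the allow-list and threshold must be tuned to the environment so that normal administration does not trip the SMB fan-out rule.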
How should organizations prepare to resist a Qilin attack?
Some defense strategies include:
- Strong authentication and credential hygiene (multi-factor, least privilege, credential vaulting).
- Patching and vulnerability management (especially for public-facing apps, backup software, VPNs).
- Network segmentation and isolation of critical systems (esp. backups).
- Monitoring for anomalous behavior (unusual connections, scanning, new binaries).
- Frequent, immutable backups (including off-network, air-gapped copies).
- Incident response planning and exercises (including tabletop drills).
- Use of a Threat Detection and Response solution with behavior-based detection rather than relying purely on signatures.
- Threat intelligence and threat hunting focused on indicators of Qilin affiliates.
What is the timeline of a typical Qilin attack from compromise to impact?
While timelines vary by victim and affiliate, the pattern often involves: initial compromise (via RDP / exploit / phishing), lateral movement & reconnaissance over hours to days, exfiltration of sensitive data, then rapid encryption of systems, followed by ransom demands. Some campaigns deploy encryption within hours after compromise, especially when automation is high.
Can victims negotiate or pay Qilin safely?
Negotiation is common in ransomware, including Qilin. However, paying carries risks: non-delivery of decryption keys, further extortion, leakage despite payment, or further compromise. Some affiliates or operators may honor deals, but there’s no guarantee. Victims should assess legal, reputational, and operational risks carefully, and ideally engage experienced incident response and legal counsel.
Is a public decryptor available for Qilin / Agenda?
Based on currently published open sources, no public decryptor is known to reliably decrypt Qilin-encrypted data without payment.
How does Qilin compare to other ransomware groups (e.g. LockBit, Black Basta)?
Qilin is unique in its high degree of affiliate flexibility, promotional features (e.g. “call lawyer” in panel), and rapid growth. It has absorbed affiliates displaced by disruptions in other RaaS operations (e.g. after LockBit’s disruptions). It tends toward opportunistic targeting rather than highly tailored, state-level operations.
What are warning signs (red flags) in threat intelligence or dark web chatter?
- Affiliate recruitment posts for Qilin on underground forums.
- New blog posts or victim leaks published on a Qilin leak site.
- New versions of Qilin ransomware binaries (e.g. in Rust) showing up in malware repositories.
- Public reports of large-scale Qilin campaigns or claims of dozens to hundreds of victims.