Executive Summary
In the endless chess game of cybersecurity, the Russian-speaking QILIN (formerly Agenda) group has just made a checkmate-worthy move. In 2025, it’s the most active ransomware operation worldwide. Like the mythical Chinese Qilin it’s named after, this malware is powerful, adaptable, and unfortunately—very real.
And yes—before diving into the weeds—let’s acknowledge the irony: naming your ransomware after a symbol of “peace and prosperity” is either top-tier trolling or some dark attempt at branding. Either way, it’s working far too well.
The Rise of the Dragon: QILIN’s Meteoric Ascent
QILIN didn’t stumble into dominance; it engineered it. The group began as Agenda ransomware in July 2022, then rebranded to QILIN in September that year with a full architectural migration from Golang to Rust. That move wasn’t cosmetic—it marked a technical revolution.
Key Milestones
$50+ million in confirmed ransom payments (2024)
1,700+ attacks with FBI-estimated revenue of $91M (likely underreported)
Operations spanning 25+ countries across six continents
Three consecutive months leading global ransomware activity (May–July 2025)
Like a Silicon Valley startup (albeit an evil one), QILIN runs a slick Ransomware-as-a-Service (RaaS) model:
Affiliate programs with 80–85% revenue sharing
24/7 “legal support” (yes, there’s a “Call Lawyer” button)
In-house “journalists” for extortion campaigns
Automated propagation and negotiation tooling
QILIN is less a ransomware gang and more a criminal SaaS company with a very dark business model.
The Numbers Don’t Lie: QILIN’s Market Dominance
2025 Landscape

Source: ransomware.live
QILIN is officially the dragon at the top of the food chain.
Industry Targeting

Geography

Source: ransomware.live
Technical Architecture: The Devil in the Rust
Core Variants
QILIN.A (2022 – Golang era)
Cross-platform (Windows/Linux)
Basic encryption, limited evasion
QILIN.B (2024–present – Rust era)
A quantum leap in sophistication.
Simplified encryption stack: AES-256-CTR + ChaCha20 + RSA-4096 (OAEP padding)
Encryption Highlights:
AES-256-CTR for speed
ChaCha20 for modern stream cipher performance
RSA-4096 with OAEP for asymmetric key protection
Configurable modes: normal, step-skip, fast, percent
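Output from a stream-cipher mode such as AES-256-CTR or ChaCha20 is indistinguishable from random bytes, so the defender's view of this encryption stack is a sudden jump in file entropy combined with the renamed extensions the report names (.qilin, .agenda). The Python below is an added example, not code from the report or from any vendor it cites; it measures Shannon entropy over a constructed directory snapshot, treats compressed formats as expected high-entropy files to avoid an obvious false positive, and flags a mass-rename ratio. The thresholds, the compressed-extension list and the pseudo-random stand-in for cipher output are assumptions made for the example.

```python
import math
import random
from collections import Counter

# Illustrative thresholds (assumptions, not values from the report).
ENTROPY_ALERT = 7.5            # bits per byte; CTR/ChaCha20 output sits close to 8.0
RANSOM_EXTS = {".qilin", ".agenda"}                       # extensions named in the report
COMPRESSED_EXTS = {".zip", ".7z", ".gz", ".png", ".jpg"}  # legitimately high-entropy formats
MASS_RENAME_RATIO = 0.25       # fraction of files carrying a ransom extension that triggers an alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def classify_file(name: str, data: bytes) -> str:
    """Per-file verdict combining entropy with what the extension tells us."""
    ext = _ext(name)
    high = shannon_entropy(data) >= ENTROPY_ALERT
    if ext in RANSOM_EXTS and high:
        return "ransomware_encrypted"
    if ext in COMPRESSED_EXTS and high:
        return "high_entropy_expected"      # archives and images look random too
    if high:
        return "high_entropy_unexpected"    # worth a look, but not proof on its own
    return "normal"


def assess_snapshot(files: dict) -> dict:
    """Snapshot-level view: per-file verdicts plus the mass-rename signal."""
    verdicts = {name: classify_file(name, data) for name, data in files.items()}
    renamed = sum(1 for name in files if _ext(name) in RANSOM_EXTS)
    ratio = renamed / len(files) if files else 0.0
    return {"verdicts": verdicts, "ransom_ext_ratio": ratio,
            "mass_rename": ratio >= MASS_RENAME_RATIO}


def _pseudo_cipher_output(n: int, seed: int) -> bytes:
    # Stand-in for AES-CTR/ChaCha20 ciphertext so the example runs offline with no
    # crypto library; a seeded PRNG is NOT a cipher, it only has the same entropy profile.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample snapshot: one text file, one archive, two "encrypted" files.
SAMPLE_FILES = {
    "notes.txt": b"The quick brown fox jumps over the lazy dog. " * 100,
    "backup.zip": _pseudo_cipher_output(4096, seed=1),
    "report.docx.qilin": _pseudo_cipher_output(4096, seed=2),
    "invoice.pdf.qilin": _pseudo_cipher_output(4096, seed=3),
}

if __name__ == "__main__":
    result = assess_snapshot(SAMPLE_FILES)
    for name, verdict in result["verdicts"].items():
        print(f"{name:20} entropy={shannon_entropy(SAMPLE_FILES[name]):.2f} -> {verdict}")
    print("mass rename:", result["mass_rename"])
```

Entropy alone is a weak signal, since every archive, image and already-encrypted backup scores near 8.0; the value comes from correlating it with the rename rate and with the rapid file I/O the table's IMPACT row describes.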
Evasion & Anti-Forensics Toolkit:
Process injection
Event log clearing & shadow copy deletion
Self-deletion post-execution
Chrome extension credential theft
Obfuscated APIs & dynamic loading
Tactical Innovations
Legal Warfare – “Call Lawyer” button weaponizes compliance and fines.
Fortinet Exploits – Automation of CVE-2024-21762 & CVE-2024-55591.
Linux Gunra Variant – 100 parallel threads, forensic resistance, stealth mode (no ransom note).
Attack Lifecycle: QILIN’s Playbook
Initial Access: spearphishing, RMM abuse, VPN compromise, public app exploits, MFA fatigue
Privilege Escalation: LSASS dumping, valid account abuse, SMB/RDP traversal, PowerShell AD enumeration
Data Exfil & Encryption: MEGA staging, FTP transfers (>700 GB observed), parallelized encryption (100+ threads Linux variant)
Case Study
In February 2024, QILIN crippled a known UK-based pathology provider:
$50M ransom demand
400 GB of medical data stolen
170 cases of patient harm, including one confirmed death
6,000+ cancelled procedures across NHS hospitals
Adding insult to injury, QILIN issued an apology:
“We are very sorry… Herewith we don’t consider ourselves guilty…”
Yes, the dragon apologized—sort of. A reminder that even cybercriminals know crossing into physical harm risks existential blowback.
End-To-End MITRE Mapping & Detection Opportunities
| Phase | MITRE Technique | Attack Details | Detection Method | Security Control Category | Detection Signatures / Telemetry |
| --- | --- | --- | --- | --- | --- |
| INITIAL ACCESS | T1566.001/002 – Phishing (Malicious Attachments/Links) | Malspam with .zip, .scr, Office macros; links redirect via shorteners → exploit kits | Email header analysis, sandbox detonation, DNS sinkholing | SEG (Secure Email Gateway), CASB, DNS Security | Suspicious attachments (.exe, .scr, .vbs, .js, .iso); URL redirect chains |
| INITIAL ACCESS | T1190 – Exploit Public-Facing Application | Exploitation of Veeam CVE-2023-27532, exposed RDP/web servers | WAF logs, CVE-specific IOC matching, brute-force login monitoring | WAF, IPS, VM (Vulnerability Management) | Abnormal POSTs to /veeam/backup; CISA KEV IOCs; automated exploit headers |
| INITIAL ACCESS | T1133 – External Remote Services | VPN compromise with stolen creds, MFA bypass, session hijacking | VPN log correlation, UEBA login analysis | IAM, SIEM, UEBA | Impossible travel logins; concurrent sessions; multiple login failures |
| INITIAL ACCESS | T1078.002 – Valid Accounts (Domain/Admin) | MFA fatigue, SIM swapping, golden ticket attacks | Kerberos log analysis, privilege escalation monitoring | IAM, UEBA, SIEM | Event ID 4769; MFA push fatigue; new admin group memberships |
| EXECUTION | T1059.001/003 – Command & Scripting Interpreter (PowerShell/CMD) | Discovery, AD enumeration, Safe-Mode persistence | Script block logging (Event ID 4104), Sysmon rules | EDR, SIEM | PowerShell -EncodedCommand; Get-ADUser, Get-ADGroupMember usage |
| EXECUTION | T1569.002 – System Services (Service Execution: PsExec) | Lateral propagation via PsExec | Sysmon Event ID 7045 (service install), network mapping | EDR, SIEM, NDR | Service name PSEXESVC; multi-host service creation/removal |
| DEFENSE EVASION | T1055 – Process Injection | Injection into explorer.exe, svchost.exe | Memory forensics, Sysmon Event ID 8 (CreateRemoteThread) | EDR, Memory Forensics | Hollowed processes; mismatched PE headers; cross-process memory writes |
| DEFENSE EVASION | T1027 – Obfuscated/Encrypted Files/Information | Rust-packed binaries, API obfuscation, junk code | Sandbox detonation, static RE | Sandbox, Reverse Engineering | High-entropy binaries; API import hashing |
| DEFENSE EVASION | T1070 – Indicator Removal on Host | Log clearing, self-deletion | Event log tampering detection, forensic timeline analysis | SIEM, Forensic Tools | Event ID 1102 (log cleared); sudden log volume drop |
| DEFENSE EVASION | T1490 – Inhibit System Recovery (VSS Deletion) | vssadmin delete shadows, wmic shadowcopy delete | VSS auditing, registry monitoring | EDR, Backup Monitoring | CLI matches vssadmin & wmic shadow deletion |
| CREDENTIAL ACCESS | T1003.001 – OS Credential Dumping (LSASS) | LSASS memory dumping (Mimikatz, derivatives) | Sysmon Event ID 10 (ProcessAccess), LSASS protection | EDR, Identity Protection | Handles opened to lsass.exe; unsigned processes accessing LSASS |
| CREDENTIAL ACCESS | Browser Stealer – Chrome Credentials | Theft from Chrome profile, extension abuse | File integrity monitoring, extension whitelisting | EDR, FIM, CASB | Access to Login Data SQLite DB; modified manifest.json |
| COLLECTION & EXFILTRATION | T1041 – Exfiltration over C2 Channel (FTP) | >783GB exfiltrated via FTP → 194.165.16[.]13 | NetFlow/DPI, anomaly-based DLP | DLP, NDR, IPS | Large FTP uploads; outbound traffic to blacklisted IP |
| COLLECTION & EXFILTRATION | T1567.002 – Exfiltration to Cloud Storage (MEGA) | Data staged → ~30GB uploads to MEGA | CASB, API call inspection, proxy logs | CASB, DLP | mega.nz connections; cloud storage API overuse |
| COMMAND & CONTROL | T1071.001 – Application Layer Protocol: Web (HTTPS) | Cobalt Strike beacons, SystemBC SOCKS5 proxies | JA3/SNI fingerprinting, beacon timing analysis | NGFW, NDR, Proxy | Known CS JA3 hashes; long-lived TLS with low throughput |
| IMPACT | T1486 – Data Encrypted for Impact | Rust-based encryptor, 100+ threads, .qilin extension | File entropy monitoring, rapid file I/O | EDR, File Integrity Monitoring, DLP | Sudden entropy spike; mass file renaming; ransom notes (README.txt, .qilin, .agenda) |
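Several of the telemetry signatures in the table (vssadmin/wmic shadow deletion, PowerShell -EncodedCommand, Get-AD* cmdlets in Event ID 4104 script blocks, the PSEXESVC service in Event ID 7045, non-allowlisted handles to lsass.exe in Sysmon Event ID 10, and Event ID 1102 log clearing) can be turned directly into detection logic. The Python below is an added example, not code from the report or from any vendor it cites. The event records are constructed to mimic Sysmon, PowerShell, System and Security log fields, and the LSASS allowlist is an assumption that a real deployment would tune to its own environment.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    technique: str
    description: str
    event_index: int


# Patterns lifted from the telemetry column of the MITRE table above.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.I)   # -EncodedCommand and its aliases
AD_ENUM = re.compile(r"\bGet-AD(User|Group|GroupMember|Computer)\b", re.I)

# Assumed allowlist of processes that legitimately open LSASS; tune per environment.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def detect(events):
    """Apply the table's rules to a list of event dicts; findings come back in log order."""
    findings = []
    for i, ev in enumerate(events):
        ch, eid = ev.get("channel"), ev.get("event_id")
        if ch == "Sysmon" and eid == 1:                       # process creation
            cmd = ev.get("CommandLine", "")
            if SHADOW_DELETE.search(cmd):
                findings.append(Finding("T1490", "shadow copy deletion via vssadmin/wmic", i))
            if "powershell" in ev.get("Image", "").lower() and ENCODED_PS.search(cmd):
                findings.append(Finding("T1059.001", "PowerShell started with an encoded command", i))
        elif ch == "PowerShell" and eid == 4104:              # script block logging
            if AD_ENUM.search(ev.get("ScriptBlockText", "")):
                findings.append(Finding("T1059.001", "AD enumeration cmdlet in script block", i))
        elif ch == "System" and eid == 7045:                  # new service installed
            if ev.get("ServiceName", "").upper() == "PSEXESVC":
                findings.append(Finding("T1569.002", "PsExec service installed", i))
        elif ch == "Sysmon" and eid == 10:                    # process access
            target = ev.get("TargetImage", "").lower()
            source = ev.get("SourceImage", "").lower()
            if target.endswith("\\lsass.exe") and source not in LSASS_ALLOWLIST:
                findings.append(Finding("T1003.001", "non-allowlisted process opened LSASS", i))
        elif ch == "Security" and eid == 1102:                # audit log cleared
            findings.append(Finding("T1070.001", "Security event log cleared", i))
    return findings


def pre_encryption_alert(findings) -> bool:
    """True when recovery inhibition (T1490) coincides with credential dumping or PsExec
    spread, the combination the playbook above places just before encryption."""
    techs = {f.technique for f in findings}
    return "T1490" in techs and bool(techs & {"T1003.001", "T1569.002"})


# Constructed sample telemetry (not real logs); field names follow the Windows/Sysmon schema.
SAMPLE_EVENTS = [
    {"channel": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"channel": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"channel": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"channel": "Sysmon", "event_id": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..."},
    {"channel": "PowerShell", "event_id": 4104,
     "ScriptBlockText": "Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName"},
    {"channel": "PowerShell", "event_id": 4104, "ScriptBlockText": "Get-Date -Format yyyy-MM-dd"},
    {"channel": "System", "event_id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"channel": "Sysmon", "event_id": 10, "SourceImage": r"C:\Users\Public\update.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"channel": "Sysmon", "event_id": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"channel": "Security", "event_id": 1102, "SubjectUserName": "svc_backup"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"event[{f.event_index}] {f.technique}: {f.description}")
    print("pre-encryption alert:", pre_encryption_alert(found))
```

The individual rules are deliberately cheap string matches that any SIEM can express; the part worth copying is the correlation in pre_encryption_alert, which escalates only when the T1490 recovery-inhibition signal lines up with credential access or PsExec propagation on the same telemetry stream.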
Defense Digest:
Patch & Harden Systems – Regularly update OS, applications, and firmware to close exploitable vulnerabilities.
Zero Trust Access – Enforce least privilege, MFA, and segmentation to limit lateral movement.
Offline & Immutable Backups – Maintain encrypted, offline/offsite backups with regular recovery testing.
Email & Web Filtering – Block malicious attachments, links, and exploit delivery channels.
Network Segmentation – Isolate critical workloads and restrict SMB/RDP traffic exposure.
Endpoint Protection & EDR – Apply behavior-based defense with automated response capabilities.
User Awareness & Drills – Train employees on phishing/social engineering and conduct tabletop exercises.
Incident Readiness – Have a tested ransomware playbook with defined contacts, containment, and recovery procedures.
Conclusion: The Dragon’s Reign and Our Response
QILIN’s success blends technical excellence, startup-like business ops, and ruthless opportunism. But empires fall—especially when they attract too much light. Healthcare attacks invite nation-state retaliation, and affiliate models leave breadcrumbs.
For defenders, the path forward is clear:
Hunt proactively across the kill chain
Share intelligence to trace affiliates
Architect with resilience-first principles
Drill responses like lives (and businesses) depend on it—because they do