Who Is the Qilin Ransomware Group and How Do They Operate?
Qilin ransomware attacks are a growing threat, with high-profile incidents and sophisticated tactics. This post breaks down how the group operates, recent breaches linked to them, and what practical steps you can take to reduce risk.
Published August 25, 2025

The Qilin (Agenda) ransomware group has steadily built a reputation as one of the more disruptive forces in the cyber threat landscape since emerging in 2022. Known for targeting a wide range of industries across different regions, their operations have caused major interruptions, exposed sensitive data, and pushed organizations into difficult decisions around ransom negotiations.
Their approach combines technical skill with strategic pressure, often involving system compromise, data theft, and public exposure of victims. As their list of targets grows, so does the urgency for organizations to understand how this group operates. In this blog, we will explore their tactics, recent attacks, and what security teams should take from Qilin’s evolving playbook.
Origin and Background of the Qilin Ransomware Group
The Qilin ransomware group, also known as Agenda, first appeared in 2022. The collective, which may have its roots in Russia, uses the ransomware-as-a-service (RaaS) model, giving affiliates the infrastructure and tools they need to launch attacks in return for a portion of the ransom money.
The group later expanded to Linux and VMware ESXi systems and uses advanced methods to avoid detection.
Qilin Ransomware Group Targeting Overview
| Category | Details |
|---|---|
| Industries Targeted | KELA’s latest report observed a total of 622 victims across multiple sectors. The most affected industries include Professional Services (112), Manufacturing & Industrial Products (98), Healthcare & Life Sciences (67), Engineering & Construction (58), and Consumer & Retail (53). |
| Regions Affected | Qilin continues to target organizations across various continents, with North America being the most frequently attacked region due to its economic potential. |
| Organization Size | Qilin ransomware primarily targets large enterprises and high-value organizations. Ransom demands range from $25,000 to $7 million, with a median demand of $450,000, depending on the size and value of the targeted organization. |
| Victim Selection | The selection process involves affiliates who gain initial access to organizations, prioritizing high-value and potentially less secure targets, and then deploying customizable Qilin ransomware tailored to the victim’s environment. |
Timeline of Activity and Evolution Schedule
- August 2022: The operation is launched and is called "Agenda." This is the first time that Agenda samples have been found.
- September 2022: The group changes its name to Qilin.
- February 2023: Qilin starts its RaaS operations on secret forums.
- December 2023: A Linux version of Qilin is found, designed specifically for VMware ESXi servers. The group becomes more active at the end of 2023.
- June 2024: Qilin is responsible for a major attack on Synnovis, a pathology service provider, causing major disruption to NHS hospitals in London. Qilin begins leaking information from Synnovis after the company fails to make a ransom payment.
- August 2024: Reports indicate that Qilin is targeting information stored in Google Chrome browsers during attacks, suggesting a possible change in data theft tactics.
- October 2024: Qilin updates its payload to "Qilin.B," a new version written in Rust with improved encryption (AES-256-CTR with AES-NI, RSA-4096) and better evasion techniques, including terminating security/backup processes and data self-destruction.
Take Note: The group appears to be changing how it steals data; it has recently been collecting usernames and passwords stored in web browsers such as Chrome. Together with intermittent encryption, new programming languages, cross-platform capability, and improved detection evasion, this shows a group that keeps adapting and growing more dangerous.
Qilin Ransomware: Key Tactics and Methods
The Qilin ransomware group gains access to systems using phishing emails, software or OS vulnerabilities, hacked RDP services, and stolen credentials from underground forums. Once inside, Qilin manually sets up its malware to ensure persistence and prevent its removal. Privilege escalation is achieved through weak system configurations or the use of legitimate admin tools.
- Evasion and lateral movement: Qilin avoids detection by obfuscating code, using anti-analysis techniques, removing indicators, applying registry commands, and restarting systems in Safe Mode. For lateral movement, they use network enumeration, credential theft, and legitimate software tools to spread across the network.
- Data exfiltration and encryption: Qilin uses a double extortion method. Before encrypting data, they exfiltrate sensitive information using tools like FreeFileSync, FileZilla, WinRAR, and WinSCP. Their encryption uses both symmetric and asymmetric techniques to block access. A custom ransom note is then sent to the victim.
- Ransom negotiation and cleanup: The ransom note directs victims to a dark web portal or encrypted chat platform to start a negotiation. Communication is controlled by Qilin, who may offer file decryption as proof. They also delete system logs and other evidence of the attack if the ransom is paid.
- Dark web presence: Qilin’s dark web infrastructure is private and supports both extortion and recruitment. They use Tor to leak data and rely on cybercrime forums to attract affiliates. Their use of double extortion and the RaaS model increases their attack reach.
- Comparison with other groups: Qilin’s tactics closely mirror those of other ransomware groups. Their methods are not unique but show moderate sophistication, including code customization, cross-platform capabilities, and targeted victim selection.
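As an added illustration (not part of the original post or of KELA's tooling), the following Python triage pass flags the behaviours named above in constructed process-creation events: the exfiltration tools the post lists, a Safe Mode boot change, and the killing of security/backup processes. The host names, command lines, regexes and alert threshold are all assumptions.

```python
"""Toy triage pass for the Qilin behaviours described in the post.
All events below are constructed sample data, not real telemetry."""
import re
from collections import defaultdict

# One regex per behaviour from the post (patterns are assumptions, kept deliberately simple).
RULES = {
    # exfiltration tools named in the post
    "exfil_tool": re.compile(r"\b(freefilesync|filezilla|winrar|winscp)\b", re.I),
    # "restarting systems in Safe Mode": a bcdedit safeboot change is the usual way to do that
    "safe_mode_boot": re.compile(r"bcdedit.*safeboot", re.I),
    # Qilin.B "terminating security/backup processes"
    "kill_backup_or_security": re.compile(
        r"(taskkill|net\s+stop).*\b(backup|veeam|vss|defender|edr)\w*", re.I),
}

# A single hit is noisy on its own (admins use these tools too); two distinct
# behaviours on the same host is treated as an alert.  Threshold is an assumption.
ALERT_THRESHOLD = 2

SAMPLE_EVENTS = [  # constructed sample events: host + process command line
    {"host": "ws-17", "cmd": r"C:\Program Files\WinSCP\WinSCP.exe /script=up.txt"},
    {"host": "ws-17", "cmd": "bcdedit /set {default} safeboot network"},
    {"host": "srv-bk", "cmd": "taskkill /F /IM backupagent.exe"},  # hypothetical process name
    {"host": "ws-04", "cmd": r"C:\Program Files\FileZilla FTP Client\filezilla.exe"},
    {"host": "ws-04", "cmd": "notepad.exe notes.txt"},
]


def match_rules(cmd):
    """Return the set of behaviour names whose regex matches this command line."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}


def triage(events, threshold=ALERT_THRESHOLD):
    """Group matched behaviours per host; return hosts with >= threshold distinct behaviours."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= match_rules(ev["cmd"])
    return {host: sorted(tags) for host, tags in per_host.items() if len(tags) >= threshold}


if __name__ == "__main__":
    for host, tags in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(tags)}")
```

Only ws-17 trips the alert here; srv-bk and ws-04 each show a single behaviour and would need correlation with other telemetry before escalation.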
Recent Cyber Attacks
The Qilin ransomware group has been behind numerous cyberattacks since emerging in July 2022. Recent attacks include:
- The Hamilton County Sheriff's Office attack: The Qilin ransomware targeted the Hamilton County Sheriff's Office, disrupting critical law enforcement systems and demanding a ransom for data recovery.
- GSL Electric: Qilin launched a cyberattack against GSL Electric, significantly affecting its operational technology and business continuity.
- Malaysia Airports Holdings Berhad: The ransomware group attacked Malaysia Airports Holdings Berhad, causing interruptions in airport services and compromising sensitive data.
Common Vulnerabilities and Exposures (CVEs) Frequently Exploited by Qilin Ransomware
CitrixBleed (CVE-2023-3519): This exploit for a known vulnerability is frequently used by RansomHub affiliates, who, according to security researchers at Microsoft, have shifted to the RansomHub and Qilin ransomware operations.
Fortinet FortiOS (CVE-2023-27997): This is another exploit frequently used by RansomHub affiliates, potentially linking it to Qilin through the reported shift in operations. Qilin operators also target remote access services, particularly within Fortinet devices, sometimes exploiting older software versions.
Confluence (CVE-2023-22515): This exploit is also frequently used by RansomHub affiliates.
Veeam Backup & Replication (CVE-2023-27532): This flaw lets attackers access encrypted credentials from exposed Veeam software, which can lead to backup system compromise. There’s no confirmed link to Qilin, but public exploit code exists.
Strengthening Your Defense Against Qilin Ransomware
To protect your organization from attacks by the Qilin ransomware group, it’s vital to keep systems updated and use strong authentication like multi-factor authentication (MFA) to block unauthorized access. Network segmentation and least privilege help stop ransomware from spreading, while endpoint detection and response (EDR) tools monitor suspicious activity throughout the attack. Training users with phishing simulations and disabling unnecessary network access reduce entry points and the risk of compromise.
At KELA Cyber, we provide threat intelligence, dark web monitoring, and proactive defense tools that help you detect, track, and respond to ransomware groups like Qilin. Our platform supports your security operations to stay ahead of attacks and protect your critical data and infrastructure.