SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: Qilin (Agenda) Ransomware
Jun 06, 2024
Jun 03, 2026

Dark Web Profile: Qilin (Agenda) Ransomware

[November 27, 2025] “Qilin’s Modus Operandi Before 2026”

[June 21, 2024] “Qilin Started Leaking Synnovis Data”

Qilin, also known as Agenda ransomware, represents a formidable threat in cybercrime. This ransomware, one of the known Ransomware-as-a-Service (RaaS) groups, is designed with adaptability in mind, allowing it to customize attacks based on its victims’ specific environments. Originating from a sophisticated background, Qilin leverages advanced tactics to extort organizations. In 2025, Qilin became the most active ransomware group in terms of attack counts.

Threat Actor Card for Qilin Ransomware

Who is Qilin Ransomware

Qilin ransomware is a sophisticated cyber threat group that has emerged as a significant player in the ransomware landscape. Its name might be derived from the mythical Chinese creature Qilin, which symbolizes its strong and adaptable nature. However, the group is believed to be of Russian origin. This ransomware is distinguished by its advanced techniques, cross-platform capabilities, and targeted attacks, making it a formidable adversary for organizations worldwide.

Depiction of Qilin, Image created by Bing AI

Qilin ransomware first appeared on the cybercrime scene with a distinct approach and high level of sophistication. It has samples written in Go (Golang) and Rust, which are programming languages known for their efficiency and cross-platform compatibility. This allows Qilin to be easily compiled for various operating systems, including Windows and Linux, enhancing its versatility and reach.

In 2022, ransomware variants written in Golang began to stand out on hacker forums. Alongside BianLian, Qilin (Agenda) ransomware is one of the variants mentioned. As translated by Google Translate: “New cross-platform ransomware on Golang gives hackers unlimited possibilities”

The primary objective of Qilin ransomware is financial gain through extortion. It targets organizations across various sectors, with a particular focus on healthcare and education. These sectors are often chosen due to their reliance on critical data and the generally lower levels of cybersecurity compared to more financially-focused industries. By encrypting essential files and demanding a ransom for their decryption, Qilin aims to create significant operational disruptions, compelling victims to pay the demanded ransom to restore their systems.

Modus Operandi

Qilin ransomware has samples written in Go (Golang) and Rust; as mentioned above, both languages are known for their cross-platform capabilities and efficiency. This choice of language allows Qilin to be compiled easily for various operating systems, including Windows and Linux. The ransomware’s ability to tailor attacks to individual victims’ environments makes it particularly dangerous.

Check out our blog post, “Why Ransomware Groups Switch to Rust Programming Language?”

A recruitment post for Qilin in October 2023

The group behaves like a classic Russian ransomware operator: it excludes CIS countries from its targets and posts affiliate recruitment ads on hacker forums.

Initial Infection

Qilin ransomware typically initiates its attack through several primary vectors. One of the most common methods is via phishing emails, which often contain malicious attachments or links. When these are opened by unsuspecting users, they download and execute the ransomware payload. Additionally, Qilin exploits known vulnerabilities in software or operating systems to gain entry. Remote Desktop Protocol (RDP) attacks are another favored tactic, targeting weak or exposed RDP configurations to infiltrate systems.

Payload Delivery

Once Qilin has gained initial access, it employs advanced obfuscation techniques to evade detection. The ransomware code is packed, disguising its true nature to avoid static analysis. Further, Qilin uses various code obfuscation methods, such as renaming functions, altering control flows, and encrypting strings, to complicate reverse engineering efforts. This also makes Qilin difficult to detect with IoCs located lower on the pyramid of pain.

Qilin incorporates anti-analysis techniques, such as detecting and disabling debugging and sandbox environments, making it difficult for security researchers to analyze its behavior. This includes checks for virtual machines and other common sandbox artifacts to prevent dynamic analysis. In other words, this is a typical ransomware attack chain; what sets Qilin apart is how effectively it puts that chain into practice.

Execution and Persistence

Upon successful deployment, Qilin seeks to escalate its privileges to gain administrative control over the infected system. This can involve exploiting system vulnerabilities or using legitimate tools like PowerShell or PsExec to achieve higher-level access. With elevated privileges, Qilin then scans the network for additional targets. It uses network enumeration to identify other systems, shares, and services within the network and employs credential dumping to extract passwords and other authentication details. This enables the ransomware to move laterally across systems, using compromised credentials to infect other machines within the network.

A sample written in Golang uses PsExec for remote execution (JoeSandbox)

Data Encryption

Qilin ransomware employs a robust encryption mechanism that combines symmetric and asymmetric encryption to lock files. Initially, it uses symmetric encryption to encrypt files with a randomly generated key. This symmetric key is then encrypted with a public RSA key, ensuring that only the attackers, who hold the corresponding private RSA key, can decrypt it. Qilin targets a wide range of file types to maximize impact, including documents, databases, and backups, while avoiding critical system files to keep the system operational enough to display the ransom note.

Qilin’s recruitment post details its functionality; the encryption algorithms mentioned are ChaCha20, AES, and RSA-4096

Ransom Note and Extortion

After encryption, Qilin drops a customized ransom note on the infected systems. This note typically includes the demanded payment amount, usually in cryptocurrency, and instructions on how to contact the attackers for payment and decryption. The note often contains threats of data leakage or permanent data loss if the ransom is not paid within a specified timeframe.

Ransom note from a recently uploaded sample (Any.run)

Communication and Payment

Victims are directed to communicate with the attackers via Dark Web portals or encrypted messaging services, ensuring the attackers’ anonymity and complicating law enforcement efforts to track interactions. Payments are demanded in cryptocurrencies, such as Bitcoin or Monero, to maintain anonymity and complicate traceability. Even after payment, there is no guarantee that victims will receive the decryption tools required to recover their data.

Victims are instructed to download the Tor Browser and are redirected to the group’s dark web portals (JoeSandbox)

Clean-Up and Cover-Up

To cover their tracks, Qilin ransomware deletes logs and other artifacts that could aid forensic investigations. This includes clearing event logs and removing any temporary files created during the attack. In some instances, Qilin may also include functionality to remove itself from the system after completing its objectives, further complicating post-incident analysis and response.

Qilin’s Modus Operandi Before 2026

While Qilin keeps the classic ransomware playbook described above, its operations in 2025 looked more aggressive, more cross-platform, and more service-driven than before.

Scale and Targeting

By late 2025, Qilin had become one of the most active ransomware operations worldwide. Since January 2025 it has targeted more than 800 victims (by approximate count) across 50+ countries, with a clear focus on manufacturing, technology, financial services, and healthcare.

Current version of Qilin’s data leak site (DLS) in November 2025

Qilin now averages over 40 victims per month, with a spike to about 100 listings on its DLS in June 2025. Sector focus has also shifted in some campaigns. The “Korean Leaks” operation in September 2025 used Qilin to hit at least 25 South Korean financial firms in one month, almost all in asset management, through a single managed service provider.

Initial Access and Lateral Movement

In 2025, incident reports highlight three patterns in particular:

  • Use of compromised valid credentials for VPN and other remote access, often without multi-factor authentication. Cisco notes Qilin cases where attackers used stolen accounts for entry, then moved laterally and exfiltrated data with tools such as Cyberduck.
  • Supply chain attacks through MSPs. The Korean Leaks campaign relied on compromise of one upstream IT or MSP provider, then pushed Qilin to dozens of downstream financial institutions in South Korea in a short time window.
  • Abuse of remote monitoring and management tools. 2025 investigations describe Qilin operators installing or piggy-backing on tools such as AnyDesk, ScreenConnect, Splashtop and other RMM platforms to gain persistence and interactive control across the network.

Once inside, Qilin still follows a familiar path: discovery of domain and shares, credential dumping, and lateral movement using tools like PsExec and RDP, now often wrapped inside these commercial RMM platforms.

Payload Delivery and Evasion

A key evolution in 2025 is Qilin’s use of Linux encryptors on Windows hosts.

Reports show Qilin enabling or installing Windows Subsystem for Linux (WSL) on compromised Windows systems, then running an ELF encryptor inside that environment. This bypasses many Windows-focused EDR tools that only inspect classic PE binaries.

In another documented campaign, Qilin used remote tools such as WinSCP and Splashtop to transfer and launch a Linux-based ransomware binary on Windows machines. The same attack combined this with a bring-your-own-vulnerable-driver (BYOVD) technique to disable defenses, and targeted Veeam backup infrastructure to steal backup credentials before encryption.

Across several 2025 cases, Qilin continues to:

  • Pack and obfuscate its binaries
  • Use loaders such as SmokeLoader and a custom NETXLOADER to stage payloads
  • Wipe Windows event logs and delete shadow copies before or during encryption

These behaviors increase dwell time and hinder forensic work after an incident.
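The behaviours in the bullet list above and in the RMM-abuse pattern described under “Initial Access and Lateral Movement” (an unexpected RMM product, WSL being enabled or used to launch a binary, shadow copy deletion, event log clearing) are all visible in ordinary process-creation telemetry. As an added example, not code from the original post or from SOCRadar, the Python script below runs one simple rule per behaviour over constructed events and then correlates the hits per host, so that a single RMM install stays low priority while the full chain on one host is escalated. The event lines, host and user names, the approved-RMM policy, and the simplified Sysmon-style field names are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
# Hosts, users, paths and command lines are assumptions built for this example,
# not telemetry from a real Qilin incident.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T02:11:05Z", "host": "FS01", "user": "CORP\\svc-backup",
     "image": r"C:\Users\svc-backup\AppData\Local\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --silent"},
    {"ts": "2025-09-01T02:14:40Z", "host": "FS01", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\dism.exe",
     "cmdline": "dism.exe /online /enable-feature "
                "/featurename:Microsoft-Windows-Subsystem-Linux /all /norestart"},
    {"ts": "2025-09-01T02:20:12Z", "host": "FS01", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\wsl.exe",
     "cmdline": "wsl.exe -e /mnt/c/ProgramData/update/agent"},
    {"ts": "2025-09-01T02:21:03Z", "host": "FS01", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-09-01T02:21:09Z", "host": "FS01", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    # Benign activity on a helpdesk workstation: the sanctioned RMM client and a
    # read-only event log query. Neither should raise a finding.
    {"ts": "2025-09-01T09:00:00Z", "host": "WS-HELPDESK7", "user": "CORP\\jdoe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"ts": "2025-09-01T09:05:00Z", "host": "WS-HELPDESK7", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe qe Application /c:5"},
]

# Constructed policy: the organisation sanctions exactly one RMM product. Any other
# RMM product in process telemetry is worth a look (the text names AnyDesk,
# ScreenConnect and Splashtop as products operators piggy-back on).
RMM_KEYWORDS = ("anydesk", "screenconnect", "splashtop")
APPROVED_RMM = {"screenconnect"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_unapproved_rmm(ev):
    """An RMM product appears in the image path but is not on the approved list."""
    image = ev["image"].lower()
    for kw in RMM_KEYWORDS:
        if kw in image:
            return kw not in APPROVED_RMM
    return False


def rule_wsl_enable_or_exec(ev):
    """WSL being enabled via DISM, or wsl.exe launching anything at all (the text
    describes ELF encryptors run from inside WSL on Windows hosts)."""
    name, cmd = basename(ev["image"]), ev["cmdline"].lower()
    if name == "wsl.exe":
        return True
    return name == "dism.exe" and "microsoft-windows-subsystem-linux" in cmd


def rule_shadow_copy_deletion(ev):
    """Volume Shadow Copy removal through vssadmin or wmic (T1490)."""
    name, cmd = basename(ev["image"]), ev["cmdline"].lower()
    if name == "vssadmin.exe":
        return re.search(r"delete\s+shadows", cmd) is not None
    if name == "wmic.exe":
        return "shadowcopy" in cmd and "delete" in cmd
    return False


def rule_event_log_clear(ev):
    """wevtutil clearing a log; read-only verbs such as qe or el are left alone."""
    name, cmd = basename(ev["image"]), ev["cmdline"].lower()
    return name == "wevtutil.exe" and re.search(r"\s(cl|clear-log)\s", f" {cmd} ") is not None


RULES = {
    "unapproved_rmm": rule_unapproved_rmm,
    "wsl_enable_or_exec": rule_wsl_enable_or_exec,
    "shadow_copy_deletion": rule_shadow_copy_deletion,
    "event_log_clear": rule_event_log_clear,
}


def evaluate(events):
    """Run every rule over every event; one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for rule_name, rule in RULES.items():
            if rule(ev):
                findings.append({"rule": rule_name, "host": ev["host"],
                                 "user": ev["user"], "ts": ev["ts"]})
    return findings


def triage_by_host(findings):
    """Escalate by how many distinct behaviours co-occur on one host: a lone RMM
    install is often an admin at work, while RMM plus WSL plus backup and log
    tampering on the same host is the chain the text describes."""
    rules_per_host = defaultdict(set)
    for f in findings:
        rules_per_host[f["host"]].add(f["rule"])
    severity = {1: "medium", 2: "high"}
    return {host: {"severity": severity.get(len(rules), "critical"),
                   "rules": sorted(rules)}
            for host, rules in rules_per_host.items()}


if __name__ == "__main__":
    for host, verdict in triage_by_host(evaluate(SAMPLE_EVENTS)).items():
        print(f"{host}: {verdict['severity']} -> {', '.join(verdict['rules'])}")
```

Run as-is, the script reports FS01 as critical with all four behaviours and stays silent on the helpdesk workstation, because the ScreenConnect client is the sanctioned product and the wevtutil call there only queries a log. The per-host correlation is the design choice worth copying: each rule on its own generates routine admin noise, but the combination within a short window is what distinguishes the 2025 Qilin pattern from day-to-day operations.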

Ransomware-as-a-Service and Extortion Practices

Qilin has grown into a mature RaaS platform with a rich affiliate panel and constant feature updates.

Qilin today operates beyond a traditional RaaS group. With projects like “Wikileaks2,” ties to state-backed APT affiliates, and occasional political messaging, the line between cybercrime and state activity looks increasingly blurred. Qilin added support for spam campaigns, DDoS attacks, automated propagation inside victim networks, and even automated ransom negotiation logic directly in the panel. It also offers in-panel data storage for stolen data so affiliates do not need separate cloud storage.

Qilin’s blog, named WikiLeaks2

In June 2025, Qilin advertised a “Call lawyer” feature that lets affiliates summon legal counsel inside the negotiation interface. That aims to increase psychological pressure on victims and push ransom amounts higher by introducing formal legal risk into the talks.

The Korean Leaks campaign shows how Qilin-driven operations now mix classic double extortion with information operations. Ransom notes and leak-site posts in that campaign used political and systemic messages about South Korea’s financial system, then later shifted back to standard financial extortion as the operators retired the Korean Leaks branding.

Despite these changes, the core impact on victims remains the same. Qilin continues to steal large data sets for extortion, encrypts files using strong hybrid cryptography, removes logs and backups wherever possible, and then pressures victims through its leak site and direct negotiation channels, usually over Tor and secure messengers.

Victimology

Heading into 2026, Qilin had claimed more than 1,000 victims on its leak site, showing that it operates at large scale and targets many regions and industries.

The group focuses most heavily on organizations in North America and Western Europe. The United States appears most often in victim listings, followed by countries such as Canada, the United Kingdom, France, and Germany. There are also many cases in other parts of Europe and a growing number of victims in Asia.

Top 10 Most Targeted Countries by Qilin

From an industry view, Qilin leans toward private companies in high-value sectors. Manufacturing stands out as the most frequent target, with professional and scientific services close behind. Wholesale and logistics firms also appear often, which fits Qilin’s focus on disrupting supply chains and time-sensitive operations.

Top 10 Most Targeted Industries by Qilin

Qilin does not ignore “soft” targets either. There is a steady stream of attacks on healthcare providers, financial institutions, educational organizations, construction, and retail. Government and public services show up as well, although less often than core commercial sectors.

Over time, victim numbers grew sharply through 2024 and 2025. Qilin now often publishes dozens of new names on its leak site every month, with clear spikes where coordinated campaigns hit many organizations in the same country or vertical at once.

One of the Biggest Threats to the Healthcare Industry

In one recorded incident, UK healthcare providers fell victim to Qilin, with severe knock-on effects. According to Ciaran Martin, the former chief executive of the National Cyber Security Centre, a Russian cyber hacking group was responsible for a ransomware attack that severely disrupted operations at three London hospitals. The attack targeted the pathology services firm Synnovis, leading to a significant reduction in hospital capacity. Hospitals declared a critical incident, resulting in cancelled operations, tests, and blood transfusions.

The group behind the attack was Qilin. The attack impacted several hospitals, including King’s College Hospital, Guy’s and St Thomas’, Royal Brompton, and Evelina London Children’s Hospital, as well as primary care services in the capital. It should also be noted that Qilin’s DLS website had been inaccessible for a long time at that point, and there was no statement from the group.

Qilin Started Leaking Synnovis Data

Qilin was aiming to extort a substantial ransom from the company. Reports indicate that Qilin is demanding a staggering $50 million from Synnovis for decryption tools and a promise not to publish the data. However, in a series of media interviews, the Qilin ransomware gang has claimed that their attack on the hospitals was not financially motivated but rather a protest against the British government’s involvement in an unspecified war.

Qilin’s victim listing of Synnovis

With no agreement reached, the Qilin group began a massive leak on its Telegram channels. After the June 20 deadline passed, Qilin started sharing nearly 400GB of purported Synnovis data, divided into more than 100 parts, on its Telegram channel.

104 parts of alleged Synnovis data have been shared on Qilin’s Telegram channel

Mitigation and Protection

As cyber threats continue to evolve, organizations must adopt a multifaceted approach to cybersecurity, especially in defending against ransomware attacks like Qilin. Leveraging advanced security tools and implementing proactive strategies are imperative in fortifying digital defenses.

  • Robust Anti-Malware Solutions: Implementing advanced anti-malware software is essential in combating Qilin ransomware. These tools use signature-based detection, heuristic analysis, and machine learning algorithms to identify and block known and emerging ransomware variants. Coupled with endpoint detection and response (EDR) solutions, organizations can enhance real-time threat detection and response capabilities.
  • Regular Security Audits and Vulnerability Management: Conducting routine security audits and vulnerability assessments is critical to identifying and addressing potential security gaps within an organization’s infrastructure. By systematically evaluating network configurations, system settings, and application vulnerabilities, organizations can proactively remediate weaknesses exploited by Qilin ransomware attackers.
  • Strong Authentication and Access Controls: Enforcing strong authentication mechanisms like Multi-Factor Authentication (MFA) and implementing stringent access controls significantly enhances user account security and mitigates the risk of unauthorized access. This adds an extra layer of protection against Qilin ransomware attacks targeting user credentials.
  • Comprehensive Backup and Disaster Recovery Planning: Developing a robust Backup and Disaster Recovery (BDR) plan is essential in mitigating the impact of Qilin ransomware attacks and ensuring business continuity. Regular backup schedules for critical data, both onsite and offsite, along with backup testing and data recovery drills, validate the effectiveness of the BDR plan and ensure timely restoration of operations in case of an attack.

By integrating these security measures and proactive strategies into their cybersecurity framework, organizations can significantly enhance their resilience against ransomware threats and safeguard their sensitive data assets effectively. Adopting a proactive and holistic approach to cybersecurity is essential in mitigating the evolving threat landscape and maintaining a robust defense posture against ransomware attacks.

Conclusion

Qilin (Agenda) ransomware represents a significant threat due to its adaptability and sophisticated attack methods. Organizations must remain vigilant and proactive in their cybersecurity efforts to defend against such advanced threats. By understanding the tactics and techniques employed by Qilin, organizations can better prepare and protect themselves from this formidable ransomware.

MITRE ATT&CK TTP Table

Tactic | Technique | ID
Initial Access | Valid Accounts | T1078
Initial Access | Phishing | T1566
Initial Access | Exploit Public-Facing Application | T1190
Execution | Scheduled Task/Job | T1053
Execution | Command and Scripting Interpreter | T1059.003
Execution | PowerShell | T1059.001
Persistence | Boot or Logon Initialization Scripts | T1037
Privilege Escalation | Exploitation of Vulnerabilities | T1068
Privilege Escalation | Abuse Elevation Control Mechanism | T1548
Defense Evasion | Process Injection | T1055
Defense Evasion | Rootkit | T1014
Defense Evasion | Exploitation for Defense Evasion | T1211
Defense Evasion | Execution Guardrails | T1480
Defense Evasion | Virtualization/Sandbox Evasion | T1497
Defense Evasion | Obfuscated Files or Information | T1027
Credential Access | OS Credential Dumping, LSASS Memory | T1003, T1003.001
Discovery | System Information Discovery | T1082
Discovery | Application Window Discovery | T1010
Discovery | Network Service Scanning | T1046
Discovery | Remote System Discovery | T1018
Lateral Movement | Remote Services, Remote Desktop Protocol, SSH | T1021, T1021.001, T1021.004
Lateral Movement | Lateral Tool Transfer | T1570
Execution | System Services: Service Execution | T1569.002
Collection | Data from Local System | T1005
Exfiltration | Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth | T1011, T1011.001
Command and Control | Data Obfuscation, Junk Data | T1001, T1001.001
Impact | Data Encrypted for Impact | T1486
Impact | Data Destruction | T1485
Impact | Inhibit System Recovery | T1490
Impact | Disk Wipe | T1561.001

How Can SOCRadar Help?

To stay resilient against a group like Qilin, organizations must move beyond basic defenses and adopt an intelligence-led security posture. Start by assessing exposure and monitoring both internal and external risks. Use SOCRadar Labs – Dark Web Report for a quick, free check of whether your domain appears in underground spaces.

Continuously monitor underground forums, ransomware leak sites and Tor portals for mentions of your organization. Because ransomware groups publish victim data to increase pressure, early detection of leaks matters for containment and response. SOCRadar’s Dark Web Monitoring keeps watch over those spaces and alerts you to emerging postings so you can act fast.

SOCRadar’s Dark Web Monitoring

Identify and mitigate exposed services such as RDP, VPN endpoints and vulnerable web applications that ransomware actors frequently exploit for initial access. Proactive asset discovery reduces the chance of intrusion. That capability is available through SOCRadar’s Attack Surface Management, which helps map internet-facing assets and prioritize fixes.

Track your brand and digital footprint to detect impersonation, phishing campaigns or fraudulent domains that attackers use to trick employees and partners. Rapid detection of lookalike sites and credential-phishing infrastructure narrows the window for social-engineering attacks. Use SOCRadar’s Digital Risk Protection to spot these threats early.

SOCRadar’s Digital Risk Protection

With SOCRadar’s Ransomware Intelligence tab, defenders gain updated IoCs, YARA rules and contextual analysis that translate alerts into action. Combine these insights with active monitoring and attack surface reduction to detect, investigate and respond before an incident escalates.