DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.


Qilin

Also known as: Agenda, Qilin Ransomware Group

Status: Active. Sophistication: Advanced. Origin: Unknown (suspected Russia or Eastern Europe based on language artifacts and operational security practices).

Profile generated with AI assistance — review before citing.

Campaigns: 0 | Techniques: 31 | IOCs: 5 | Tools: 14 | Matches: 0 | Infrastructure: 7

Overview

Qilin (also tracked as Agenda) is a ransomware-as-a-service (RaaS) operation first observed in mid-2022, with activity escalating through 2023 and 2024. Its encryptor is highly configurable per victim and exists in both Go and Rust builds (the original Agenda samples were written in Go; Rust builds followed), with variants for Windows, Linux, and VMware ESXi. Qilin runs an affiliate model: the core group maintains the encryptor, the leak site, and the negotiation platform, while recruited affiliates carry out the intrusions.

Qilin has been particularly aggressive against healthcare, manufacturing, critical infrastructure, and education. The most consequential incident to date is the June 2024 compromise of Synnovis, a UK pathology services provider, which severely disrupted NHS hospital and primary-care services across London. The group also targets large organizations globally, favouring victims where operational disruption maximizes leverage.

The encryptor is notable for its speed, for its use of Rust and Go (which complicate static analysis and signature-based detection), and for double extortion: data is stolen before encryption and, if the victim does not pay, published on the group's Tor leak site, often in increments to keep up the pressure. Qilin has extended this to triple extortion, threatening DDoS attacks and contacting victims' customers and partners directly.

Affiliates typically gain initial access through compromised credentials, exploitation of vulnerabilities in VPN and other remote-access appliances (Citrix among them), phishing, and supply-chain compromise. Tradecraft has matured over time: the Qilin.B variant improved encryption and evasion, affiliates increasingly disable or bypass EDR before deployment, and lateral movement and persistence lean on legitimate administrative tooling (RDP, PsExec, WMI, PowerShell) rather than custom implants.

In 2024 a Qilin affiliate was observed stealing credentials stored in Google Chrome: a PowerShell script pushed through a Group Policy logon script collected browser-saved credentials from domain-joined hosts ahead of encryption. This was a credential-harvesting script deployed by the affiliate, not a new build of the ransomware itself. Qilin operations have caused substantial financial and operational damage across industries worldwide, with ransom demands that run into millions of dollars.

Motivations

- Financial gain
- Data theft and extortion
- Disruption of business operations

Target Sectors

- Healthcare and public health
- Manufacturing
- Critical infrastructure
- Financial services
- Education
- Technology services
- Professional services
- Government agencies
- Construction
- Transportation and logistics

Activity Timeline

First Seen

Jul 2022

Last Seen

Jan 2024 (as recorded in this profile; the Overview documents activity through at least mid-2024, so this field lags the narrative)

Quick Facts

Origin: Unknown (suspected Russia or Eastern Europe based on language artifacts and operational security practices)
Sophistication: Advanced
Status: Active

MITRE ATT&CK Techniques

(31)

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

T1529

System Shutdown/Reboot

Shut down or reboot systems to disrupt operations.

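
The Impact techniques above (T1490, T1489) and the file-deletion, defense-impairment and cloud-exfiltration techniques listed under Other below all leave a command-line trail in process-creation telemetry. The following is an added example by the editor, not DFIR Lab tooling or anything recovered from Qilin: it runs a small rule set over constructed log lines shaped like flattened Sysmon Event ID 1 / Security 4688 events, then correlates per host, because a burst of several distinct techniques on one machine within a few minutes is the characteristic pre-encryption pattern. The host names, user names, log format and timestamps are all invented.

```python
"""Command-line detection for the Qilin pre-encryption tradecraft listed on this
page: T1490, T1489, T1070.004, T1562.001 and T1567.002.  Added example by the
editor, not DFIR Lab tooling or Qilin code.  The log lines are constructed to
resemble flattened Sysmon Event ID 1 / Security 4688 process-creation events."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Rule:
    technique: str   # ATT&CK technique ID
    name: str        # short analyst-facing label
    pattern: re.Pattern


RULES = [
    Rule("T1490", "Shadow copies deleted (vssadmin)",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    Rule("T1490", "Shadow copies deleted (wmic)",
         re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("T1490", "Shadow storage shrunk to evict snapshots",
         re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    Rule("T1490", "Windows recovery disabled (bcdedit)",
         re.compile(r"\bbcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    Rule("T1490", "Backup catalog deleted (wbadmin)",
         re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    Rule("T1489", "Service stopped (net/sc)",
         re.compile(r"\b(net1?(\.exe)?|sc(\.exe)?)\s+stop\s+\S+", re.I)),
    Rule("T1070.004", "Event log cleared (wevtutil)",
         re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
    Rule("T1562.001", "Defender real-time monitoring disabled",
         re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)),
    Rule("T1567.002", "rclone transfer to a remote",
         re.compile(r"\brclone(\.exe)?\s+(copy|copyto|sync|move)\b", re.I)),
]

# One event per line: ISO-8601 UTC timestamp, host, user, quoted command line.
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmdline="(?P<cmd>.*)"$')

SAMPLE_LOG = [  # constructed for this example, not from a real incident
    r'2024-06-03T02:14:07Z host=LAB-SRV01 user=LAB\svc_backup cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'2024-06-03T02:14:09Z host=LAB-SRV01 user=LAB\svc_backup cmdline="bcdedit.exe /set {default} recoveryenabled No"',
    r'2024-06-03T02:14:11Z host=LAB-SRV01 user=LAB\svc_backup cmdline="net stop VeeamBackupSvc /y"',
    r'2024-06-03T02:14:15Z host=LAB-SRV01 user=LAB\svc_backup cmdline="wevtutil.exe cl Security"',
    r'2024-06-03T02:15:30Z host=LAB-WS07 user=LAB\jdoe cmdline="powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'2024-06-03T02:20:01Z host=LAB-FS02 user=LAB\svc_backup cmdline="rclone.exe copy D:\Finance remote:drop --transfers 8"',
    r'2024-06-03T02:21:40Z host=LAB-WS07 user=LAB\jdoe cmdline="C:\Windows\System32\svchost.exe -k netsvcs -p"',
    r'2024-06-03T02:22:00Z host=LAB-SRV01 user=LAB\admin cmdline="vssadmin.exe list shadows"',
]


def parse_line(line: str):
    """Return the event fields as a dict, or None if the line is not an event."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_rules(cmdline: str) -> list[Rule]:
    """All rules whose pattern appears in the command line (read-only 'list' never fires)."""
    return [r for r in RULES if r.pattern.search(cmdline)]


def detect(lines) -> list[dict]:
    """One alert per (event, rule) pair, in log order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in match_rules(ev["cmd"]):
            alerts.append({**ev, "technique": rule.technique, "rule": rule.name})
    return alerts


def _ts(alert: dict) -> datetime:
    return datetime.fromisoformat(alert["ts"].replace("Z", "+00:00"))


def staged_hosts(alerts, window_s: int = 300, min_techniques: int = 2) -> dict:
    """Hosts on which at least `min_techniques` distinct techniques fired inside
    any `window_s`-second window.  Recovery inhibition, service stops and log
    clearing chained within minutes is the pre-encryption signature; one rule
    alone is routinely benign admin activity.  Returns {host: sorted IDs}."""
    by_host: dict[str, list[dict]] = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    flagged: dict[str, list[str]] = {}
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        start = 0
        for end in range(len(evs)):
            while (_ts(evs[end]) - _ts(evs[start])).total_seconds() > window_s:
                start += 1
            techs = {a["technique"] for a in evs[start:end + 1]}
            if len(techs) >= min_techniques:
                flagged[host] = sorted(techs | set(flagged.get(host, [])))
    return flagged


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["host"]:<10} {a["technique"]:<10} {a["rule"]}')
    print("hosts in pre-encryption stage:", staged_hosts(found))
```

On the sample, the single-rule view fires six times across three hosts, but only LAB-SRV01 meets the correlation threshold (three distinct techniques in eight seconds); the isolated Defender change on LAB-WS07 and the rclone run on LAB-FS02 stay as single alerts to triage. The rules deliberately match command-line strings only, so renamed binaries or LOLBins invoked through unusual paths need image-hash or parent-process rules on top.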
Other

T1070.004

Indicator Removal: File Deletion

Delete tooling, scripts, or the ransomware binary itself after execution to hinder forensics.

T1567.002

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Upload stolen data to cloud storage (for Qilin, typically via RClone) before encryption.

T1562.001

Impair Defenses: Disable or Modify Tools

Disable or tamper with EDR and antivirus components before deploying the encryptor.

T1135

Network Share Discovery

Enumerate SMB shares to locate data to steal and encrypt.

T1560.001

Archive Collected Data: Archive via Utility

Compress collected data with an archiving utility before exfiltration.

T1057

Process Discovery

List running processes, typically to identify security products and services to terminate.

T1033

System Owner/User Discovery

Identify the logged-on user and their privilege level.

T1069

Permission Groups Discovery

Enumerate local and domain groups to find privileged accounts.

T1007

System Service Discovery

Enumerate installed services, including backup and security services.

T1016

System Network Configuration Discovery

Collect IP configuration, routes, and DNS settings.

T1497

Virtualization/Sandbox Evasion

Check for analysis environments before detonating.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

Initial Access

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1566

Phishing

Send deceptive messages to trick victims into executing malicious content.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

Discovery

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Tools & Malware

(14)

Qilin Ransomware (Rust variant)

malware (malicious)

Rust build of the Qilin/Agenda encryptor, with Windows, Linux, and VMware ESXi variants.

Qilin Ransomware (Golang variant)

malware (malicious)

Go build of the encryptor; the original Agenda samples from 2022 were written in Go.

Cobalt Strike

framework (commercial red-team tool, abused)

Post-exploitation framework used by affiliates for command and control and lateral movement.

Mimikatz

credential-access tool (open source, abused)

Used to dump credentials from LSASS memory (T1003.001).

PowerShell scripts

attacker-authored scripts (malicious)

Used for execution and automation (T1059.001); in the 2024 Chrome credential-harvesting intrusion, a PowerShell script was pushed via a Group Policy logon script.

PsExec

legitimate tool (Sysinternals, abused)

Used for remote execution and lateral movement over SMB admin shares.

Remote Desktop Protocol (RDP)

legitimate protocol (built into Windows, abused)

Not malware: affiliates use RDP with stolen credentials for lateral movement (T1021.001).

Windows Management Instrumentation (WMI)

legitimate component (built into Windows, abused)

Not malware: affiliates use WMI for remote command execution (T1047).

Data exfiltration tools

generic category

Tooling used to stage and move stolen data; RClone below is the named example on this page (T1567.002).

Custom encryption tools

generic category

Overlaps with the ransomware entries above; no separate tool is named on this page.

Network scanning utilities

generic category

Used for host and share discovery (T1018, T1135); no specific scanner is named on this page.

Qilin.B

malware (malicious)

Enhanced variant of Qilin ransomware with improved encryption and evasion capabilities.

RClone

legitimate tool (abused)

Cloud storage synchronization tool abused for data exfiltration.

AdFind

legitimate tool (abused)

Active Directory reconnaissance tool used for network enumeration.

Indicators of Compromise

(5)
IOC values are defanged for safety.

Type | Value | Notes
domain | qilinleaks[.]com | Known Qilin ransomware leak site domain
hash | 5d56c4d8c097d4d1e8f6d3e4c2b1a8f9e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2 | SHA-256 of a Qilin ransomware sample. Labelled by the source as an example representative hash: a placeholder, not an observed sample. Do not load it into detection.
hash | a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2 | SHA-256 of the Qilin Golang variant. Same caveat: placeholder value, not an observed sample.
domain | agendaleaks[.]com | Alternative leak site domain associated with Qilin/Agenda
url | hxxp[://]qilinrnsmx[.]onion | Tor-based negotiation portal (defanged). As printed the host label is 10 characters; a resolvable v3 onion address has 56 base32 characters before .onion, so treat this value as truncated or illustrative.
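
Before any of the indicators above go into a blocklist or SIEM watchlist they should be refanged and format-checked, because this table mixes real-looking leak-site domains with values its own notes describe as examples. The following is an added example by the editor, not DFIR Lab tooling: it handles the common defanging conventions (`[.]`, `[[.]]`, `hxxp`, `[://]`), validates DNS names, SHA-256 strings and v3 onion addresses, and refuses to mark a row loadable when the notes call it an example or placeholder. The rows are copied from the table on this page; the rule that a `.onion` host must be 56 base32 characters is the Tor v3 address format, not threat intelligence.

```python
"""Refang and sanity-check the defanged IOCs from this page before loading them
into detection.  Added example by the editor, not DFIR Lab tooling.  Validation
here is format-only: a row that passes is well-formed, not confirmed malicious."""
import re

# Rows copied from the IOC table on this page: (type, defanged value, notes).
IOCS = [
    ("domain", "qilinleaks[.]com", "Known Qilin ransomware leak site domain"),
    ("hash", "5d56c4d8c097d4d1e8f6d3e4c2b1a8f9e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2",
     "SHA256 hash of Qilin ransomware sample (example representative hash)"),
    ("hash", "a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2",
     "SHA256 hash of Qilin Golang variant (example representative hash)"),
    ("domain", "agendaleaks[.]com", "Alternative leak site domain associated with Qilin/Agenda"),
    ("url", "hxxp[://]qilinrnsmx[.]onion", "Tor-based negotiation portal (defanged)"),
]

# RFC 1035-style hostname: dot-separated labels of 1-63 chars, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Tor v3 onion: 56 base32 chars then .onion (v2 16-char addresses were retired in 2021).
ONION_RE = re.compile(r"^[a-z2-7]{56}\.onion$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
PLACEHOLDER_RE = re.compile(r"\b(example|representative|placeholder)\b", re.I)


def refang(value: str) -> str:
    """Undo the usual defanging conventions: [.], [[.]], (.), hxxp, [://], [:]//, [@]."""
    v = value.strip()
    v = v.replace("[[.]]", ".").replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^hxxp", "http", v, flags=re.I)      # hxxp -> http, hxxps -> https
    v = v.replace("[://]", "://").replace("[:]//", "://")
    return v.replace("[@]", "@")


def check_domain(host: str) -> list:
    """Return a list of problems with a host name (empty list means well-formed)."""
    h = host.lower()
    if h.endswith(".onion"):
        if not ONION_RE.fullmatch(h):
            return ["not a valid v3 onion address (expected 56 base32 chars before .onion)"]
        return []
    return [] if DOMAIN_RE.fullmatch(h) else ["not a syntactically valid DNS name"]


def check_hash(h: str) -> list:
    return [] if SHA256_RE.fullmatch(h.lower()) else ["not a 64-hex-character SHA-256"]


def host_of_url(url: str):
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1) if m else None


def check_ioc(kind: str, value: str, notes: str) -> dict:
    """Refang one row and collect every reason it should not be loaded as-is."""
    refanged = refang(value)
    issues = []
    if kind == "hash":
        issues += check_hash(refanged)
    elif kind == "domain":
        issues += check_domain(refanged)
    elif kind == "url":
        host = host_of_url(refanged)
        issues += check_domain(host) if host else ["no host component in URL"]
    else:
        issues.append(f"unknown IOC type {kind!r}")
    if PLACEHOLDER_RE.search(notes):
        issues.append("notes mark this value as a placeholder, not an observed indicator")
    return {"type": kind, "value": value, "refanged": refanged,
            "loadable": not issues, "issues": issues}


def loadable_iocs(rows) -> list:
    """Rows that are well-formed and not self-described placeholders."""
    return [r for r in (check_ioc(*row) for row in rows) if r["loadable"]]


if __name__ == "__main__":
    for r in (check_ioc(*row) for row in IOCS):
        status = "OK   " if r["loadable"] else "SKIP "
        print(status, r["type"], r["refanged"], "; ".join(r["issues"]))
```

Run against this page, only the two leak-site domains survive: both hashes are rejected because the source itself labels them examples, and the onion URL is rejected because the host as printed cannot be a v3 address. Passing the format check says nothing about whether a domain is still attacker-controlled; the Infrastructure table below records both domains as offline, so they belong in a retrospective hunt, not a live blocklist.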

Infrastructure

(7)
Domain values are defanged for safety.

Domain / Host | Type | Status | Last Checked | Notes
qilinleaks[.]com | domain | offline | Apr 2, 2026 | Known Qilin ransomware leak site domain
agendaleaks[.]com | domain | offline | Apr 2, 2026 | Alternative leak site domain associated with Qilin/Agenda
qilinrnsmx[.]onion | onion | active | Apr 2, 2026 | Tor-based negotiation portal (defanged; host shown is not a full v3 address)
cloudflariz[.]com | domain | offline | Apr 2, 2026 |
bloglake7[.]cfd | domain | offline | Apr 2, 2026 |
mxbook17[.]cfd | domain | offline | Apr 2, 2026 |
mxblog77[.]cfd | domain | offline | Apr 2, 2026 |

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(11)

Qilin Ransomware Analysis - CISA Alert

https://www.cisa.gov/news-events/cybersecurity-advisories

Qilin Ransomware: What You Need to Know - Sophos

https://news.sophos.com/en-us/2023/08/17/qilin-ransomware/

Agenda/Qilin Ransomware Technical Analysis - Trend Micro

https://www.trendmicro.com/en_us/research/22/h/agenda-ransomware.html

Qilin Ransomware Group Analysis - The DFIR Report

https://thedfirreport.com/

MITRE ATT&CK: Ransomware Techniques

https://attack.mitre.org/techniques/T1486/

FBI Flash Alert: Qilin Ransomware

https://www.ic3.gov/Home/IndustryAlerts

Qilin Ransomware: Synnovis Cyberattack Analysis

https://www.ncsc.gov.uk/news/ransomware-attack-affecting-pathology-services

FBI Flash: Qilin Ransomware Indicators of Compromise

https://www.ic3.gov/Media/News/2024/240229.pdf

Group-IB: Qilin Ransomware Deep Dive

https://www.group-ib.com/blog/qilin-ransomware/

Halcyon: Qilin Ransomware Profile

https://www.halcyon.ai/blog/qilin-ransomware-profile

Trend Micro: Qilin Ransomware Analysis

https://www.trendmicro.com/en_us/research/24/f/qilin-ransomware-analysis.html