
Qilin Ransomware


Qilin ransomware (predecessor known as “Agenda”) is a rapidly evolving ransomware-as-a-service (RaaS) operation targeting organizations worldwide. Known for double extortion tactics (encrypting files while also threatening to leak stolen data) Qilin has quickly gained notoriety for its customization, flexibility, and impact on critical infrastructure.

Type: Ransomware
Origin: Unknown
First seen: 1 July, 2022
Last seen: 4 September, 2025


What is Qilin Ransomware?

Qilin operates as a Ransomware-as-a-Service (RaaS) platform, providing criminal affiliates with sophisticated tools and infrastructure to conduct ransomware attacks. It gained popularity by late 2023 and has since become increasingly sophisticated in its operations, amassing over $50 million in ransom payments in 2024 alone and ranking as the most prevalent ransomware in public threat intelligence reports by 2025.

Last year, cybersecurity company Halcyon discovered an improved version of the ransomware that it named Qilin.B. This newer variant demonstrates enhanced capabilities in terms of encryption speed, evasion techniques, and payload delivery mechanisms. What sets Qilin apart from other ransomware families is its focus on operational efficiency and stealth. Once Qilin has gained initial access, it employs advanced obfuscation techniques to evade detection. The ransomware code is packed, disguising its true nature to avoid static analysis.
The group has also demonstrated remarkable adaptability, quickly capitalizing on disruptions to competing ransomware operations to expand their affiliate base and market presence.

Qilin is written in Rust and Go, enabling cross-platform attacks against both Windows and Linux environments. Qilin’s modular design allows attackers to customize payloads, set encryption methods, and configure ransom notes. The ransomware has a professionalized infrastructure, including a data leak site where stolen information is published if victims refuse to pay.


Qilin Malware Victimology

Qilin targets a diverse range of organizations across multiple sectors, with a particular focus on high-value targets that are likely to pay substantial ransoms. In June 2025, the United States remained the primary target of ransomware attacks, recording 235 victims, far surpassing other nations. Canada (24), the United Kingdom (24), Germany (15), and Israel (13) also experienced notable activity.

The threat actors behind Qilin demonstrate a clear preference for:

  • Healthcare Organizations: Hospitals and medical facilities are frequent targets due to their critical nature and limited tolerance for downtime
  • Financial Services: Qilin Ransomware Attack hit a U.S. financial advisory firm on July 1, 2025. The attackers allegedly exfiltrated approximately 340 GB of sensitive data, potentially including confidential financial records, client information, and internal communications.
  • Manufacturing and Industrial Facilities: Critical infrastructure targets that cannot afford extended operational disruptions
  • Educational Institutions: Universities and school districts with valuable research data and personal information
  • Government Agencies: Local and regional government entities with sensitive citizen data
  • Professional Services: Law firms, consulting companies, and other service providers handling confidential client information

The targeting strategy appears to prioritize organizations in developed economies where cyber insurance coverage is common and ransom payment capabilities are higher. The geographical distribution reflects this focus, with North America and Europe representing the majority of victims.

Qilin Ransomware Attack Chain and Technical Details

One of Qilin’s distinctive features is that the executable must be launched with a unique password passed as a command-line argument, which hinders analysis of samples obtained without it.

The community of about half a million users of ANY.RUN’s Interactive Sandbox has submitted and analyzed a number of Qilin’s samples featuring this password input. Let’s view an analysis with a correctly entered password.
View Qilin detonated in the Sandbox

Qilin sample analysis in the Interactive Sandbox

Qilin uses fsutil to change how Windows evaluates symbolic links: R2R:1 enables remote-to-remote and R2L:1 enables remote-to-local symlink evaluation, so the process can follow links that point to remote locations. The commands used are:

fsutil behavior set SymlinkEvaluation R2R:1
fsutil behavior set SymlinkEvaluation R2L:1

Qilin symlink commands in the process tree in the Interactive Sandbox

To conceal the traces of its activity, Qilin clears system logs with a PowerShell script, which complicates detection and forensic analysis of the attack:

Qilin log-wiping PowerShell script

Subsequently, the malware destroys Volume Shadow Copies (VSS) to prevent data recovery without paying the ransom. To do this, the ransomware executes a sequence of commands that manipulate the Volume Shadow Copy Service and delete all existing snapshots. The commands used are:

net start vss
wmic service where name='vss' call ChangeStartMode Manual
vssadmin.exe delete shadows /all /quiet
net stop vss
wmic service where name='vss' call ChangeStartMode Disabled

Qilin also uses commands to prevent failures in cluster services and to propagate through a domain environment via Active Directory (AD). These commands include:

Stop-Cluster -Force

Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName

ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~0.0.1.0'
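The commands above are the kind of process-creation telemetry an EDR or Sysmon pipeline can match on. The following is an added example, not code from ANY.RUN or from the Qilin sample: a small Python detector that tags each of the quoted command lines and flags a host only when the full VSS-destruction sequence appears in order (host names and log lines are constructed).

```python
# Added example (not ANY.RUN's or Qilin's code): rules derived from the command
# lines on this page; host names and log lines are constructed samples.
import re
from collections import defaultdict
# (tag, regex applied to the lowercased command line)
RULES = [
    ("symlink_r2r", re.compile(r"fsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation\s+r2r:1")),
    ("symlink_r2l", re.compile(r"fsutil(\.exe)?\s+behavior\s+set\s+symlinkevaluation\s+r2l:1")),
    ("vss_start", re.compile(r"\bnet(\.exe)?\s+start\s+vss\b")),
    ("vss_startmode", re.compile(r"wmic(\.exe)?\s+service\s+where\s+name='vss'\s+call\s+changestartmode")),
    ("shadow_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all")),
    ("vss_stop", re.compile(r"\bnet(\.exe)?\s+stop\s+vss\b")),
    ("cluster_stop", re.compile(r"stop-cluster\s+-force")),
    ("ad_enum", re.compile(r"get-adcomputer\s+-filter\s+\*")),
    ("rsat_install", re.compile(r"rsat-ad-powershell|rsat\.activedirectory")),
]
# One rule alone can fire on routine administration; the ordered VSS chain
# (start, change start mode, delete snapshots, stop) is the destructive pattern.
VSS_CHAIN = ("vss_start", "vss_startmode", "shadow_delete", "vss_stop")

def tag_line(cmdline):
    """Return every rule tag matching one command line."""
    low = cmdline.lower()
    return [tag for tag, rx in RULES if rx.search(low)]

def analyze(events):
    """events: (host, cmdline) pairs in time order -> per-host verdict."""
    per_host = defaultdict(list)
    for host, cmd in events:
        per_host[host].extend(tag_line(cmd))
    report = {}
    for host, tags in per_host.items():
        pos, in_order = 0, True
        for step in VSS_CHAIN:  # each step must follow the previous one
            try:
                pos = tags.index(step, pos) + 1
            except ValueError:
                in_order = False
                break
        report[host] = {"tags": sorted(set(tags)), "vss_chain": in_order}
    return report

# Constructed sample: WS01 replays the page's sequence, ADMIN02 is benign
SAMPLE_EVENTS = [
    ("WS01", r"C:\Windows\System32\fsutil.exe behavior set SymlinkEvaluation R2R:1"),
    ("WS01", "fsutil behavior set SymlinkEvaluation R2L:1"),
    ("WS01", "net start vss"),
    ("WS01", "wmic service where name='vss' call ChangeStartMode Manual"),
    ("WS01", "vssadmin.exe delete shadows /all /quiet"),
    ("WS01", "net stop vss"),
    ("WS01", "wmic service where name='vss' call ChangeStartMode Disabled"),
    ("WS01", 'powershell.exe -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"'),
    ("ADMIN02", "vssadmin.exe list shadows"),
    ("ADMIN02", "net start vss"),
]
```

Feeding real Sysmon Event ID 1 or EDR process-creation records into analyze() only requires mapping them to (host, command line) pairs.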

Qilin encrypts files, appending an extension composed of a unique set of random characters for each attack. This extension is also included in the name of the ransom note file left in the infected directories.

How Qilin Ransomware Generally Functions

Qilin operates through a sophisticated technical architecture designed for maximum effectiveness and stealth. Adversaries operating the Qilin ransomware adopt a multi-pronged strategy to breach target networks, relying on both misconfigurations and software vulnerabilities.

Common Entry Points:

  • Vulnerability exploitation
  • Exploitation of unpatched VPN appliances and firewalls
  • Compromise of Remote Desktop Protocol (RDP) services
  • Phishing campaigns targeting employee credentials
  • Supply chain compromises through trusted vendor access
  • Exploitation of public-facing web applications
  • Abuse of legitimate remote access tools

Lateral Movement Techniques:

Once inside a network, Qilin employs various techniques to spread:

  • Credential dumping from compromised systems
  • Pass-the-hash and pass-the-ticket attacks
  • Exploitation of Windows vulnerabilities for privilege escalation
  • Living-off-the-land techniques using legitimate system tools
  • Network scanning to identify additional targets
  • Abuse of administrative tools like PowerShell and WMI

Network Persistence:

  • Creation of backdoor accounts and hidden administrative access
  • Installation of remote access tools for persistent connectivity
  • Modification of security policies to maintain access
  • Deployment of additional payloads for redundant access

Advanced Evasion Techniques:

Further, Qilin uses various code obfuscation methods, such as renaming functions, altering control flows, and encrypting strings, to complicate reverse engineering efforts. As a result, static indicators of compromise collected further along the kill chain are of limited value for detecting Qilin.

Anti-Analysis Mechanisms:

To further hinder analysis, Qilin integrates anti-analysis mechanisms designed to identify and disable debugging and sandbox environments. It actively scans for virtual machines and common sandbox artifacts to evade dynamic analysis, preventing security researchers from closely examining its behavior.

Encryption Implementation:

The ransomware implements robust encryption algorithms with the following characteristics:

  • Uses industry-standard AES-256 encryption for file encryption
  • Employs RSA public-key cryptography for key protection
  • Generates unique encryption keys for each infected system
  • Implements secure key management to prevent unauthorized decryption

Communication Infrastructure:

  • Utilizes Tor networks for command and control communications
  • Implements secure communication protocols to protect operator anonymity
  • Maintains redundant infrastructure to ensure operational continuity
  • Uses cryptocurrency payment systems for ransom collection


What Qilin Malware Can Do to an Endpoint Device

When Qilin successfully infiltrates a device, it implements a multi-stage attack process designed to maximize damage while evading detection:

Initial Compromise and Persistence:

  • Establishes persistence mechanisms through registry modifications and scheduled tasks
  • Creates backup access points to maintain access even if primary entry vectors are discovered
  • Disables Windows Defender and other security solutions through privilege escalation

System Manipulation:

Using renamed binaries like upd.exe (a spoof of legitimate AV updaters), Qilin ransomware disables EDR, clears logs, and bypasses detection. The malware might even exploit outdated Carbon Black Cloud sensors to remain hidden.

Credential Harvesting:

Once elevated, Qilin dumps LSASS memory and extracts credentials to facilitate lateral movement across the network. This process allows the ransomware to escalate privileges and access additional systems.

Data Encryption Process:

  • Encrypts files using strong cryptographic algorithms, typically AES-256 with RSA key protection
  • Targets specific file types while avoiding system files necessary for basic OS functionality
  • Appends custom file extensions to encrypted files
  • Drops ransom notes in multiple locations across the infected system
  • Modifies desktop wallpaper to display ransom information

System Degradation:

  • Disables system recovery features including Windows System Restore
  • Deletes shadow copies and backup files to prevent easy recovery
  • Clears event logs to hinder forensic analysis
  • May corrupt or delete system files to increase recovery complexity

Notable Qilin Attacks

The scope of Qilin's operations has grown dramatically. Darktrace investigated network artifacts related to Qilin and identified three probable cases of the ransomware across its customer base between June 2022 and May 2024. By 2025, however, the frequency had increased exponentially, with the group claiming dozens of victims monthly.

A Qilin Ransomware Attack hit a U.S. financial advisory firm on July 1, 2025. The attackers allegedly exfiltrated approximately 340 GB of sensitive data, potentially including confidential financial records, client information, and internal communications. This incident underscores the persistent threat Qilin poses to financial services organizations.

The Qilin ransomware group launched attacks exploiting Fortinet vulnerabilities CVE-2024-21762 and CVE-2024-55591 between May and June 2025. These attacks demonstrated Qilin's ability to target critical infrastructure through systematic exploitation of network security appliances.

Multiple healthcare organizations have fallen victim to Qilin attacks, resulting in cancelled surgeries, delayed medical procedures, and compromised patient care. These attacks highlight the life-threatening potential of ransomware when targeting critical infrastructure.

Several universities and school districts have been targeted, resulting in exposure of student records, research data, and administrative systems. These attacks often occur during critical periods such as registration or examination periods to maximize pressure for ransom payment.

Gathering Threat Intelligence on Qilin Ransomware

Effectively countering such complex threats as Qilin is impossible without access to a large volume of detailed, up-to-date threat intelligence. It fuels:

  • Proactive detection: studying the malware's behavior before it attacks corporate systems.
  • Creating high-quality signatures and correlation rules: understanding specific commands, scripts, and sequences of actions enables the configuration of security systems (SIEM, EDR) for precise attack detection.
  • Investigating incidents: TI data helps analysts quickly understand the scope and methods of an attack, identify affected systems, and take appropriate response actions.

Indicators of Compromise (IOCs) include:

  • Presence of unusual Rust/Go executables.
  • Suspicious processes terminating backups or security tools.
  • Encrypted files with unique extensions set by affiliates.
  • Outbound connections to Tor-based C2 servers.
  • Ransom notes dropped across multiple directories.

Behavioral detection (via EDR/XDR) is critical: look for privilege escalation, mass file encryption, and registry tampering.
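Two of the indicators above, encrypted files carrying a unique appended extension and ransom notes whose filename contains that same extension (as the attack-chain section describes), can be correlated from file-system events. The following is an added example, not ANY.RUN's code: the event tuple format, the ".k9x2rq" extension and the note filename are constructed placeholders, and the known-extension list is an assumption to tune per environment.

```python
# Added example (not ANY.RUN's or Qilin's code): flags many files renamed with
# one new appended extension plus a dropped note that carries that extension.
# Event format, paths, extension and note name are constructed assumptions.
import ntpath  # handles Windows paths regardless of the host OS
from collections import defaultdict

# Extensions that may legitimately appear in bulk renames (tune per environment)
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".bak", ".zip", ".tmp"}

def ext_of(path):
    return ntpath.splitext(path)[1].lower()

def find_extension_burst(events, threshold=5):
    """events: list of (kind, src, dst); kind is 'rename' (src -> dst) or 'create'.
    Returns {new_ext: {"count", "sample", "notes"}} for every unknown extension
    appended to at least `threshold` files."""
    appended = defaultdict(list)
    created = []
    for kind, src, dst in events:
        if kind == "rename":
            new_ext = ext_of(dst)
            # Qilin appends its extension, so the new name starts with the old one
            if (new_ext and new_ext not in KNOWN_EXTENSIONS
                    and dst.lower().startswith(src.lower() + ".")):
                appended[new_ext].append(dst)
        elif kind == "create":
            created.append(dst)
    findings = {}
    for new_ext, files in appended.items():
        if len(files) < threshold:
            continue
        tag = new_ext.lstrip(".")
        # A created file whose name contains the extension but is not itself
        # encrypted is the likely ransom note
        notes = [c for c in created
                 if tag in ntpath.basename(c).lower() and ext_of(c) != new_ext]
        findings[new_ext] = {"count": len(files), "sample": files[0], "notes": notes}
    return findings

# Constructed sample events (kind, src, dst); the extension and note name are
# invented placeholders, not real Qilin values
DOCS = r"C:\Users\alice\Documents"
SAMPLE_EVENTS = [
    ("rename", DOCS + r"\budget%d.xlsx" % i, DOCS + r"\budget%d.xlsx.k9x2rq" % i)
    for i in range(1, 7)
] + [
    ("rename", DOCS + r"\draft.tmp", DOCS + r"\draft.docx"),    # benign rename
    ("rename", DOCS + r"\a.iso", DOCS + r"\a.iso.partial"),      # below threshold
    ("rename", DOCS + r"\b.iso", DOCS + r"\b.iso.partial"),
    ("create", None, DOCS + r"\k9x2rq-RECOVER-README.txt"),       # placeholder note
]
```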


Start with a malware name search request to ANY.RUN’s Threat Intelligence Lookup and dive deeper into contextual data on Qilin. View public analyses of the malware’s fresh samples, extract the behavioral patterns, gather IOCs from each session.

threatName:"qilin"

Qilin sample analyses found via Threat Intelligence Lookup

To find Qilin samples that were launched with the above-mentioned password, add a second search parameter:

threatName:"Qilin" and commandLine:"password"

Qilin samples with a password analyzed in the Sandbox, found via Threat Intelligence Lookup


Conclusion

Qilin is now one of the most prominent ransomware threats globally. Its rapid rise, adoption by advanced threat actors, and the growing number of victims in late 2024 and early 2025 point to sustained activity well into the years ahead. The threat is likely to persist and potentially intensify, making preparation and prevention more critical than ever.

The ransomware family represents a significant evolution in cybercriminal sophistication, combining advanced technical capabilities with effective business operations to create a formidable threat.

Although Qilin follows a typical ransomware attack chain, its success lies in the effectiveness of its evasion strategies, allowing it to execute attacks with minimal detection until the final encryption phase.

The fight against Qilin ransomware is not just a technical challenge but also a strategic business imperative. Organizations that invest in comprehensive cybersecurity programs, maintain current threat intelligence, and prepare for incident response will be better positioned to resist this sophisticated threat and protect their critical assets and operations.

