Qilin Ransomware (Agenda): A Deep Dive

Qilin ransomware, also known as Agenda ransomware, is a popular RaaS (Ransomware-as-a-Service) operation that sells its technology to affiliates, letting them launch their own attacks. Affiliates working with the RaaS operation are known for utilizing ransomware double extortion tactics. By encrypting and exfiltrating data, affiliates threaten to leak sensitive information to apply pressure when demanding payment.

With samples written in both Golang and Rust programming languages, Qilin ransomware is capable of cross-platform attacks and is known for targeting high-value victims. The Qilin/Agenda ransomware variant has evolved into one of the most active operations worldwide.

Organizations need to understand this growing ransomware threat as well as the security controls and best practices that can mitigate its impact.


The Qilin/Agenda Ransomware Emergence

The first instances of Qilin ransomware were detected in 2022 when the group began posting leaked data to its Dedicated Leak Site (DLS). Early posts on the site were made under the name “Agenda,” giving the Golang ransomware its original name, which is still commonly used.

Qilin ransomware mainly targets Windows systems, although Linux variants have been identified that target VMware ESXi servers.

By September 2022, the ransomware had rebranded itself to the name Qilin, after a creature from Chinese mythology. Attacks by the group’s ransomware affiliates tend to avoid targeting organizations in the Commonwealth of Independent States (CIS), indicating a possible Russian threat actor.

Ransomware Affiliate

Recruitment of ransomware affiliates on hacking forums was first observed in late 2023.

The RaaS operation provides affiliates with all the tools and infrastructure needed to launch attacks. In return, the Qilin RaaS group receives 15-20% of ransoms paid.

In June 2024, Qilin ransomware claimed its largest victim, Synnovis, a UK-based medical company known for providing diagnostic and pathology services to several London hospitals. The Qilin attack demanded a $50 million ransom to prevent the release of approximately 400GB of healthcare data.

This attack highlighted Qilin’s capabilities, and the RaaS operation has only grown since then.

The State of Cyber Security Report Findings

By analyzing DLSs, the 2025 State of Cyber Security report found that Qilin accounted for 5% of victims in November 2024.

It’s important to remember that this data doesn’t measure true activity, as victims who pay the ransom will not appear on a ransomware group’s DLS. However, Qilin ransomware has seen another surge in 2025 due to the disruption of popular RaaS groups, particularly RansomHub.

Qilin Ransomware Infection Vectors: Phishing, RMM, and VPN

Here are the most common Qilin ransomware distribution methods for establishing access to a target’s network:

  • Phishing emails and more targeted spear phishing campaigns that direct victims to click on a malicious link.
  • Exploiting exposed applications and interfaces as an entry point. Common examples include Citrix and Remote Desktop Protocol (RDP).
  • Infostealer malware that targets Google Chrome.
  • Accessing an organization’s Virtual Private Network (VPN) through compromised accounts.

Once the Qilin ransomware gains initial access, it begins to move laterally to access new systems in search of sensitive data to encrypt and exfiltrate.

Remote Monitoring and Management (RMM) tools are often utilized during this process, and Cobalt Strike is regularly used to deploy the ransomware binary. The ransomware executable can propagate through PsExec and Secure Shell (SSH) tools, and vulnerable system drivers are exploited to evade defenses.

Qilin Ransomware Capabilities: Encryption and Evasion Techniques

Qilin affiliates are known for utilizing double extortion ransomware.

This means encrypting the victim’s data to disrupt operations while simultaneously threatening to post sensitive information to the group’s DLS hosted on Tor. Ransomware using double extortion techniques aims to put additional pressure on the victim and increase the likelihood of receiving a ransom.

Communication and payments are designed to protect the ransomware affiliate’s identity and hinder law enforcement agencies from investigating Qilin. This includes:

  • The use of dark web portals or encrypted messaging apps for communication
  • The ransoms being paid via cryptocurrency

As a sophisticated RaaS operation, Qilin ransomware affiliates can develop their own variants and tailor capabilities to suit their targets. This includes configuring various settings for encryption and evasion.

Typical encryption algorithms utilized are:

  • ChaCha20
  • AES
  • RSA-4096

Encryption is deployed via various modes that the operator controls. These include normal, step-skip, fast, and percent.

Each mode allows the ransomware affiliate to tailor their attack to prioritize speed or completeness. Affiliates can also choose the filename extension of encrypted files. Analysis shows each victim has a unique company ID extension added to the encrypted files.
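The mode names suggest that step-skip and percent modes encrypt only part of each file, which a whole-file entropy check averages away. The following Python script is an added example, not code from the original article or from the ransomware: it scans a file in fixed windows and flags alternating high- and low-entropy regions. The window size, thresholds and the constructed sample document are assumptions for the demonstration; the "skip" generator only writes random bytes into a test buffer and performs no encryption.

```python
import math
import os
from collections import Counter

WINDOW = 4096          # bytes per window (assumed; tune to the file types you monitor)
HIGH_ENTROPY = 7.0     # bits/byte; encrypted or random data approaches 8.0
LOW_ENTROPY = 5.5      # ordinary text/document content sits well below this

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def window_entropies(data: bytes, window: int = WINDOW) -> list:
    """Entropy of each consecutive window of the input."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def intermittent_encryption_score(data: bytes, window: int = WINDOW) -> dict:
    """Flag files where high- and low-entropy windows alternate, the pattern
    partial (skip/percent-style) encryption leaves behind."""
    ents = window_entropies(data, window)
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    transitions, prev = 0, None
    for e in ents:
        state = "high" if e >= HIGH_ENTROPY else "low" if e <= LOW_ENTROPY else None
        if state and prev and state != prev:
            transitions += 1
        if state:
            prev = state
    return {
        "whole_file_entropy": round(shannon_entropy(data), 2),
        "windows": len(ents),
        "high_windows": high,
        "low_windows": low,
        "transitions": transitions,
        "suspicious": high > 0 and low > 0 and transitions >= 2,
    }

# Constructed sample document (roughly 37 KB of repetitive report text).
PLAINTEXT = b"Quarterly report: revenue, costs and patient counts per site.\n" * 600

def simulate_skip_pattern(data: bytes, window: int = WINDOW) -> bytes:
    """Test-data helper only: overwrite every other window with random bytes
    so the buffer looks like a partially encrypted file. No cipher involved."""
    out = bytearray(data)
    for i in range(0, len(data), window * 2):
        out[i:i + window] = os.urandom(min(window, len(data) - i))
    return bytes(out)
```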

Affiliates can target a range of file types within the victim’s systems, such as:

  • Documents
  • Images
  • Databases

Code obfuscation and evasion techniques are also available, including encrypting strings, renaming functions, and altering control flows. Qilin is marketed as a versatile, stealthy, and easy-to-use ransomware. Configuration settings are all made through the affiliate panel to simplify adapting the underlying technology for diverse attacks.

The Qilin.B Variant

A notable variant, first observed in 2024, that enhances the ransomware’s capabilities is Qilin.B. This variant offers improved encryption and evasion techniques.

It provides a range of different encryption techniques tailored to various systems, making it impossible to access compromised data without the private key.

A Rust ransomware, Qilin.B hinders protections by terminating services associated with security tools and clearing Windows Event logs. It also deletes itself after the attack to obstruct analysis through reverse-engineering the payload.

Finally, Qilin.B deletes volume shadow copies to make recovery efforts more challenging.
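The anti-recovery and anti-analysis steps described above (shadow copy deletion, event log clearing, stopping security services, self-deletion) each look like routine administration on their own but rarely occur together on one host in a short window. The following Python script is an added example, not code from the original article: it classifies process-creation command lines with generic Windows patterns for these behaviours and raises an alert only when several categories coincide. The regexes, the security-service name hints, the time window and the sample telemetry are all constructed assumptions, not Qilin indicators.

```python
import re
from collections import defaultdict

# (category, regex over the command line). Generic Windows commands for each
# behaviour the article names; the service-name hints are placeholders.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_clearing", re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.I)),
    ("service_termination", re.compile(
        r"(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*/im)\s+\S*(edr|defend|sense|security)", re.I)),
    ("self_deletion", re.compile(
        r"cmd(\.exe)?\s+/c\s+.*?\bdel\b.*?\.exe", re.I)),
]

def classify(event: dict) -> list:
    """Return the rule categories matched by one process-creation event."""
    cmd = event.get("cmdline", "")
    return [cat for cat, rx in RULES if rx.search(cmd)]

def correlate(events: list, window_s: int = 600, min_categories: int = 2) -> list:
    """Alert per host when >= min_categories distinct behaviours occur within window_s seconds."""
    by_host = defaultdict(list)
    for ev in events:
        for cat in classify(ev):
            by_host[ev["host"]].append((ev["ts"], cat, ev["cmdline"]))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window_s]
            cats = {h[1] for h in in_window}
            if len(cats) >= min_categories:
                alerts.append({"host": host, "start": t0, "categories": sorted(cats),
                               "commands": [h[2] for h in in_window]})
                break  # one alert per host is enough for triage
    return alerts

# Constructed sample telemetry (ts in seconds); not real logs from any incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 1000, "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS01", "ts": 1010, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "ts": 1030, "cmdline": "net stop ExampleEDRService"},
    {"host": "WS01", "ts": 1040, "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS02", "ts": 1050, "cmdline": "wevtutil.exe cl Application"},  # single category: admin noise
    {"host": "WS03", "ts": 1060, "cmdline": "notepad.exe report.txt"},
]
```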

Target Industries

As a RaaS operation, Qilin targets are chosen by ransomware affiliates, not the group behind the technology. Typical targets are larger organizations with high-value data, to extort higher ransoms. This draws affiliates toward the industries that are popular among ransomware actors in general, such as:

  • Healthcare
  • Education

As discussed earlier, Qilin’s most famous attack was on the UK-based healthcare organization Synnovis.

This ransomware attack led to significant disruption at multiple hospitals, causing over 6,000 appointments and procedures to be cancelled and a shortage of blood donations.

Other Qilin healthcare ransomware victims include:

  • Central Texas Pediatric Orthopedics
  • Next Step Healthcare in Massachusetts
  • The Health Trust in California

Healthcare ransomware attacks are particularly common, as these organizations run vital services that rely on sensitive patient data, but also frequently have limited budgets and cybersecurity expertise.

Although education and healthcare ransomware attacks are more common among Qilin affiliates, generally speaking, attacks seem opportunistic rather than specifically targeted, except for the notable absence of attacks within the CIS.

Other significant Qilin victims include the UK street newspaper The Big Issue, automotive company Yanfeng, and the Australian court service.

Recent Tactics: Fortinet Exploits and Affiliate Legal Counsel

Recent tactics employed by Qilin affiliates include Fortinet vulnerability ransomware attacks targeting the company’s firewalls.

Specifically, these attacks exploit two critical Fortinet vulnerabilities:

  • CVE-2024-21762: Out-of-bounds write vulnerability that can remotely execute commands.
  • CVE-2024-55591: Authentication bypass vulnerability for privilege escalation.

Both of these vulnerabilities affect FortiOS/FortiProxy SSL-VPN devices. Initially, these Fortinet vulnerability ransomware attacks were targeting organizations in Spanish-speaking countries. However, they are expected to spread to other regions.

The Qilin group is automating the Fortinet vulnerability attacks, and affiliates only need to select their target to launch one.

Another recent update is the Qilin RaaS panel offering affiliates legal counsel with a new “Call Lawyer” feature. This is intended to further increase pressure on victims by providing access to lawyers to help with ransom negotiations.

Affiliates can learn exactly which regulations their victims have breached by suffering the attack, and receive an expert evaluation of the potential costs to the victim if they don’t pay the ransom.

Detection, Mitigation & Prevention Strategies

While the Qilin ransomware offers affiliates extensive capabilities, organizations with mature cybersecurity strategies are well-placed to detect, mitigate, and prevent attacks.

Best practices and security controls that reduce the risk of ransomware attacks include:

  • Securely backing up your most sensitive data utilizing isolated, off-site infrastructure.
  • Deploying proper patch management processes that ensure you run the most up-to-date and secure software.
  • Monitoring network traffic for suspicious activity beyond typical operations.
  • Implementing robust authentication procedures based on strong, unique passwords and Multi-Factor Authentication (MFA).
  • Segmenting your network to limit lateral movement after initial unauthorized access.
  • Training staff to understand the most commonly used ransomware distribution methods, such as identifying phishing emails.
  • Encrypting sensitive data at rest when it is stored on your systems, not just when it is in transit.
  • Identifying the best anti-ransomware security tool on the market that delivers comprehensive protection to keep threats like Qilin at bay.

Ransomware Protection with Check Point

Harmony Endpoint from Check Point is a complete anti-ransomware solution that stops even the most sophisticated attacks. Extensive endpoint security controls deny unauthorized access to your network, and automated recovery tools minimize the impact of potential breaches.

Harmony Endpoint offers everything you need to protect your organization from Qilin and other ransomware threats in an all-in-one, cost-effective solution.

Request a personalized, free demo today and discover how it can be tailored to meet your exact needs.