Qilin Ransomware

Description

Qilin is a ransomware group that operates a Ransomware-as-a-Service (RaaS) model and surfaced around mid-2022. The group initially appeared as “Agenda” but rebranded as “Qilin” a few months later. The origin of the name “Qilin” is unknown, but what is certain is that a user named “Qilin” promoted the Agenda ransomware.

Qilin’s target set spans multiple regions. The industries impacted are diverse and include sectors often considered critical or resource-intensive, such as energy and healthcare. The group employs a double-extortion tactic, in which it not only encrypts victim data but also steals it and threatens publication.

Qilin introduced a “Call Lawyer” feature in its affiliate portal in mid-2025. When an affiliate invokes it during ransom negotiations, the feature connects the affiliate with alleged, and so far unproven, legal counsel supplied by the ransomware operator. This feature is designed to pressure victims into paying through legally framed arguments and a threatening posture, not to assist victims.

In September 2025, the ransomware group “DragonForce” announced that Qilin, alongside LockBit, had joined their ransomware cartel. However, that claim has not been verified.

Aliases

  • QilinCrypt
  • Agenda
  • Qilin Ransomware Operators
  • Qilin Locker
  • Qilin ransomware group
  • Qilin ransomware Operators

Common Vulnerabilities and Exposures

Targeted Industries

  • Education
  • Government (Local/Municipal)
  • Healthcare
  • Home Users
  • Media and Entertainment
  • Small and Medium Businesses (SMBs)

Objectives

Financial Gain

Known Tools Used

  • 7-Zip
  • Brute-force tools
  • Custom scripts
  • Exploit kits
  • SMB scanners
  • TOR
  • Web shells

Known Infection Vectors

  • Brute-force attacks
  • Compromised RDP/VPN credentials
  • Fake software updates
  • Initial Access Brokers (IABs)
  • Malicious ads (malvertising)
  • Managed Service Provider (MSP) breaches
  • Misconfigured cloud services
  • Phishing (malicious emails/attachments)
  • Supply chain attacks
  • Third-party app exploits (e.g., TeamViewer/AnyDesk)
  • USB/Removable media
  • Vulnerability exploits
  • Watering hole attacks

References

Ransomware Roundup: Snatch, BianLian and Agenda (Fortinet)
https://www.fortinet.com/blog/threat-research/ransomware-roundup-snatch-bianlian-and-agenda

Qilin (MITRE)
https://attack.mitre.org/software/S1242/

Qilin Top Ransomware Threat to SLTTs in Q2 2025 (Center for Internet Security)
https://www.cisecurity.org/insights/blog/qilin-top-ransomware-threat-to-sltts-in-q2-2025
