'Ransomware in focus' is our new series unravelling the complexities of ransomware groups throughout the ecosystem. By detailing their business strategies, target victims, and the tactics, techniques, and procedures (TTPs) behind their operations, we hope to arm businesses with essential knowledge required to confront and overcome the challenges posed by ransomware. In this instalment, Milda Petraityte and Melissa DeOrio examine the operations of Qilin.
Background
Qilin is a financially-motivated cybercriminal group first observed at the beginning of July 2022 as Agenda ransomware. The group rebranded as Qilin in September of the same year and has operated as a Ransomware-as-a-Service ('RaaS') since February 2023. Qilin's RaaS operators are likely based in Russia (or former-Soviet territories), on the basis of affiliate recruitment on Russian-language cybercrime forums and RaaS rules prohibiting attacks on organisations in Russia or former Soviet Union countries. Such constraints often correlate with the physical location of operators, who are permitted to act freely as long as local entities are not impacted.
Motivations
Qilin is a financially-motivated group that has no stated ideological or political objectives. Qilin imposes minimal constraints on affiliate behaviour beyond prohibiting attacks on entities in Russia or other CIS countries, offering substantial autonomy in victim selection. Data indicates that the group has primarily targeted organizations in the manufacturing, construction, and financial services sectors within the past month.
Business model
Operating as a RaaS, Qilin rents out its infrastructure to affiliates in exchange for 15-20% of the earnings from each ransomware operation: reportedly a 20% commission on payments of USD 3 million or less, and 15% on payments over USD 3 million. Publication of stolen data and ransom payment negotiations are reportedly handled by Qilin operators. Qilin provides its affiliates with a highly customisable panel that enables bespoke payload configuration for each victim, including the ability to alter which files or directories are targeted or excluded and the contents of the ransom note. This flexibility makes the ransomware particularly adaptable across environments.
Group affiliations
Although there are no publicly known connections between Qilin and other RaaS groups, on at least two separate occasions a Qilin victim had previously appeared on the leak site of another well-known RaaS operation, such as LockBit and Cactus, likely indicating the presence of shared affiliates. Other groups, such as the collective Scattered Spider and the North Korean nation-state group Moonstone Sleet, have also reportedly deployed the ransomware during their attacks.
Shift in targeting techniques
Recently, Qilin has launched targeted phishing campaigns against Managed Service Providers (MSPs), a tactic likely intended to expand the group's access to multiple downstream client environments. The campaign sends MSP administrators fraudulent authentication alerts impersonating ScreenConnect Remote Monitoring and Management (RMM) notifications. Victims are redirected to sophisticated phishing pages designed to harvest administrator credentials, session cookies and MFA tokens, enabling account takeover and the bypass of multi-factor authentication controls.
Group developments
Following the closure of RansomHub in early April 2025, S-RM has observed a notable increase in the number of reported victims on the group's leak site; reported victims increased by approximately 56% month over month. This temporal correlation suggests potential affiliate migration from the defunct RansomHub operation to Qilin’s RaaS platform, though definitive attribution of this activity surge remains under assessment.
Emerging extortion tactics
Recently, Qilin has offered new extortion enablers to affiliates, such as "Call Lawyer", which offers affiliates the opportunity to access a legal advisor through the victim chat portal during negotiations. The lawyer reportedly provides affiliates with legal advice, including a legal assessment of the victim's exfiltrated data against applicable laws and regulations and the potential implications of non-payment, enabling affiliates to pressure victims more precisely. Additionally, Qilin claims to employ in-house journalists who collaborate with the legal advisors to create tailored blog posts pressuring victims. S-RM has not observed these adaptations first-hand in cases we have supported to date.
Victimology
Since emerging in September 2022, Qilin has provided affiliates with broad discretion in selecting targets. However, since January 2025, S-RM has observed a shift toward strategic targeting of Managed Service Providers (MSPs). This evolution suggests a maturing operational strategy that includes centralised campaign planning, and may indicate a reduction in affiliate discretion going forward.
91% of Qilin's victims were small-medium sized businesses (businesses with fewer than 1,000 employees).
Figure 1. Companies targeted by country in the last 30 days*. Source: eCrime
Notable attacks
- In April 2025, the group targeted the City of Abilene, Texas, encrypting systems and exfiltrating roughly 477 GB of data across several departments including the CityLink public transit network. The attack resulted in roughly 1 month of disruption to the city’s bus services and other operations.
- In June 2024, Qilin targeted Synnovis, a pathology provider for several NHS hospitals, disrupting blood testing and forcing cancellation of over 1,100 surgeries and 2,000 appointments. The group demanded a staggering $50 million ransom. After no payment was made, data tied to 900,000 patients was leaked.
Figure 2. Companies targeted in the last 30 days, by sector*. Source: ecrime.ch
*Data based on victims posted to the actor's leak site, and thus unlikely to be comprehensive of all victims.
Initial access
Initial access is primarily achieved through targeted phishing campaigns or exploitation of exposed remote services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs). Recently, the group has been observed exploiting CVE-2025-31324 (an SAP NetWeaver Visual Composer vulnerability), and it has previously exploited CVE-2023-27532 (a Veeam Backup and Replication vulnerability).
Propagation
Once inside a network, Qilin escalates privileges by exploiting vulnerabilities or using legitimate tools such as Mimikatz, PsExec or PowerShell, and achieves lateral movement through standard network discovery techniques. Since August 2024, S-RM has observed Qilin harvesting credentials stored in Google Chrome browsers, giving the group a mechanism for re-entry into compromised environments.
The group employs multiple defence evasion techniques, including anti-analysis measures to detect debugging and sandbox environments, PowerShell commands to remove logs and traces of activity, and deletion of backups to cover its tracks.
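The defence evasion and credential-harvesting behaviours described above leave process-creation telemetry that can be matched on an endpoint. The following is an added detection example, not code from the report or from S-RM; the command patterns it matches (shadow-copy deletion, event-log clearing, recovery disabling, access to Chrome's credential store) are assumed, commonly documented Windows indicators rather than commands quoted in this report, and the events are constructed samples.

```python
import re
from typing import Dict, List

# Assumed indicators for the behaviours described in the report. These are
# common Windows commands, not commands quoted by S-RM.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("event_log_cleared", re.compile(r"Clear-EventLog", re.I)),
    ("browser_credential_access",
     re.compile(r"\\Google\\Chrome\\User Data\\.*Login Data", re.I)),
]

def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule a process event matches (deduplicated)."""
    # Match on the command line plus any file the process touched.
    text = event.get("command_line", "") + " " + event.get("target_file", "")
    is_chrome = event.get("image", "").lower().endswith("chrome.exe")
    hits: List[str] = []
    for name, pattern in RULES:
        # Chrome itself legitimately reads its own credential store.
        if name == "browser_credential_access" and is_chrome:
            continue
        if pattern.search(text) and name not in hits:
            hits.append(name)
    return hits

def triage(events: List[Dict[str, str]]) -> Dict[str, list]:
    """Group matched events by host so the evasion chain is visible per host."""
    findings: Dict[str, list] = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            findings.setdefault(ev["host"], []).append((ev["image"], hits))
    return findings

# Constructed sample process-creation events (not from a real incident).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -Command "Clear-EventLog -LogName Security,System"'},
    {"host": "WS01", "image": r"C:\Users\admin\AppData\Local\Temp\x.exe", "command_line": "x.exe",
     "target_file": r"C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS02", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": '"chrome.exe" --profile-directory=Default',
     "target_file": r"C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS02", "image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil.exe cl System"},
]

if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        print(host, items)
```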
Encryption
Qilin's ransomware is designed to be highly adaptable, enabling affiliates to tailor attacks to victim environments; the group offers support for the ChaCha20, AES-256 and RSA-4096 encryption algorithms. Since October 2024, Qilin has offered a new Rust-based variant of its encryptor dubbed 'Qilin.B', which reportedly offers enhanced encryption strength, improved evasion capabilities and the ability to disrupt data recovery mechanisms.
Extortion
Qilin leverages double extortion (the theft and encryption of sensitive data) to pressure victims into paying a ransom. The group is known for aggressive negotiation tactics and, in the absence of payment, frequently publishes stolen data on both its Tor-based leak site and its clear web domain, WikiLeaksV2. In 2024, Qilin also operated a Telegram channel to amplify leaks, though the channel is no longer active.