Inside Qilin: The Double Extortion Ransomware Threat

A new threat has appeared on the horizon in 2025: Qilin ransomware, a rising ransomware-as-a-service operation that claimed a total of 72 victims in April 2025 alone.

Qilin enables affiliates to launch highly customizable attacks across various sectors, including healthcare, manufacturing, and government services.

How can you protect yourself against Qilin attacks? Let's dive deep into how Qilin operates to better understand its modus operandi.


What is Qilin ransomware?

Qilin, also known as Agenda ransomware, is a cybercriminal group that operates under a ransomware-as-a-service model.

Named after a creature from Chinese mythology (similar to a Chinese unicorn), the hacker group utilizes double extortion tactics on its targets in North America and Europe.

Despite having a name that could tie the group to Beijing, the Qilin ransomware operation appears to be linked to Russia.

Figure 1: A screenshot of a Qilin ransom note. Source: Sophos

Timeline of attacks

Qilin has become a top ransomware group globally, focusing on industries whose disruption has the greatest impact on the US.

  • June 2022: The first instance of Qilin ransomware is detected. Attackers successfully accessed a customer's VPN and compromised the admin account, using RDP to gain access to the customer's Microsoft System Center Configuration Manager (SCCM) server.
  • October 2022: Qilin ransomware-as-a-service's first known victim is posted on the Dedicated Leak Site (DLS) under the name Agenda.
  • April 2023: A victim in APAC reported the next significant Qilin attack. The group shows signs of evolving, shifting from Go-based ransomware to a Rust-based variant.
  • January 2024: An Australian court system reported a double-extortion attack from Qilin. Hackers worked to extort court files, including the audio-visual archive.
  • May 2024: Qilin gains notoriety with a $50 million ransom demand targeting Synnovis, disrupting major NHS hospitals in London. Cybercriminals stole 400GB of patient data, affecting more than 3,000 hospital and GP appointments.
  • April 2025: An attack on SK Inc., a firm that invests heavily in US businesses, was uncovered when files appeared on Qilin's data leak site. The group exfiltrated more than 1TB of files from its servers.
  • May 2025: Cobb County in Georgia reported an attack conducted by Qilin. The group acquired 150GB of data, including 400,000 files, autopsy photos, Social Security numbers (SSNs), driver's licenses, and other personal records.

Who does Qilin ransomware target?

Qilin strategically targets primary verticals that offer the largest payouts, such as manufacturing, legal, and financial services.

Companies that have been compromised share common weak points in their IT infrastructure:

  • Large enterprises with distributed infrastructure
  • Healthcare, manufacturing, education, and finance sectors
  • Organisations with legacy systems or misconfigured remote access

Figure 2: Industries targeted by Qilin ransomware as of June 7, 2024. Source: HSCC

Qilin entices affiliates with 80–85% ransom payouts, and now includes a “Call Lawyer” feature in its toolkit, aimed at pressuring victims to hike their ransom payments.

How does Qilin ransomware work?

Qilin ransomware exploits social engineering to gain access, then encrypts data and launches double extortion attacks. Written in Go and Rust, it targets both Windows and Linux, making it highly adaptable across varied IT infrastructures.

Qilin ransomware IOCs

  • Leveraging built-in software flaws: Qilin has been observed exploiting Fortinet flaws, including CVE-2024-21762 and CVE-2024-55591, to bypass authentication and execute malicious code.
  • Hijacking authentication tokens: Hackers exploited a critical flaw (CVE-2024-27198) in JetBrains' TeamCity On-Premises, allowing remote authentication bypass and unauthorized admin access to servers.
  • Veeam vulnerability: A vulnerability discovered in Veeam Backup & Replication, CVE-2023-27532, allowed attackers to obtain encrypted credentials stored in the configuration database.
  • Unique file extension naming: Encrypted files often have unique extensions appended, such as .qilin, .agenda, or victim-specific identifiers.
  • Ransom note delivery: Ransom notes are typically named README-RECOVER-[company_id].txt and contain instructions for payment and data recovery.
  • Command and Control (C2) servers: Communication with domains such as bloglake7[.]cfd has been observed.
  • Bring Your Own Vulnerable Driver (BYOVD): Utilization of vulnerable drivers like TPwSav.sys to disable Endpoint Detection and Response (EDR) tools.

Figure 3: CVE-2024-27198 was exploited for backdoor access on the TeamCity server. Source: Bleeping Computer.

Qilin ransomware TTPs

Initial access

A spear-phishing email deceives staff, installing a Trojanized version of RVTools from rv-tool[.]net. In other cases, attackers log in directly using purchased or reused RDP credentials.

Execution

Once inside, Qilin drops custom payloads using native scripting tools. A PowerShell command silently downloads NETXLOADER, which pulls in the ransomware binary without triggering traditional antivirus.

Qilin's loader disguised itself as a Windows "SystemHealthMonitor" tool and used the Registry Run key to establish persistence. This allowed the malicious script (svchost.js) to execute automatically on startup. The observed PowerShell command, reassembled as a single line:

    New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "SystemHealthMonitor" -Value "C:\Windows\System32\wscript.exe //B //E:jscript C:\ProgramData\svchost.js" -PropertyType String -Force

Privilege escalation

Qilin hackers bring their own vulnerable drivers (BYOVD), such as Zemana AntiMalware or Toshiba power drivers, to disable security tools and gain system access.

Defense evasion

Using renamed binaries like upd.exe (spoofing legitimate AV updaters), Qilin ransomware disables EDR, clears logs, and bypasses detection. The malware might even exploit outdated Carbon Black Cloud sensors to remain hidden.

Credential access

Once elevated, Qilin dumps LSASS memory and extracts credentials from browsers like Chrome to access other systems without being noticed.

Lateral movement

With credentials in hand, Qilin moves laterally across the network using SMB, RDP, WinRM, and PsExec. IT tools like ScreenConnect and AnyDesk are sometimes hijacked to extend access.

Impact

When ready, Qilin triggers its payload. Files are encrypted with .qilin or .qln extensions.

Ransom notes like README.txt or qilin_readme.txt appear across file shares and desktop paths. Backups, if reachable, are targeted and encrypted first.
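As an added example (not code from the original post or from any vendor tool), the following Python detection sketch flags the two artefact types described above: a Run-key value that launches wscript.exe with the JScript engine against a script in ProgramData (the persistence step under Execution), and file creations matching the Qilin extensions and ransom-note names listed under Impact. The event records are constructed, modelled loosely on Sysmon registry-set and file-create events, and are an assumption of this example rather than telemetry from the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records modelled on Sysmon registry-value-set (ID 13)
# and file-create (ID 11) events; they are illustrative, not real telemetry.
SAMPLE_EVENTS: List[dict] = [
    {"id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-111\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemHealthMonitor",
     "details": r"C:\Windows\System32\wscript.exe //B //E:jscript C:\ProgramData\svchost.js"},
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
    {"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "target": r"\\fileserver\finance\Q1-report.xlsx.qilin"},
    {"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "target": r"\\fileserver\finance\README-RECOVER-a1b2c3.txt"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

# Any value written under a Run key, whichever hive it lives in.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Script host forced into the JScript engine and loading a script from ProgramData.
SCRIPT_HOST = re.compile(r"\\[wc]script\.exe\b.*//E:jscript\b.*\\ProgramData\\", re.I)
# Extensions and note names the post lists as Qilin indicators.
RANSOM_EXT = re.compile(r"\.(qilin|agenda|qln)$", re.I)
RANSOM_NOTE = re.compile(r"\\(README-RECOVER-[A-Za-z0-9]+|qilin_readme)\.txt$", re.I)

def classify(event: dict) -> Optional[str]:
    """Return an alert label for one event, or None when it looks benign."""
    if event["id"] == 13 and RUN_KEY.search(event["target"]) \
            and SCRIPT_HOST.search(event.get("details", "")):
        return "run-key-jscript-persistence"
    if event["id"] == 11:
        if RANSOM_EXT.search(event["target"]):
            return "ransomware-extension"
        if RANSOM_NOTE.search(event["target"]):
            return "ransom-note-dropped"
    return None

def scan(events: List[dict]) -> Dict[str, List[str]]:
    """Group the paths/values that fired each alert label across a batch."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(label, []).append(ev["target"])
    return hits
```

Running `scan(SAMPLE_EVENTS)` on the constructed batch returns three labels, one for the Run-key entry and two for the encrypted file and the ransom note; the vendor tray entry and the ordinary text file produce no alert.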

How to prevent Qilin ransomware attacks

Protecting yourself against future attacks means adopting a layered defense strategy to counter foreign actors such as Qilin.

CISA issued an alert for Qilin ransomware on X. Source: CISA.

  • Harden the attack surface. Patch vulnerabilities promptly, especially in VPNs, RDP, and virtualization platforms like VMware ESXi, which Qilin has targeted.
  • Strengthen identity and access management. Implement MFA across all accounts to mitigate the risk of credential leaks, and review domain controllers, servers, workstations, and Active Directory for suspicious user accounts.
  • Secure off-site backups. Save and secure backup files on off-site servers that malware can't easily find. Additionally, ensure copies of critical data cannot be modified or deleted from the system where the data resides.
  • Implement network segmentation. Divide your network into smaller sections, making it more difficult for attackers to spread laterally.
  • Reduce your overall attack surface. Disable functionality that isn't used often to reduce the risk of an intruder.
  • Keep an eye on IoCs. Monitor your network environment for Qilin IoCs such as file hashes and suspicious IPs to stay on top of potential attacks.

Qilin ransomware mitigation

Be proactive against cyber threats by making sure you’re ready to respond quickly and minimize risk the moment an incident occurs.

Mitigate double extortion ransomware:

  • Protect your attack surface. CybelAngel's Attack Surface Management solution continuously scans the internet, including shadow IT and third-party assets, to identify exposed services, credentials, and misconfigured systems, the common entry points exploited by Qilin affiliates.
  • Data leak detection. Qilin uses double extortion tactics to extract funds from victims. CybelAngel's Data Breach Prevention monitors dark web forums, marketplaces, and leak sites (including Tor), enabling faster incident response.
  • Credential leak monitoring. Stolen or reused credentials are a frequent vector for Qilin attacks. CybelAngel's Credential Intelligence alerts you when credentials are harvested and dumped online, prompting quicker removal before attackers can exploit them.
  • Real-time alerts and remediation. Secure assets and sensitive information with CybelAngel's Remediation solution, especially if attackers have leaked company information to the dark web.

Book a demo to defend against ransomware threats with CybelAngel.