Nischal Khadgi, May 15, 2026, 7 min read

Qilin (formerly Agenda): From emergence to global ransomware dominance

 

Fast facts

A quick look at the key facts shaping this threat landscape.

Originally identified as “Agenda” in mid-2022, Qilin is a Russia-based ransomware group that later rebranded and evolved into a mature Ransomware-as-a-Service (RaaS) platform.

From Q2 2025 through Q1 2026, Qilin has been observed as one of the most active ransomware groups, recording the highest number of publicly disclosed victims. At the time of writing, the group has impacted approximately 1,556 organizations.

Over time, Qilin expanded its capabilities to support cross-platform encryption across Windows, Linux, and VMware ESXi environments.

Qilin has consistently targeted high-impact sectors such as manufacturing, healthcare, technology, and construction, where operational downtime generates significant financial and operational pressure. The group’s victim footprint spans the globe, with the United States, France, Canada, the United Kingdom, and Spain among the most frequently targeted countries.

Overview

Ransomware continues to dominate the cyber threat landscape, evolving from opportunistic file-encrypting malware into structured, profit-driven criminal enterprises. Modern ransomware operations are no longer driven by lone actors. Instead, they operate under organized models with defined roles, affiliate networks, monetization strategies, and scalable infrastructure.

One of the most active and rapidly expanding ransomware groups operating under this model is Qilin.

Qilin is a Russia-based ransomware group that first emerged in 2022, initially operating under the name “Agenda.” While early activity remained relatively limited, the group gained significant momentum in 2023 and accelerated aggressively through 2024 and 2025. By late 2025, according to data from ransomware.live, Qilin had become one of the most active ransomware threats globally.

In October 2025 alone, Qilin claimed responsibility for approximately 210 victims. At the time of reporting, the group had publicly listed 1,697 victims in total and claimed 421 victims within a 90-day period, underscoring its sustained operational tempo and rapid growth trajectory.

The cumulative victim growth chart in the report highlights a clear year-over-year expansion pattern, suggesting continued operational maturity and likely persistence into 2026.

[Figure: cumulative victims per month (source: ransomware.live)]

Qilin operates under a Ransomware-as-a-Service (RaaS) model. The core operators develop and maintain the ransomware platform and supporting infrastructure, while affiliates conduct intrusions in exchange for a percentage of ransom payments.

This structure allows Qilin to:

  • Scale rapidly
  • Diversify attack vectors
  • Expand geographically
  • Maintain a high operational tempo

Over time, Qilin has evolved from a Golang-based encryptor to a Rust-based cross-platform ransomware capable of targeting Windows, Linux, and VMware ESXi systems. The affiliate panel supports customized execution, service termination, safe-mode rebooting, lateral movement, and additional extortion features.

Beyond traditional double extortion (encryption plus data theft), Qilin has introduced expanded pressure tactics, including DDoS extortion and a “Call Lawyer” negotiation feature designed to intimidate victims during ransom discussions.

[Figure: Qilin administrator announcement on RAMP]

Marketed as a form of legal assistance, this functionality was designed to guide affiliates during extortion negotiations and help them apply additional pressure on victims. The proposed feature reportedly involved assessing stolen data to categorize it from a legal and regulatory standpoint. By identifying potential exposure under frameworks such as GDPR, CCPA, HIPAA, and other jurisdiction-specific laws, attackers aimed to underscore the compliance risks facing victim organizations. Ultimately, Qilin’s strategy was to strengthen its leverage: by framing the breach in terms of potential lawsuits, regulatory penalties, and reputational harm, the group sought to persuade victims that paying the ransom would be less costly than enduring the broader fallout.

Targeted Industries

Qilin focuses on industries where operational disruption creates maximum leverage. Its most frequently targeted sectors include:

  • Manufacturing
  • Technology
  • Healthcare
  • Construction

These industries operate under strict uptime requirements, regulatory pressure, or supply chain dependencies, increasing the likelihood of ransom payment.

[Figure: top 5 industries targeted by Qilin (source: ransomware.live)]


Geographically, Qilin’s activity spans multiple regions. The United States, United Kingdom, Germany, Canada and Spain account for the highest number of reported victims, demonstrating the group’s broad international footprint.

[Figure: top 5 countries targeted by Qilin (source: ransomware.live)]


Technical Analysis

Initial Access


Persistence

  • Creates Registry Run keys for persistence.
  • Establishes scheduled tasks.
  • Creates backdoor administrative accounts.
  • Modifies registry-based RDP settings to maintain remote access.


Privilege Escalation

  • Uses the Windows net utility to escalate privileges by adding attacker-controlled accounts to the local Administrators group.
  • Creates network shares with permissive access controls to allow unrestricted access to system files.

Defense Evasion

  • Modifies symbolic link evaluation settings using fsutil.
  • Clears Windows Event Logs to remove forensic traces.
  • Disables AMSI protections to bypass PowerShell-based security controls.
  • Uses Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security protections, deploying tools such as DarkKill and HRSword to terminate EDR solutions.


Credential Access


Discovery

  • Uses PowerShell with the ActiveDirectory module to enumerate domain-joined systems and retrieve their DNS hostnames.
  • Enumerates accessible network shares and resources using Windows networking APIs such as WNetOpenEnum and WNetEnumResource.
  • Performs Active Directory and domain enumeration to identify trust relationships and privileged accounts using native utilities such as nltest and net.
  • Deploys network scanning tools such as Netscan to identify reachable systems and exposed services.
  • Installs and abuses remote monitoring and management (RMM) tools, including ScreenConnect and AnyDesk deployed via Atera agents, to execute discovery commands and blend activity with legitimate administrative operations.

Lateral Movement

  • Uses PsExec, RDP, SSH, and Active Directory administrative tools.
  • Conducts network discovery and scanning using utilities such as netscan.
  • Demonstrates cross-platform capabilities, including executing Linux ransomware payloads via Windows Subsystem for Linux (WSL).

Collection

  • Custom scripts leveraging SMTP to exfiltrate data via email services.
  • Archives collected data using WinRAR prior to exfiltration.


Exfiltration

  • Stages and exfiltrates data through public file-sharing and cloud storage services such as easyupload[.]io.


Impact

  • Manipulates Volume Shadow Copy Service (VSS).
  • Deletes shadow copies and disables recovery mechanisms.
  • Encrypts local and network-accessible files to maximize disruption.
  • Renames encrypted files with .qilin or custom extensions.
  • Extensions are configurable through the Qilin RaaS panel.
  • Extensions often contain unique victim or company identifiers to track campaigns.
  • Drops ransom notes typically named:
    • README-RECOVER.txt
    • README-RECOVER-[company_id].txt
  • Notes include instructions for contacting the attackers.

[Figure: Qilin ransom note]

  • The note provides access to the Qilin leak site hosted on a .onion address via the Tor network.
  • It also includes direct IP-based access for victims without Tor.
  • Victims receive a unique company ID and login credentials for the negotiation portal.
  • The ransomware modifies the desktop wallpaper to display ransom instructions directing victims to recovery steps.
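The Persistence, Privilege Escalation, Defense Evasion and Impact bullets above all name built-in Windows utilities (net, fsutil, vssadmin, event-log clearing, Run keys) and a ransom note naming pattern. The following added example (not code from the original post or from Guardsix) turns those observations into command-line detection rules and runs them over constructed process-creation records; hostnames, account names and command lines are made-up sample data.

```python
import re

# Constructed Sysmon-style process-creation records (hypothetical sample data),
# reduced to the fields the rules need. Hostnames and account names are made up.
SAMPLE_EVENTS = [
    {"host": "fs01", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "fs01", "cmd": "fsutil behavior set SymlinkEvaluation R2L:1 R2R:1"},
    {"host": "ws07", "cmd": "net localgroup administrators svc_backup /add"},
    {"host": "ws07", "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\Public\upd.exe"},
    {"host": "dc01", "cmd": "wevtutil cl Security"},
    {"host": "ws07", "cmd": r"net use Z: \\fs01\share"},  # benign: must not match any rule
]

# (tactic, technique id from the page's ATT&CK table or a plain description, command-line pattern)
RULES = [
    ("Impact", "T1490 shadow copy deletion", re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("Impact", "T1490 shadow copy deletion via WMI", re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("Defense Evasion", "symlink evaluation changed with fsutil", re.compile(r"\bfsutil\b.*\bsymlinkevaluation\b", re.I)),
    ("Defense Evasion", "T1070 event log cleared", re.compile(r"\bwevtutil\b\s+cl\b", re.I)),
    ("Privilege Escalation", "T1098 local Administrators group change", re.compile(r"\bnet1?\b.*\blocalgroup\b.*\badministrators\b.*/add", re.I)),
    ("Persistence", "T1547.001 Run key added", re.compile(r"\breg\b\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
]

# README-RECOVER.txt or README-RECOVER-<company_id>.txt, as described in the Impact section.
RANSOM_NOTE = re.compile(r"^README-RECOVER(-[A-Za-z0-9]+)?\.txt$", re.I)


def match_events(events):
    """Return one (host, tactic, technique, cmd) tuple per rule hit."""
    return [(ev["host"], tactic, tech, ev["cmd"])
            for ev in events for tactic, tech, rx in RULES if rx.search(ev["cmd"])]


def tactics_by_host(hits):
    """Group hits per host: several tactics on one host is the stronger signal."""
    out = {}
    for host, tactic, _tech, _cmd in hits:
        out.setdefault(host, set()).add(tactic)
    return out


def is_ransom_note(filename):
    """True when a newly created file name matches the Qilin ransom note pattern."""
    return bool(RANSOM_NOTE.match(filename))


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for host, tactic, tech, cmd in hits:
        print(f"{host:5} {tactic:20} {tech:42} {cmd}")
    print(tactics_by_host(hits))
```

Rules keyed on command lines are cheap to evade by renaming binaries, so treat them as one layer alongside the account and audit-log telemetry in the guidance below.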

MITRE ATT&CK

Tactic: Techniques

Initial Access: Phishing (T1566), Valid Accounts (T1078), External Remote Services (T1133)
Execution: Windows Command Shell (T1059.003), PowerShell (T1059.001)
Persistence: Scheduled Task/Job (T1053), Registry Run Keys / Startup Folder (T1547.001), Create Account (T1136), Modify Registry (T1112)
Privilege Escalation: Access Token Manipulation (T1134), Account Manipulation (T1098), Abuse Elevation Control Mechanism (T1548)
Defense Evasion: Indicator Removal (T1070), Windows File and Directory Permissions Modification (T1222.001), Modify Registry (T1112), Disable or Modify Tools (T1562.001)
Credential Access: Credentials from Password Stores (T1555), OS Credential Dumping (T1003)
Discovery: System Information Discovery (T1082), Network Service Discovery (T1046), Domain Trust Discovery (T1482), Remote System Discovery (T1018)
Lateral Movement: SMB/Windows Admin Shares (T1021.002), RDP (T1021.001), SSH (T1021.004)
Collection: Archive via Utility (T1560.001)
Command and Control: Remote Desktop Software (T1219.002), Multi-hop Proxy (T1090.003)
Exfiltration: Exfiltration to Cloud Storage (T1567.002), Exfiltration Over Alternative Protocol (T1048)
Impact: Inhibit System Recovery (T1490), Data Encrypted for Impact (T1486)


Defender’s guidance and best practices

As Qilin continues to expand its operations, organisations must take a proactive and layered approach to defence. Modern ransomware campaigns combine social engineering, credential abuse, lateral movement and data exfiltration to maximise impact. The following best practices help strengthen resilience:

  • conduct regular security awareness training focused on phishing and social engineering techniques. Establish a clear reporting process so suspected incidents can be escalated quickly
  • keep systems, applications and infrastructure up to date with timely patching. Enforce strong password policies aligned with modern standards and require multi-factor authentication (MFA), particularly for remote access and privileged accounts
  • monitor for unauthorised account creation, privilege escalation and unexpected modifications to administrative groups
  • combine endpoint protection, SIEM monitoring, network segmentation, identity controls and email/web filtering to detect and prevent attacks at multiple stages
  • maintain a documented and tested incident response plan. Conduct regular tabletop exercises to validate readiness and improve coordination
  • follow the 3-2-1 backup strategy and maintain at least one offline or immutable backup to prevent ransomware from encrypting recovery data
  • ensure comprehensive logging is centralised in your SIEM and deploy network detection capabilities to identify command-and-control activity and lateral movement
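The third bullet above (monitor for unauthorised account creation, privilege escalation and changes to administrative groups) maps directly onto the backdoor-admin-account behaviour described in the Persistence and Privilege Escalation sections. The following added example (not code from the original post or from Guardsix) correlates Windows Security audit events 4720, 4732 and 1102 over constructed sample records; hosts, accounts and timestamps are made up, and the 30-minute window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed Windows Security audit records (hypothetical sample data, made-up hosts and
# accounts). Event IDs: 4720 = user account created, 4732 = member added to a
# security-enabled local group, 1102 = the Security audit log was cleared.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2026-02-20T01:12:03", "host": "ws07", "subject": "CORP\\jdoe",
     "target": "svc_backup", "group": None},
    {"id": 4732, "time": "2026-02-20T01:12:41", "host": "ws07", "subject": "CORP\\jdoe",
     "target": "svc_backup", "group": "Administrators"},
    {"id": 1102, "time": "2026-02-20T01:30:09", "host": "ws07", "subject": "CORP\\jdoe",
     "target": None, "group": None},
    # Routine onboarding on another host: the same two events, but hours apart.
    {"id": 4720, "time": "2026-02-20T09:00:00", "host": "hr02", "subject": "CORP\\helpdesk",
     "target": "new.hire", "group": None},
    {"id": 4732, "time": "2026-02-20T12:30:00", "host": "hr02", "subject": "CORP\\helpdesk",
     "target": "new.hire", "group": "Administrators"},
]

WINDOW = timedelta(minutes=30)   # assumed: creation-to-admin gap that counts as suspicious


def detect_backdoor_admins(events, window=WINDOW):
    """Flag accounts created (4720) and added to Administrators (4732) on the same host
    within `window`; raise severity if that host's Security log is cleared later (1102)."""
    created = {}            # (host, account) -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["target"])
        if ev["id"] == 4720:
            created[key] = t
        elif ev["id"] == 4732 and ev["group"] == "Administrators" and key in created:
            gap = t - created[key]
            if gap <= window:
                alerts.append({"host": ev["host"], "account": ev["target"], "by": ev["subject"],
                               "severity": "medium",
                               "detail": f"created and made local admin within {int(gap.total_seconds())}s"})
        elif ev["id"] == 1102:
            # Log clearing after a suspicious account change is the Defense Evasion step above.
            for a in alerts:
                if a["host"] == ev["host"]:
                    a["severity"] = "high"
                    a["detail"] += "; Security log cleared afterwards"
    return alerts


if __name__ == "__main__":
    for alert in detect_backdoor_admins(SAMPLE_EVENTS):
        print(alert)
```

Because 1102 is written to the Security log itself, this correlation only works when events are forwarded to the SIEM as they occur, which is the point of the centralised-logging bullet above.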

By combining people-focused awareness with strong technical controls and operational preparedness, organisations can significantly reduce the likelihood and impact of ransomware incidents like Qilin.

All new detection rules are available as part of Guardsix’s latest release, as well as through our Servicedesk.
