Guardsix Blog | Cybersecurity Research & Threat Intelligence

Qilin (formerly Agenda): From emergence to global ransomware dominance

Written by Nischal Khadgi | May 15, 2026 8:29:20 AM

Tactics | Techniques
--- | ---
Initial Access | Phishing (T1566), Valid Accounts (T1078), External Remote Services (T1133)
Execution | Windows Command Shell (T1059.003), PowerShell (T1059.001)
Persistence | Scheduled Task/Job (T1053), Registry Run Keys / Startup Folder (T1547.001), Create Account (T1136), Modify Registry (T1112)
Privilege Escalation | Access Token Manipulation (T1134), Account Manipulation (T1098), Abuse Elevation Control Mechanism (T1548)
Defense Evasion | Indicator Removal (T1070), Windows File and Directory Permissions Modification (T1222.001), Modify Registry (T1112), Disable or Modify Tools (T1562.001)
Credential Access | Credentials from Password Stores (T1555), OS Credential Dumping (T1003)
Discovery | System Information Discovery (T1082), Network Service Discovery (T1046), Domain Trust Discovery (T1482), Remote System Discovery (T1018)
Lateral Movement | SMB/Windows Admin Shares (T1021.002), RDP (T1021.001), SSH (T1021.004)
Collection | Archive via Utility (T1560.001)
Command and Control | Remote Desktop Software (T1219.002), Multi-hop Proxy (T1090.003)
Exfiltration | Exfiltration to Cloud Storage (T1567.002), Exfiltration Over Alternative Protocol (T1048)
Impact | Inhibit System Recovery (T1490), Data Encrypted for Impact (T1486)

Defender’s guidance and best practices

As Qilin continues to expand its operations, organisations must take a proactive and layered approach to defence. Modern ransomware campaigns combine social engineering, credential abuse, lateral movement and data exfiltration to maximise impact. The following best practices help strengthen resilience:

  • conduct regular security awareness training focused on phishing and social engineering techniques. Establish a clear reporting process so suspected incidents can be escalated quickly
  • keep systems, applications and infrastructure up to date with timely patching. Enforce strong password policies aligned with modern standards and require multi-factor authentication (MFA), particularly for remote access and privileged accounts
  • monitor for unauthorised account creation, privilege escalation and unexpected modifications to administrative groups
  • combine endpoint protection, SIEM monitoring, network segmentation, identity controls and email/web filtering to detect and prevent attacks at multiple stages
  • maintain a documented and tested incident response plan. Conduct regular tabletop exercises to validate readiness and improve coordination
  • follow the 3-2-1 backup strategy and maintain at least one offline or immutable backup to prevent ransomware from encrypting recovery data
  • ensure comprehensive logging is centralised in your SIEM and deploy network detection capabilities to identify command-and-control activity and lateral movement

By combining people-focused awareness with strong technical controls and operational preparedness, organisations can significantly reduce the likelihood and impact of ransomware incidents like Qilin.
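The guidance above asks defenders to monitor for unauthorised account creation and changes to administrative groups, which map to Create Account (T1136) and Account Manipulation (T1098) in the table. The following is an added illustration, not code from Guardsix or from the post: a small correlation over constructed Windows Security events (4720 account created, 4728/4732 member added to a group) that flags creations by principals outside an assumed allow-list, new accounts placed in a privileged group shortly after creation, and accounts adding themselves to such a group. The allow-list, group names and sample events are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not from the post); in practice
# these come from the SIEM. 4720 = user account created,
# 4728 / 4732 = member added to a security-enabled global / local group.
SAMPLE_EVENTS = [
    {"ts": "2026-05-01T02:13:05", "id": 4720, "subject": "CORP\\svc-backup", "target": "CORP\\helpdesk2", "group": None},
    {"ts": "2026-05-01T02:13:41", "id": 4732, "subject": "CORP\\svc-backup", "target": "CORP\\helpdesk2", "group": "Administrators"},
    {"ts": "2026-05-01T09:30:00", "id": 4720, "subject": "CORP\\hr-admin", "target": "CORP\\jdoe", "group": None},
    {"ts": "2026-05-01T09:31:10", "id": 4732, "subject": "CORP\\hr-admin", "target": "CORP\\jdoe", "group": "Sales"},
    {"ts": "2026-05-01T11:00:00", "id": 4728, "subject": "CORP\\svc-backup", "target": "CORP\\svc-backup", "group": "Domain Admins"},
]

# Groups whose membership grants administrative or remote-access rights (assumed set).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Remote Desktop Users"}
# Principals authorised to provision accounts (assumed, site-specific allow-list).
ALLOWED_PROVISIONERS = {"CORP\\hr-admin"}


def detect_account_abuse(events, window=timedelta(minutes=30)):
    """Return (technique, actor, description) alerts for account creation by an
    unauthorised principal (T1136) and privileged-group manipulation (T1098)."""
    alerts = []
    created = {}  # target account -> creation time, used to correlate 4720 with later group adds
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 4720:
            created[e["target"]] = ts
            if e["subject"] not in ALLOWED_PROVISIONERS:
                alerts.append(("T1136", e["subject"], f"created account {e['target']}"))
        elif e["id"] in (4728, 4732) and e["group"] in PRIVILEGED_GROUPS:
            if e["subject"] == e["target"]:
                alerts.append(("T1098", e["subject"], f"added self to {e['group']}"))
            elif e["target"] in created and ts - created[e["target"]] <= window:
                alerts.append(("T1098", e["subject"],
                               f"new account {e['target']} added to {e['group']} within {window}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_account_abuse(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the allow-listed provisioning of jdoe into a non-privileged group produces nothing, while the three svc-backup actions each raise an alert.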

**All new detection rules are available as part of Guardsix’s latest release, as well as through our Servicedesk.