Qilin (also known as Agenda) is a ransomware-as-a-service (RaaS) operation active since at least 2022, used in financially motivated double-extortion campaigns that combine system encryption with data theft. The ransomware has been observed in multiple implementations, including builds written in Go and Rust, enabling deployment across different operating systems and enterprise environments rather than a single, fixed intrusion scenario.
Timeline overview
2022: initial emergence and early naming
The ransomware operation known as Qilin was first observed in July 2022 under the name “Agenda.” The names “Agenda” and “Qilin” refer to the same ransomware ecosystem rather than separate or unrelated groups.
2023: RaaS-scale activity and repeat deployments
By 2023, Qilin activity reflected RaaS-scale use, with deployment patterns consistent with repeated campaigns conducted through a shared operational framework rather than isolated incidents.
In December 2023, a Linux variant targeting VMware ESXi was identified, expanding the operation’s relevance beyond Windows endpoints into virtualized and server-side infrastructure.
2024-2025: sustained activity and increased visibility
Across 2024 and into 2025, Qilin remained active with recurring incidents across different environments. The June 2024 Synnovis incident brought wider attention to the operation after causing significant disruption to pathology services supporting major London hospitals in the UK.
RaaS structure and affiliate model
Qilin follows a service-oriented model in which a centralized team maintains ransomware tooling and supporting infrastructure, while affiliates conduct intrusions and deployment.
The core operation provides the components required to run extortion campaigns consistently across victims. This typically includes maintained ransomware payloads, backend infrastructure for communication with victims, and channels used for negotiation and coordinated data publication.
Affiliates control execution after they gain initial access. They determine how initial access is achieved, how long they remain in the environment prior to encryption, and which systems are prioritized for impact. The model uses revenue sharing: affiliates typically retain a substantial portion of ransom payments, with a smaller share remitted to the core operators in exchange for access to the platform and infrastructure.
Victimology and targeting patterns
Industries and organization types
Qilin-related activity reflects an opportunistic targeting model shaped by affiliate-level decision-making. Victim selection is driven primarily by access availability and perceived extortion potential rather than by centrally defined industry priorities.
Observed victims span a wide range of sectors. Observed activity has included manufacturing, professional and legal services, and financial services, alongside cases across healthcare, education, technology, industrial organizations, and the public sector. This distribution indicates no sustained focus on a single industry vertical.
Geographic distribution and regional scope
Observed Qilin incidents show activity across multiple geographic regions rather than concentration in a single country or market. Victims include organizations based in North America and Europe, with additional cases reported in other regions. Overall, available data indicate geographically dispersed activity over time, without a stable regional focus.
Some affiliate-facing rules associated with Qilin have included restrictions against targeting organizations in Commonwealth of Independent States (CIS) countries, and recruitment activity has appeared in Russian-language cybercriminal forums. These are considered operational signals and, on their own, do not establish attribution.
Intrusion lifecycle and attack chain
Initial access methods
Initial access is commonly established through phishing or spear-phishing and through exposure of remote access services (for example, RDP and VPN). Access is frequently enabled by compromised credentials obtained through credential theft or acquired via underground markets, allowing attackers to authenticate via otherwise legitimate access paths.
Post-compromise activity and deployment
After entry, attackers expand control by escalating privileges, enumerating the environment, and moving laterally to systems that enable broad operational impact (such as management servers, backup infrastructure, and virtualization hosts). Execution and lateral movement are commonly performed using existing administrative access and built-in management capabilities. Operators may also maintain interactive access to compromised environments to stage ransomware deployment across multiple systems.
Data theft and operational impact
Data theft is used as leverage ahead of encryption: sensitive files are collected and transferred out to increase pressure during extortion. The final stage is coordinated encryption across multiple hosts, producing immediate operational disruption. Recovery is further constrained when attackers remove accessible restore options, including deleting Volume Shadow Copies.
Technical profile of Qilin encryptors
Supported platforms
Qilin ransomware supports multiple operating systems, including Windows and Linux, and has also been deployed against virtualized infrastructure such as VMware ESXi. This enables affiliates to target both endpoint systems and core server environments within mixed enterprise networks.
Implementation languages and variants
Early Qilin builds were implemented in Go, providing cross-platform compatibility. By late 2022, a Rust-based variant was observed alongside existing Go versions. Both Go- and Rust-based variants have been observed over time.
Encryption schemes and configuration options
Qilin encryptors support modern cryptographic schemes, typically combining symmetric encryption (such as AES-256 or ChaCha20) with asymmetric key protection. The malware allows configurable encryption behavior, including selective file targeting and multiple operator-controlled encryption modes, allowing affiliates to balance speed and impact during deployment.
Encrypted files are often renamed by appending modified file extensions or identifiers, allowing the encrypted data to be linked with specific incidents.
Notable technical characteristics
Qilin encryptors are designed to limit recovery by interfering with backup and restoration mechanisms. Some variants also terminate selected services prior to encryption to ensure consistent file access across active systems.
Evasion techniques and living-off-the-land abuse
Abuse of legitimate administrative and remote management tools
Qilin intrusions commonly rely on built-in administration mechanisms and widely used remote-access tooling to reduce obvious “malware-like” noise. Instead of introducing many custom binaries, operators often execute commands and distribute payloads through standard remote execution and management paths, blending into activity that can resemble legitimate IT operations.
In environments where remote management is already present, attackers can also leverage remote monitoring and management (RMM) or remote-access utilities as an operational layer for deployment and control. This approach shifts detection from simple signature-based blocking to behavior and context: who initiated remote execution, from where, and to which systems.
BYOVD and defense evasion
One observed defense-evasion technique associated with Qilin activity is the use of vulnerable, legitimately signed drivers (BYOVD). The goal is practical: reduce or neutralize endpoint monitoring and protection so ransomware deployment and pre-encryption activity face less resistance.
This technique is operationally attractive because it shifts security suppression into driver-level abuse, which many environments treat differently than user-mode activity. In practice, it raises the bar for defenders: driver loading, unusual driver provenance, and unexpected kernel-level activity become important signals.
Non-standard execution paths and hybrid tooling
Qilin has also been associated with execution approaches that break common defensive assumptions, including non-standard execution paths in mixed environments. In some campaigns, legitimate file-transfer and remote-control tools are used to stage and execute a Linux ransomware binary in Windows-heavy networks rather than deploying a typical Windows encryptor.
Such activity may include auxiliary components that complicate tracing and containment, such as proxying mechanisms that obscure operator traffic. Separately from encryption itself, activity targeting backup infrastructure and backup credentials can serve as a “recovery denial” layer, reducing the victim’s ability to restore systems cleanly even if encryption is detected and halted mid-flight.
Data leak site and extortion operations
Qilin ransomware uses a dedicated leak site to support its extortion strategy. After stealing sensitive information from a compromised environment, operators or affiliates post the names of affected organizations and samples of stolen data on a Tor-accessible leak portal if ransom demands are not met. This public disclosure mechanism amplifies pressure on victims by demonstrating proof of exfiltration and signaling the threat of further publication.
Victims receive ransom notes directing them to unique negotiation portals tied to their incident. Communication and ransom demands are conducted through these anonymized channels, with payment requested in cryptocurrency. While specifics can vary by affiliate, the core process combines the threat of data publication with encryption to encourage ransom payment.
Indicators of compromise and detection strategies
Behavioral indicators
Qilin intrusions are usually detected more reliably through correlated behavior (identity + endpoint + network) rather than static indicators that change across incidents. The strongest early signals are anomalous remote access and credential use (VPN/RDP/SSH logins from unusual locations, devices, or hours), followed by rapid administrative authentication across multiple internal systems.
On endpoints, prioritize unusual remote execution from non-management hosts and first-time or abnormal use of administrative utilities (for example, PsExec, WMI/WinRM, PowerShell, or SSH). The appearance of post-exploitation tooling (including Cobalt Strike-style frameworks) or unauthorized remote-access/RMM tools (such as AnyDesk, ScreenConnect, or Splashtop) outside established IT workflows should be treated as a high-risk escalation. A separate red flag is a non-standard execution context on Windows, including Linux binaries or Linux execution paths paired with staging behavior (for example, WinSCP and proxying).
Pre-impact escalation signals
As intrusions progress toward impact, telemetry may show recovery suppression and staging. High-priority indicators include unexpected interaction with backup infrastructure, deletion of Volume Shadow Copies, and coordinated service or process termination to unlock files and maximize encryption coverage. Network-side signals can include new outbound flows from systems that rarely initiate external traffic, proxying (including SOCKS-style), and periodic beaconing, especially when they align with identity anomalies and lateral execution.
Another high-risk pattern is a short execution chain that transitions from legitimate administrative activity into encryption staging. This may include remote execution or service deployment initiated by privileged tools, followed shortly by the appearance of a new, previously unseen binary or task running across multiple hosts. When such transitions occur in parallel with backup access or recovery suppression, they strongly indicate imminent ransomware deployment rather than routine administration.
Logging and telemetry considerations
Assume late-stage on-host evidence may be incomplete. Stream logs off-host in advance: Windows Security logs and endpoint telemetry (process creation, script execution, service creation, remote execution events), plus VPN/RDP/IdP authentication logs, into a SIEM. On Linux and virtualization platforms, export audit and system logs. Detection should focus on deviations from normal administration patterns: who ran what, from where, and what systems were touched next.
Prevention and hardening measures
Reduce initial access exposure
Qilin intrusions have repeatedly started from exposed or weakly protected remote access and from credential compromise. Reduce the reachable surface area and tighten who can authenticate to it.
- Put all remote access behind MFA and conditional access where possible, and remove direct internet exposure for RDP and similar services (use VPN/ZTNA with strong controls instead).
- Enforce strong credential hygiene for privileged accounts: unique passwords, no shared admins, separate admin identities, and rapid disablement of stale accounts.
- Treat RMM and remote-control tooling as high-risk entry points: restrict to allowlisted devices, lock enrollment, and require explicit approvals for new agent deployments.
Make lateral movement harder
Qilin operators and affiliates often lean on legitimate admin workflows and remote execution paths. The goal is not to “block administration,” but to make admin activity attributable, constrained, and hard to abuse at scale.
- Segment the network so that a compromised workstation cannot automatically access domain controllers, backup servers, or virtualization management planes.
- Restrict remote admin protocols to management subnets only, and require privileged access workstations or jump hosts for administrative operations.
- Reduce credential reuse and credential exposure: disable cached admin credentials where feasible, harden LSASS protections, and limit where privileged accounts can log on interactively.
Harden ESXi and mixed-OS environments
Qilin has had Linux and ESXi-relevant deployments, and enterprise environments that mix Windows management with Linux/ESXi infrastructure need explicit guardrails.
- Separate ESXi hosts and vCenter management networks from general user networks, and restrict administrative access paths with tight firewall rules.
- Enforce least privilege and MFA on virtualization management, rotate credentials, and disable unnecessary services/interfaces to reduce the attack surface.
Protect recovery paths before you need them
Qilin campaigns have included actions aimed at limiting recovery (including shadow copy removal and pressure around restoring services). The most reliable counterweight is a recovery design that the attacker cannot reach.
- Maintain immutable or offline backups and isolate backup infrastructure from normal admin domains; use separate credentials and network segments for backup management.
- Regularly test restore scenarios for tier-0 systems (identity, backups, virtualization management) and define a “minimum viable restore” path so recovery does not depend on compromised tooling.
Reduce the impact of BYOVD-style defense suppression
BYOVD-style signed-driver abuse represents a relevant enterprise risk in Qilin-related intrusions.
- Enable driver and kernel-mode protections where available (e.g., memory integrity / HVCI), and monitor for unexpected driver loads, especially outside standard endpoint baselines.
- Tighten application control for admin tooling and security tooling tampering: allowlist known-good drivers and block known vulnerable drivers where your platform supports it.
Patch and reduce execution freedom
Even when initial access is credential-based, post-compromise tooling relies on being able to execute freely and persist.
- Keep patching consistent and timely for edge services and management tooling, and remove unused software that expands execution paths.
- Use application control (allowlisting) and restrict script execution to signed/approved contexts in high-value zones, especially where admin workflows run.
Defensive framing for Qilin-style intrusions
Defending against Qilin-style intrusions is less about catching a specific payload and more about limiting what valid credentials and trusted admin workflows can do inside the environment. These campaigns often succeed when identity controls are weak, segmentation is shallow, and recovery paths are reachable from the same administrative plane.
Treat identity, backups, and virtualization management as tier-0 assets. Constrain administrative access to controlled paths (jump hosts/PAWs), enforce least privilege, and make privileged activity attributable and monitored. The practical goal is to force attackers into noisier behavior that can be contained through coordinated incident handling and investigation support, including digital forensics and incident response (DFIR) services.
Recovery design matters as much as prevention. Isolate backup infrastructure, separate credentials, and maintain restore procedures that do not depend on potentially compromised tooling. If encryption occurs, rapid containment and engagement of ransomware data recovery experts can reduce operational impact by preserving evidence, enabling controlled restoration, and preventing further spread.
