Analysis Summary

Qilin ransomware, formerly known as Agenda, is a Russian-speaking ransomware-as-a-service (RaaS) operation that emerged in July 2022. Known for its high adaptability, Qilin enables affiliates to customize attacks, targeting both Windows and Linux/ESXi systems. It employs double extortion tactics, encrypting files and exfiltrating data to pressure victims into paying ransoms. Initial access is typically achieved through phishing emails, exploitation of known vulnerabilities, or compromised RDP and VPN credentials. Qilin uses various evasion methods, including disabling event logs and booting systems into Safe Mode to bypass security tools.

In 2024–2025, Qilin launched several major campaigns, including a high-impact ransomware attack on Synnovis, a UK-based healthcare provider, affecting NHS hospitals and compromising up to 300 million patient records. It has also targeted municipal systems in the U.S. and educational institutions, with victims across healthcare, manufacturing, education, government, critical infrastructure, and technology sectors. Countries affected by Qilin include the United Kingdom, United States, France, Brazil, Germany, Japan, Australia, and the UAE. Although sophisticated, Qilin is not attributed to any nation-state APT group and is classified as a financially motivated cybercrime group, making it a growing global threat to essential services and critical infrastructure.