Qilin Ransomware: Analysis, Impact and Defense (2025)

In Q2 2025, Qilin ransomware 2025 incidents accounted for nearly a quarter of all reported ransomware attacks on U.S. state and local governments. This surge, combined with high-profile events like the Synnovis NHS attack, has put Qilin in the spotlight. The group’s operators employ double extortion ransomware tactics, not only encrypting data but also stealing and threatening to leak it, which amplifies pressure on victims to pay. With ransom demands sometimes reaching tens of millions of dollars and victims across multiple sectors, Qilin has quickly gained global notoriety in the cybersecurity community.

Qilin was first observed in 2022, originally operating under the name Agenda ransomware. Later that year, the malware rebranded as Qilin and was upgraded – shifting from its Golang codebase to a more efficient Rust-based variant that could target both Windows and Linux systems. Since then, Qilin has matured into a fully-fledged RaaS operation.

Under the Qilin RaaS model, the core ransomware operator provides the malware, infrastructure, and support tools while recruited affiliates carry out the attacks. Affiliates typically keep 80–85% of any ransom payments, with the remaining 15–20% going to Qilin’s operators as commission.

This affiliate driven business model has fueled the growth of Qilin’s activities.

Dozens of Qilin ransomware operations have been recorded worldwide since 2022, impacting organizations in healthcare, government, education, and other sectors. With its aggressive tactics and large ransoms, Qilin has made a substantial impact, disrupting critical services and exposing sensitive data, and now ranks among the most disruptive ransomware threats of recent years.

Qilin’s attack chain follows a familiar ransomware playbook:

Initial intrusion often begins with social engineering or exploitation of network vulnerabilities. Many incidents start with phishing emails (sometimes spear-phishing) to trick employees, or by exploiting exposed applications and interfaces like unpatched VPN gateways, Citrix servers, or insecure RDP endpoints.

Once inside, the attackers escalate privileges and move laterally across the network. They use legitimate admin tools and frameworks (for example, deploying Cobalt Strike beacons) to maintain access and map out the environment. The ransomware is then executed to encrypt files on as many systems as possible. Qilin’s malware (a rebranded version of Agenda) is highly configurable: affiliates can choose which processes to kill and even set custom extensions of encrypted files.

Before launching encryption, Qilin operators quietly exfiltrate large volumes of sensitive data – part of a double extortion strategy to maximize leverage. After locking the files and leaving ransom notes, they threaten to publish or sell the stolen data if the ransom isn’t paid.

A Qilin TTPs MITRE ATT&CK mapping shows that the group’s tactics span all stages of an attack, from initial access via phishing to credential theft, lateral movement, data exfiltration, and destructive cleanup.

One of Qilin’s most notorious incidents was the Synnovis NHS attack in London.

A ransomware strike on Synnovis (an NHS pathology services provider) on June 3, 2024, crippled medical diagnostic services across multiple hospitals. Qilin’s malware infection halted ~90% of blood testing capacity and forced over 1,100 surgeries and 2,000 outpatient appointments to be canceled within the first two weeks.

The attackers demanded a huge $50 million ransom, which the victim refused to pay.

In retaliation, the Qilin group followed its double extortion playbook: they had already exfiltrated 400 GB of sensitive data (including records from 300 million patient interactions) and proceeded to leak this data on their dark web site when the deadline passed. The consequences were dire – reports indicate the disruption contributed to 170 cases of patient harm and at least one patient’s death.

Qilin sets itself apart from many ransomware groups through its extensive feature set and unorthodox extortion tactics.

The gang operates like a business service provider, equipping affiliates with special tools to maximize success. For instance, Qilin introduced a “Call Lawyer” button in its affiliate panel – a unique legal support ransomware feature that summons a (purported) lawyer into negotiations. The mere appearance of legal counsel is meant to intimidate victims by raising the specter of regulatory and legal troubles, thereby upping the pressure to pay.

Qilin’s platform also integrates other aggressive methods: affiliates can launch DDoS attacks on victim websites, employ “in-house” journalists to write shame posts on leak sites, and even use an automated negotiation chatbot, all from within the panel. Additionally, the group continually updates its malware (adding faster encryption methods, new evasion tricks, etc.) to stay ahead of security defenses.

Qilin’s affiliates have struck a wide range of victims. The group has attacked hospitals and lab services, city and county governments, educational institutions, manufacturing firms, and other businesses. Essentially, any organization with sensitive data or a low tolerance for downtime could be a target. These threat actors tend to seek out mid-sized to large entities that might pay substantial ransoms.

Healthcare providers are a notable focus (given their need for uninterrupted operations and valuable patient data), but the threat isn’t limited to the health sector. Government agencies, schools, and private companies around the world have all suffered Qilin ransomware attacks.

Below are 5 strategies that can be used to mitigate Qilin ransomware:

1. Strengthen Authentication & Access Controls

Enforce multi-factor authentication (MFA) on all remote logins and admin accounts. Require strong, unique passwords and disable or strictly limit services like RDP and VPN access to only what’s necessary. This helps prevent abuse of stolen credentials and reduces exposure of vulnerable interfaces.

2. Educate and Test Employees

A lot of Qilin breaches start with phishing. Train staff to recognize suspicious phishing emails and attachments and conduct regular phishing simulation tests. An alert employee can stop an attack at the earliest stage.

3. Keep Systems Patched & Reduce Attack Surface

Apply security updates promptly to operating systems and software (especially for any internet-facing applications such as Citrix or VPN appliances). Disable or firewall off unused ports and services to eliminate easy entry points that Qilin affiliates might exploit.

4. Maintain Backups & Incident Response Plans

Perform backups of data and store backups offline or in secure, segmented networks. Test your backups to ensure you can restore systems in an emergency. While backups won’t stop a data leak, they can enable recovery without paying a ransom. Additionally, have a clear incident response plan: know how to isolate infected machines, who to contact (cyber insurers, law enforcement, forensic experts), and how to communicate during a ransomware crisis.

5. Network Segmentation & Monitoring

Divide your network into segregated zones so that a compromise of one system doesn’t give attackers free reign over everything. Monitor network and endpoint activity for red flags. For example, use EDR (endpoint detection & response) tools to catch behavior linked to Qilin’s tactics (like use of Cobalt Strike or unusual admin tool usage). You can also review logs and alerts for any signs of intrusion.

Qilin’s story is a cautionary tale about the evolution of ransomware.

Ransomware groups in 2025 operate like enterprises, providing RaaS platforms, affiliate panels, and even customer support. They pair technical innovation (cross-platform malware, built-in propagation) with extortion techniques (data leaks, DDoS, legal threats) to maximize leverage.

The evolution from Agenda to Qilin shows us how quickly attackers adapt and rebrand. Unfortunately, Qilin ransomware reminds us that ransomware is no longer just an IT issue, but a serious business risk.

Learn how BlackFog ADX prevents data loss and neutralizes ransomware threats.

Explore BlackFog ADX.