
Qilin ransomware is growing, but how long will it last?
Introduction to Qilin ransomware
Qilin is a ransomware-as-a-service (RaaS) operation that is thought to be based out of Russia or other former Soviet states. It has affiliates worldwide and has become a significant global threat.
A "Qilin" is a mythical creature deeply rooted in Chinese, Korean, Japanese, and Vietnamese cultures, most often associated with peace, prosperity, justice, and protection. This is a great branding choice for a threat group because the visual is a cool dragon-like creature, and ransomware affiliates can consider themselves the embodiment of any of those characteristics. If you’re a ransomware criminal, there’s really no downside to saying you act on behalf of peace and justice, or that you’re a powerful punisher.

Figure of Qilin (Kylin, Kirin) on the roof of a temple in China
This branding doesn’t change the fact that Qilin operators and affiliates just want your money. They’ve claimed differently in at least one attack, but we’ll come back to that later.
Qilin’s origin story
Researchers observed the Qilin operation as early as July 2022, when a threat actor with the username ‘Qilin’ advertised ‘Agenda’ ransomware on the RAMP and XSS hacking forums. Threat actor Qilin published several alleged victims to the Agenda ransomware data leak site until September 2022, when the Agenda operation was rebranded as Qilin.
This name change coincided with the release of a new Rust-based variant of the ransomware. The new version offered technical improvements in efficiency, stealth and detection evasion over the original Golang binary. By February 2023, Qilin was fully operational as a RaaS operation that offered cross-platform ransomware binaries and supported both encryption and data exfiltration.
Today Qilin is best known for aggressive attacks, high ransoms and rapid growth.
Like many other groups, the precise location of the core group of Qilin operators is unconfirmed. The evidence points to a home base in Russia or one of the countries in the Commonwealth of Independent States (CIS). Qilin appears to be operating among the Eastern European cybercriminal networks:
- Language kill switch: Qilin ransomware often includes code that prevents execution on systems with Russian or other Eastern European languages. This is meant to prevent the ransomware from being executed in their home regions.
- Operational hours: Analysis of attack timings sometimes aligns with Eastern European work hours.
- Affiliate recruitment: Qilin and its affiliates operate primarily in forums that use the Russian language or have a large Russian or post-Soviet presence.
We should note that the designation “Eastern European cybercriminal networks” is not a cybersecurity industry term. It is often used by law enforcement and researchers to distinguish cybercriminal activity with origins or primary operations in the Eastern European region.
There is no evidence that Qilin is officially linked with any nation-state operations. It’s more likely that Qilin enjoys a “state-tolerated” status, wherever it is based. And despite the branding and the brief Moonstone Sleet activity, there is no evidence linking Qilin to China or other Asian states. The core operators of the group remain unknown or undisclosed to the public, though they are believed to be experienced ‘Russian-speaking’ RaaS operators and threat developers.
Qilin and pals
Qilin is primarily known as a rebrand of Agenda, and there is no evidence of another rebrand or offshoot in Qilin’s family tree. There are some code similarities between Qilin and Black Basta, BlackMatter and REvil, but not enough to establish a link between them. These similarities have been attributed to threat actors sharing development resources, moving from one group to another, or learning from another’s successful attacks.
Although there are no direct links established with other groups, Qilin has taken advantage of the disruption of operations like RansomHub and LockBit. Qilin activity surged when RansomHub was allegedly taken over by the DragonForce Ransomware Cartel. Affiliates went to Qilin, and Qilin became the most active ransomware threat in June 2025. LockBit affiliates scattered after the Operation Cronos disruption, leaving the operational but greatly reduced LockBit RaaS to go on without them. Qilin was able to recruit experienced affiliates from this group as well.
Affiliate migrations like this are not new and not unique to Qilin. Qilin just happened to do a good job executing a good recruitment strategy. The operators actively advertised on forums like RAMP and XSS, leaning into their technical advantages, customizable attacks, and generous payments to affiliates. The group recently made headlines when they advertised a new “Call Lawyer” feature for affiliates.
“A new feature has been added to our panel: legal assistance.
If you need legal consultation regarding your target, simply click the “Call lawyer” button located within the target interface, and our legal team will contact you privately to provide qualified legal support.
The mere appearance of a lawyer in the chat can exert indirect pressure on the company and increase the ransom amount, as companies want to avoid legal proceedings.” (Translation of Qilin forum post, via Security Affairs)
Qilin has updated its program and capabilities regularly. Throughout 2025, it has added spam campaigns, DDoS attack capabilities, automated network propagation, and automated ransom negotiation from within the affiliate panel. The group also offers data storage, making it possible for some affiliates to avoid other cloud storage services.
Qilin also provides “in-house journalists” to assist affiliates with “blog posts and also assist with pressure during negotiations.”
Some of these features are designed to make things easier for affiliates, some are meant to increase pressure on the victims. Qilin hasn’t stopped there. It continues to develop advanced payload variants that make the binaries more efficient and harder to detect. The aggressive recruitment and ongoing improvements have made Qilin an attractive platform for ransomware affiliates. The result of these efforts is a network of Qilin affiliates that operate from countries around the world.
One of those global affiliates is the notorious Scattered Spider, a threat group that will collaborate with anyone if the money is right. The group has been linked to ALPHV/BlackCat, RansomHub, DragonForce, ShinyHunters, Karakurt, and many more. The social engineering expertise of Scattered Spider is one of many factors driving Qilin’s dominance in the ransomware landscape. Scattered Spider is believed to be based in the United States and the United Kingdom.
What motivates Qilin?
This is easy, but interesting to explore. Money is what motivates Qilin. Money and self-preservation.
In nearly every strategic move, Qilin’s motives appear to be financial. The group is continually improving its abilities to maximize profit from ransomware attacks and data extortion. All of the capabilities they so proudly announce on the forums are designed to increase the amount of ransom collected. There is no evidence that Qilin is aligned with any ideology, and there is no political messaging to be found on Qilin’s data leak site or in other communications. Qilin has never claimed to be interested in anything but money, except for one unfortunate attack in 2024.
In February 2024, Qilin affiliates gained access to Synnovis, a pathology services provider for NHS hospitals in London. The attack disrupted operations, tests and blood transfusions, and led to a significant reduction in healthcare capacity. It was later confirmed that the attack was a contributing factor in at least 170 cases of patient harm, with two classified as severe, involving long-term or permanent damage. The attack also contributed to the death of one patient.
Ransomware groups don’t normally want to kill people, and if they do kill people, they don’t want to say it was for money. That brings us to the ‘suddenly-they-care’ part of the story:
“We are very sorry for the people who were suffered because of it. Herewith we don’t consider ourselves guilty and we ask you don’t blame us in this situation.”
The hackers said the UK government should be blamed as they were not helping in the unspecified war.
…
“Our citizens are dying in unequal combat from a lack of medicines and donor blood”
Any attack that results in physical harm to the public is a legitimate threat to the survival of a ransomware group. There’s no cyber insurance that can protect a hospital or its patients from the delay of life-saving health care. It forces a more aggressive response from law enforcement, and it can cause internal divisions because it makes people angry. Remember Black Basta? That was a strong operation until it tore itself apart over the Russia-Ukraine war and the attack on Ascension Health. The group went offline in January 2025 and their internal chat logs were leaked a few weeks later. Darkside was also a successful group until it hammered the United States with the Colonial Pipeline attack, forcing a whole-of-government response from the Biden Administration. Darkside tried some damage control, but ultimately shut down “due to the pressure from the US.”
Threat actors will rebrand or join other groups, but affiliates do not want to lose their potential or just-paid ransoms because the RaaS operation had to cut and run.
So, back to Qilin. In the interview with the BBC, the Qilin spokesperson refused to identify which side of which war the group was “supporting” in the Synnovis attack. People will come to their own conclusions on whether these statements were genuine. With any luck, the Qilin success story will soon come to an end because of this attack or internal divisions over geopolitical issues.
Qilin attack chain
The Qilin attack chain follows the typical multi-stage process:
Initial Access: Attackers breach the network using phishing attacks (most common), stolen credentials to remote access applications, or known vulnerabilities in appliances or applications.
Privilege escalation, defense evasion, & lateral movement: After access is established, the binary executes and begins privilege escalation. The attackers use credential theft tools like Mimikatz to gain administrative control and move across the network to identify valuable targets. Security software is disabled, and shadow copies are deleted to prevent recovery.
Network Discovery & Data Exfiltration: PowerShell is used to execute scripts for Active Directory (AD) enumeration and facilitate discovery. File transfer tools are prepared, and sensitive data is packaged for transfer to Qilin (or other) servers.
Deployment and Execution: The encryption payload is executed on multiple systems and a ransom note is left demanding payment in cryptocurrency.
Cleanup and Anti-Forensic Actions: Qilin initiates several tasks to impede recovery and investigation. These include deleting the event logs and remaining shadow copies, overwriting free disk space with cipher utilities, and rebooting systems to apply changes to system settings.
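The defense evasion and cleanup stages above leave a recognizable trail in process-creation telemetry: shadow copies deleted, security tooling switched off, event logs cleared, free space wiped with the cipher utility, and a forced reboot. Any one of those on its own is noisy (backup administrators do delete shadow copies), but several of them on the same host within a short window is a strong signal. The following is an added illustration written for this post, not code from Qilin or from Barracuda products; it assumes an EDR or Sysmon export flattened to pipe-delimited lines (timestamp, host, user, command line), and the log lines it runs over are constructed, not real incident data.

```python
"""Flag the anti-recovery command sequence from the ransomware cleanup stage.

Added example for illustration. The line layout "ts|host|user|cmdline" and the
sample records are assumptions constructed for this demo, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per anti-recovery category named in the attack chain. Alerting keys
# on combinations of categories per host, not on any single match.
RULES = [
    ("shadow_copy_delete", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_clear", re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog\b", re.I)),
    ("free_space_wipe", re.compile(r"cipher(\.exe)?\s+/w:", re.I)),
    ("forced_reboot", re.compile(r"shutdown(\.exe)?\b.*\s/r\b|Restart-Computer\b", re.I)),
    # Defender's real cmdlet for turning protection features off via PowerShell.
    ("security_tool_disable", re.compile(r"Set-MpPreference\b.*-Disable", re.I)),
]

# Constructed sample: one host showing the full sequence, one legitimate
# backup-maintenance command, one unrelated helpdesk command.
SAMPLE_LOGS = [
    "2025-06-10T02:14:03|WS-0412|CORP\\svc_deploy|vssadmin.exe delete shadows /all /quiet",
    "2025-06-10T02:15:11|WS-0412|CORP\\svc_deploy|wevtutil.exe cl Security",
    "2025-06-10T02:15:12|WS-0412|CORP\\svc_deploy|wevtutil.exe cl System",
    "2025-06-10T02:16:40|WS-0412|CORP\\svc_deploy|cipher.exe /w:C:\\",
    "2025-06-10T02:40:02|WS-0412|CORP\\svc_deploy|shutdown.exe /r /t 0",
    "2025-06-10T10:00:00|FS-02|CORP\\backupadmin|vssadmin.exe delete shadows /for=D: /oldest",
    "2025-06-10T10:05:00|DC-01|CORP\\helpdesk|powershell.exe Get-Service -Name Spooler",
]


def classify(cmdline):
    """Return the anti-recovery category a command line falls into, or None."""
    for category, pattern in RULES:
        if pattern.search(cmdline):
            return category
    return None


def parse_line(line):
    """Split one pipe-delimited record; the command line may itself contain '|'."""
    ts, host, user, cmdline = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "cmdline": cmdline}


def detect(lines, window=timedelta(minutes=30), min_categories=2):
    """Return one alert per host that shows >= min_categories distinct
    anti-recovery categories inside a sliding time window."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        category = classify(ev["cmdline"])
        if category:
            by_host[ev["host"]].append((ev["ts"], category, ev["cmdline"]))

    alerts = []
    for host, events in by_host.items():
        events.sort()  # chronological; tuples compare on the timestamp first
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            categories = {e[1] for e in in_window}
            if len(categories) >= min_categories:
                alerts.append({
                    "host": host,
                    "categories": sorted(categories),
                    "first": start,
                    "last": in_window[-1][0],
                    "commands": [e[2] for e in in_window],
                })
                break  # one alert per host is enough to trigger response
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        span = alert["last"] - alert["first"]
        print(f"{alert['host']}: {len(alert['categories'])} anti-recovery "
              f"categories in {span} -> {', '.join(alert['categories'])}")
```

Run against the constructed sample, only WS-0412 produces an alert: four categories in 26 minutes. FS-02's lone shadow copy deletion and DC-01's service query stay below the threshold, which is the point of correlating categories rather than matching single commands. In production the same logic maps onto a SIEM correlation rule keyed on host, with the window and threshold tuned to how often your own administrators legitimately run these utilities.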
Defending against Qilin ransomware
There are no known vulnerabilities you can exploit directly in Qilin ransomware to defend against it once it's already active within your system. The focus for defense is prevention, detection, and rapid response. Here are some key steps:
- Implement strong access controls like multi-factor authentication (MFA) and use the principle of least privilege when granting permissions.
- Patch and update regularly to defend against vulnerability exploits, and disable any unused services. Barracuda Managed Vulnerability Security can help you identify and prioritize vulnerabilities that exist in your network.
- Use a consistent backup and recovery strategy. Create regular backups of all critical data and store multiple copies in multiple locations. Use ransomware-proof backup solutions and test your backup restoration process regularly. Make sure you are protecting applications like Microsoft 365 and Microsoft Entra ID.
- Deploy and maintain endpoint protection and use network segmentation strategies to limit lateral movement if a breach occurs.
Barracuda can help
Only Barracuda provides multi-faceted protection that covers all the major threat vectors, protects your data, and automates incident response. The BarracudaONE AI-powered platform protects your email, data, applications, and networks, and is strengthened by a 24/7 managed XDR service. It unifies your security defenses and provides deep, intelligent threat detection and response. Visit our website to see how it can help you protect your business.