Overview
The Qilin ransomware group, also known as Agenda, is a Russia-based ransomware-as-a-service (RaaS) operation active since at least July 2022. It first operated under the name “Agenda” and rebranded to “Qilin” in September 2022. Qilin targets a wide range of organizations across industries and regions, and its victim selection looks opportunistic rather than highly targeted. Healthcare organizations have been specifically noted among its victims. The group uses double extortion, leaking stolen data if the ransom is not paid, and its affiliates use a variety of methods for initial access and lateral movement within compromised networks. Its ransomware has been written in both Golang and Rust.
The name “Qilin” (麒麟), while used by the ransomware group, is also a mythical creature in Chinese mythology and the name of a Chinese military-oriented operating system. This naming choice may be a deliberate attempt at obfuscation or misdirection. There is no publicly known connection between Qilin and the LockBit RaaS operation, despite a single US HPH victim appearing on both data leak sites. This is attributed to multiple RaaS groups claiming possession of the same exfiltrated data rather than re-victimization.
Known Aliases
Qilin ransomware has been reported under several names. It was first identified as Agenda ransomware and later adopted the Qilin branding while keeping similar attack patterns and encryption techniques; some sources also refer to it as Qilin Locker.
Country of Origin:
- Russia (high likelihood, based on observed activity and affiliate recruitment rules that exclude targets in Russia and other CIS countries)
Most Recent Qilin Ransomware Attacks:
- West Haven, CT cyberattack (Jan 15, 2025): Crippled city IT systems and triggered a data breach investigation.
- NHS/Synnovis cyberattack (June 3, 2024): Synnovis, a UK-based pathology and diagnostic services provider, was attacked, disrupting services at several major London hospitals, including those in South London (as reported in open-source intelligence).
- Chrome credential theft (reported Aug 23, 2024): New tactic of harvesting credentials saved in Chrome browsers on domain-joined endpoints, using a PowerShell script pushed to them via Group Policy.
- Court Services Victoria hack (Nov 1 – Dec 21, 2023): Audio-visual recordings of court hearings in Victoria, Australia, were stolen.
- Since January 2024, Qilin has claimed responsibility for over 60 ransomware attacks.
- At least fifteen incidents involving Qilin/Agenda ransomware have been identified in the Healthcare and Public Health Sector (HPH) worldwide since October 2022, with approximately half impacting US organizations.
- US HPH sector victims ranged in revenue from $6 million to $40 million and included dental clinics, a healthcare communications company, an emergency medicine specialist, a radiology company, a home healthcare provider, a neurology center, and a cardiovascular medicine clinic. Affected states included Indiana, Florida, Ohio, Georgia, Minnesota, Nevada, and Arizona.
- According to a third-party analysis of the Qilin data leak site (DLS) as of June 7th, 2024, healthcare victims represented just over 7% of the over 100 victims listed. The most targeted industries were Manufacturing (21%), Legal and Professional Services (15%), and Financial Services (14%).
MITRE ATT&CK Tactics and Techniques of Qilin Ransomware:
The Qilin group utilizes a range of techniques across multiple MITRE ATT&CK tactics. These include:
- Initial Access: Valid Accounts (T1078), Phishing (T1566), Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), Exploit Public-Facing Application (T1190)
- Execution: Scheduled Task/Job (T1053), Command and Scripting Interpreter: Windows Command Shell (T1059.003), PowerShell (T1059.001), System Services: Service Execution (T1569.002)
- Persistence: Boot or Logon Initialization Scripts (T1037)
- Privilege Escalation: Exploitation for Privilege Escalation (T1068), Abuse Elevation Control Mechanism (T1548)
- Defense Evasion: Process Injection (T1055), Rootkit (T1014), Exploitation for Defense Evasion (T1211), Execution Guardrails (T1480), Virtualization/Sandbox Evasion (T1497), Obfuscated Files or Information (T1027)
- Credential Access: OS Credential Dumping: LSASS Memory (T1003.001)
- Discovery: System Information Discovery (T1082), Application Window Discovery (T1010), Network Service Discovery (T1046), Remote System Discovery (T1018)
- Lateral Movement: Remote Services: Remote Desktop Protocol (T1021.001), SSH (T1021.004), Lateral Tool Transfer (T1570)
- Collection: Data from Local System (T1005)
- Exfiltration: Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth (T1011.001)
- Command and Control: Data Obfuscation: Junk Data (T1001.001)
- Impact: Data Encrypted for Impact (T1486), Data Destruction (T1485), Inhibit System Recovery (T1490), Disk Wipe: Disk Content Wipe (T1561.001)
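The technique list above is most useful once it is turned into something a SOC can actually run. What follows is an added example, not code from the original page or from any vendor report on Qilin: a small Python detector that maps Sysmon-style process-creation records to the ATT&CK IDs above that leave the clearest command-line traces: Inhibit System Recovery (T1490), PowerShell (T1059.001), LSASS Memory (T1003.001) and Service Execution (T1569.002), plus Credentials from Web Browsers (T1555.003) for the Chrome credential theft noted in the attacks list. The record format (JSON lines with `id`, `image` and `cmdline` fields), the sample records and the regex patterns are all assumptions made for illustration; the patterns describe the generic technique, not Qilin-specific indicators of compromise.

```python
"""Added example (not from the original page): map process-creation log records
to the ATT&CK technique IDs listed for Qilin/Agenda.

Input format is an assumption: one JSON object per line with Sysmon Event ID 1-like
fields "id", "image" and "cmdline". The regexes describe generic technique behaviour,
not Qilin-specific indicators of compromise.
"""
import json
import re
from dataclasses import dataclass

# (technique ID, description, pattern applied to the full command line)
RULES = [
    ("T1490", "Inhibit System Recovery: shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Inhibit System Recovery: Windows recovery disabled via bcdedit",
     re.compile(r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1490", "Inhibit System Recovery: backup catalog deleted",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("T1059.001", "PowerShell started with a Base64-encoded command",
     re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("T1003.001", "LSASS process memory dump",
     re.compile(r"procdump.*\blsass|comsvcs\.dll,\s*MiniDump", re.I)),
    ("T1569.002", "Service Execution: PsExec-style service or ad-hoc service creation",
     re.compile(r"\bpsexe(svc|c)\.exe|\bsc(\.exe)?\s+create\s+\S+.*binpath=", re.I)),
    ("T1555.003", "Credentials from Web Browsers: Chrome Login Data referenced on a command line",
     re.compile(r"Chrome\\User Data\\.*Login Data", re.I)),
]


@dataclass
class Detection:
    record_id: int
    technique: str
    description: str
    cmdline: str


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return one Detection per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for tid, desc, rx in RULES:
            if rx.search(cmd):
                hits.append(Detection(ev["id"], tid, desc, cmd))
    return hits


def summarize(hits):
    """Technique ID -> sorted record IDs, for a quick triage view."""
    by_tid = {}
    for h in hits:
        by_tid.setdefault(h.technique, []).append(h.record_id)
    return {tid: sorted(ids) for tid, ids in by_tid.items()}


# Constructed sample records (not real telemetry). Records 6 and 9 are benign controls:
# 9 touches the Chrome profile directory but never the Login Data database.
SAMPLE_LOG = r"""
{"id": 1, "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"id": 2, "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"}
{"id": 3, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"}
{"id": 4, "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\temp\\l.dmp full"}
{"id": 5, "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"}
{"id": 6, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"}
{"id": 7, "image": "C:\\Windows\\System32\\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"}
{"id": 8, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -c Copy-Item 'C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data' C:\\temp\\ld.db"}
{"id": 9, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe --user-data-dir=C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data"}
"""

if __name__ == "__main__":
    for tid, ids in sorted(summarize(detect(parse_log(SAMPLE_LOG))).items()):
        print(f"{tid}: records {ids}")
```

The rules deliberately key on the command line rather than the image path, because the page's own technique list (Obfuscated Files, Process Injection) implies the binary name is the least reliable signal; the cost is that an attacker who renames `vssadmin.exe` and calls it through a wrapper would still be caught, while one who deletes shadow copies through WMI from a compiled binary would not. Pair these with the T1490 Sigma rules already in most SIEM content packs rather than treating them as complete coverage.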
Common Methods of Infiltration of Qilin Ransomware:
- Spear phishing emails
- Exploiting exposed applications and interfaces (e.g., Citrix, RDP)
- Leveraging Remote Monitoring and Management (RMM) tools
- Use of Cobalt Strike for binary deployment
Malware/Ransomware Strain(s) Used by Qilin Ransomware:
- Qilin ransomware (variants in Golang and Rust)
- Agenda ransomware (earlier name for Qilin)
- A Linux variant targeting VMware ESXi servers was also identified.