CTI Report: Shielding Your Business from Qilin Ransomware

Blog Post, CTI Report

Introduction In the fast-evolving world of cyber threats, one name has risen to prominence in 2025: Qilin ransomware. This Russia-based ransomware-as-a-service (RaaS) group has claimed 304 victims this year, making it one of the most active and dangerous cyber threats

by Eric J. Taylor | Feb 24, 2026

CTI Report_Shielding Your Business from Qilin Ransomware

Introduction

In the test fast-evolving world of cyber threats, one name has risen to prominence in 2025: Qilin ransomware. This Russia-based ransomware-as-a-service (RaaS) group has claimed 304 victims this year, making it one of the most active and dangerous cyber threats. For business owners and IT professionals, the rise of Qilin is a stark reminder of the need to protect your organization from sophisticated cyberattacks. At Barricade Cyber Solutions, we’re here to guide you through this challenge, offering expert ransomware recovery and prevention services to ensure your business thrives in a secure digital environment.

Understanding Qilin Ransomware

Qilin, previously known as Agenda, emerged in July 2022 and has since evolved into a formidable threat. In 2025, it ranked as the third most active ransomware group, with 72 victims in April and an estimated 55 in May, totaling 304 victims. Their attacks employ double extortion—encrypting data and stealing it, then threatening to leak it on their Tor-based leak site or Telegram channel if ransoms are not paid. Ransoms typically range from $50,000 to $800,000, with some demands reaching $50 million, as seen in the attack on Synnovis, a UK pathology provider, which disrupted NHS hospital services and tragically resulted in a confirmed death (The Register).

Qilin’s technical sophistication includes Rust-based malware targeting Windows, Linux, and VMware ESXi environments. They exploit known vulnerabilities, such as CVE-2023-27532 and CVE-2024-21762, and use tools like Cobalt Strike and Mimikatz to move laterally and escalate privileges. Their recent "Call Lawyer" feature, introduced in June 2025, allows affiliates to involve legal counsel to pressure victims into paying larger sums, further amplifying their impact (The Hacker News).

How Qilin Operates

Qilin’s tactics, techniques, and procedures (TTPs) are designed to maximize disruption and ensure successful extortion. Here’s a detailed breakdown:

Initial Access

  • Spear-Phishing: Affiliates send targeted phishing emails with malicious attachments to steal credentials.

  • Exploiting Exposed Services: Qilin targets internet-facing remote access systems, such as unpatched Citrix gateways and VPNs, often using stolen credentials.

  • Vulnerability Exploitation: They exploit known vulnerabilities, including:

    • CVE-2023-27532

    • CVE-2024-1853

    • CVE-2024-21762

    • CVE-2024-55591

    • Recently, Qilin has been observed exploiting critical Fortinet flaws in FortiOS/FortiProxy devices (HIPAA Journal).

Lateral Movement

  • Uses built-in tools like PsExec (Windows) and SSH (Linux) for network traversal.

  • Deploys Cobalt Strike beacons for command and control.

  • Dumps credentials (e.g., via registry hive dumps) to escalate privileges.

Data Exfiltration

  • Steals browser-stored credentials (e.g., from Chrome).

  • Uses FTP for transferring large volumes of data, with one reported attack involving 783 GB.

Encryption and Extortion

  • Employs a customizable Rust-based encryptor to lock files.

  • Practices double extortion, threatening to leak stolen data on Tor-based leak sites or their Telegram channel.

  • Introduced the "Call Lawyer" feature in June 2025 to involve legal counsel in negotiations, increasing pressure on victims (Cybereason).

Communication

  • Uses a Tor-based victim portal for negotiations.

  • Utilizes encrypted messengers like ProtonMail and Tox.

  • Maintains a Telegram channel for leaking data and wider exposure (Telegram).

    Tools Used by Qilin

    Qilin’s affiliates use a variety of tools to carry out their attacks, enabling persistence, evasion, and maximum impact:

CATEGORY TOOLS
Offensive Security Cobalt Strike, Evilginx, NetExec
Credential Theft Mimikatz
Exfiltration Eazyupload.io
RMM Tools ScreenConnect
LOLBAS fsutil, PsExec, WinRM
Defense Evasion EDRSandBlast, PCHunter, PowerTool, YDArk, Zemana Anti-RootKey Drive
Networking Proxychains
Discovery/Enum Nmap, Nping

Notable Qilin Attacks in 2025

Qilin’s global reach and diverse targeting have made it a significant threat across sectors. Here are some notable attacks:

  • Synnovis (UK): In June 2025, Qilin attacked Synnovis, a UK pathology provider, leading to a $50 million ransom demand and disruption of NHS hospital services, tragically resulting in a confirmed death (The Register).

  • Credit Mediators Inc. (USA): Targeted a debt recovery firm, potentially disrupting services (X Post).

  • Melilla (North Africa): Stole 4-5TB of data, disrupting infrastructure (X Post).

  • Tappoo Group (Fiji): Financial information stolen (X Post).

  • Tecore Networks (USA), GUDECO Elektronik (Germany): Added to Qilin’s dark web portal in June 2025 (X Post).

  • Broadleaf Game (USA), Driver Solutions (USA): Also added to Qilin’s dark web portal in June 2025 (X Post).

Barricade Cyber Solutions: Your Guide

When facing a threat as sophisticated as Qilin, you need a trusted partner. Barricade Cyber Solutions specializes in ransomware recovery and prevention, with GIAC-certified experts who have restored data for thousands of businesses. Our 24/7 support and comprehensive cybersecurity consulting services are designed to combat threats like Qilin, ensuring your business remains secure.

Our services include:

  • Investigation and Containment: Quickly identify and isolate threats.

  • Expert Analysis: Leverage our deep knowledge of attacker TTPs.

  • Data Recovery: Restore encrypted data and strengthen systems.

  • 24/7 Support: Immediate response to incidents, day or night.

  • Cybersecurity Consulting: Assess and enhance your security posture.

Protecting Your Business

To defend against Qilin, implement these proactive measures:

  • Patch Management: Regularly update software to close vulnerabilities like CVE-2023-27532.

  • Multi-Factor Authentication (MFA): Secure remote access points with MFA.

  • Endpoint Detection and Response (EDR): Deploy EDR solutions to detect malicious activities.

  • Backup and Recovery: Maintain immutable backups and test recovery procedures.

  • Employee Training: Educate staff on recognizing phishing and social engineering tactics.

What to Do If Attacked

If your business is hit by Qilin ransomware, follow these steps:

1. Isolate System: Disconnect affected systems to contain the attack.
2. Engage Experts: Contact Barricade Cyber Solutions for investigation and recovery.
3. Negotiate Carefully: If necessary, negotiate through professional channels.
4. Report the Incident: Inform law enforcement and regulatory bodies.

Barricade’s approach includes:

  • Assessment: Identify the scope of the attack.

  • Extortion Negotiation: 24/7 case managers negotiate to minimize impact.

  • Ransom Settlement: Secure and compliant financial handling.

  • Decrypt & Recover: Restore data and enhance security.

Don’t let Qilin ransomware disrupt your business. If you’ve been impacted or want to protect your organization, schedule a consultation with Barricade Cyber Solutions today at Barricade Consultation. Our experts are ready to guide you through recovery and prevention, ensuring your business remains secure.

Success: A Secure Future

Partnering with Barricade Cyber Solutions means more than just recovering from a ransomware attack—it means building a resilient business. Our proven track record ensures your data is secure, your operations are uninterrupted, and your reputation is protected. With our 24/7 support and expert guidance, you can focus on what matters most: running your business.

Conclusion

Qilin ransomware is a significant threat, but with the right knowledge and partner, you can protect your organization. Barricade Cyber Solutions is your guide to navigating this complex landscape, offering expert solutions to recover from attacks and prevent future incidents. Take action now to safeguard your business.

Threat Actor Profile

  • Name and Aliases: Qilin (formerly Agenda)

  • Origin and Affiliations: Russia-based or Russian-speaking, recruiting on Russian-language hacking forums, excluding CIS targets.

  • Motivation and Goals: Financial gain through ransomware attacks targeting mid-size to large organizations.

Operational Overview

  • Initial Access Vectors:

    • Spear-phishing with malicious attachments.

    • Exploiting exposed RDP/VPN services.

    • Exploiting vulnerabilities like CVE-2023-27532, CVE-2024-1853, CVE-2024-21762, CVE-2024-55591, and critical Fortinet flaws.

  • Lateral Movement:

    • Uses PsExec, SSH, and Cobalt Strike.

    • Dumps credentials for privilege escalation.

  • Data Exfiltration:

    • Steals browser credentials.

    • Uses FTP for large data transfers.

  • Encryption and Extortion:

    • Rust-based encryptor with customizable modes.

    • Double extortion via Tor leak sites and Telegram.

    • "Call Lawyer" feature to pressure victims.

Technical Details

  • Malware:

    • Qilin ransomware (Rust-based).

    • Cobalt Strike, Mimikatz, NetExec.

  • Exploited Vulnerabilities:

    • CVE-2023-27532

    • CVE-2024-1853

    • CVE-2024-21762

    • CVE-2024-55591

    • Critical Fortinet flaws in FortiOS/FortiProxy devices.

  • Tools and Infrastructure:

    • Tor-based victim portal.

    • ProtonMail, Tox, Telegram for communication.

    • Affiliate panel with advanced features.

Victimology

  • Targeted Sectors: Healthcare, automotive, financial services, technology, gaming, government.

  • Geographic Focus: Global, with attacks in the UK, USA, Germany, Fiji, North Africa.

  • Notable Victims:

    • Synnovis (UK, 2025)

    • Credit Mediators Inc. (USA, 2025)

    • Melilla (North Africa, 2025)

    • Tappoo Group (Fiji, 2025)

    • Tecore Networks, GUDECO Elektronik, Broadleaf Game, Driver Solutions (2025)

Mitigation and Prevention

  • Security Measures:

    • Patch systems regularly to address vulnerabilities.

    • Implement MFA for remote access.

    • Deploy EDR solutions to detect malicious activities.

    • Maintain immutable backups and test recovery procedures.

    • Train employees on phishing awareness.

  • Incident Response:

    • Isolate affected systems to contain the attack.

    • Engage cybersecurity experts like Barricade Cyber Solutions.

    • Negotiate through professional channels if necessary.

    • Report incidents to law enforcement and regulatory bodies.

Indicators of Compromise (IOCs)

CATEGORY TOOLS
Credential Theft Mimikatz
Defense Evasion EDRSandBlast, PCHunter, PowerTool, YDArk, Zemana Anti- RootKey Drive
Discovery/Enum Nmap, Nping
Exfiltration Eazyupload.io
LOLBAS fsutil, PsExec, WinRM
Networking Proxychains
Offensive Security Cobalt Strike, Evilginx, NetExec
RMM Tools ScreenConnect

Law Enforcement and Threat Landscape

While no direct law enforcement actions against Qilin have been reported in 2025, the group has benefited from disruptions in the ransomware landscape, such as the shutdown of RansomHub, attracting more affiliates (Cyble). Law enforcement efforts in 2024 targeted other ransomware groups, with arrests and takedowns, indicating ongoing pressure on the ecosystem.