Qilin ransomware: Attack Chain, MITRE ATT&CK TTPs, and Incident Response Guide

Heloise Montini & Magdy Abdelaziz
Qilin Ransomware: Operating Model, Attack Chain, and Technical Profile

Qilin, also known as Agenda, is a ransomware-as-a-service (RaaS) operation that has been active since 2022. As of mid-2026, it is one of the most prolific double-extortion ransomware groups in operation. It combines system encryption with data theft and threatens to publish stolen information if victims refuse to pay.

Affiliates gain initial access through compromised VPN credentials, phishing, and exposed remote services, then move laterally using built-in Windows administration tools before deploying encryption across Windows, Linux, and VMware ESXi environments.

Files are encrypted while sensitive data is exfiltrated and published on a Tor-accessible leak site if payment is not made. As of this publication, no public decryptor exists.

If Qilin ransomware is detected in your environment, the immediate priority is to isolate the network and preserve forensic evidence before any recovery attempt. Contact Proven Data’s Emergency IR team for immediate assistance.

Qilin ransomware history and timeline

Qilin has grown from a niche Go-based ransomware family into one of the most active and technically capable RaaS operations currently tracked. Early versions were written in Go (Golang) and tailored for specific targets.

The group has confirmed victims across manufacturing, healthcare, financial services, technology, and aviation.

2022–2024: emergence, Linux expansion, and high-profile attacks

Qilin first appeared in July 2022 under the name Agenda, with early builds written in Go for Windows targets. By late 2022, a Rust-based variant was added alongside the existing Go version.

In December 2023, a Linux variant capable of targeting VMware ESXi infrastructure was identified, extending the operation's reach beyond Windows endpoints into enterprise virtualization environments. The June 2024 attack on Synnovis, a pathology provider serving major London NHS hospitals, brought the group to wider public attention after causing significant disruption to blood transfusion and test result services.

This isn’t the first time that VMware systems have been targeted by ransomware.

2025–2026: record activity and new evasion techniques

Security researchers tracked Qilin as one of the most prolific ransomware operations globally through 2025. In February 2026, the group listed Malaysia Airlines on its leak site, alleging a breach, following a separate confirmed attack on Kuala Lumpur International Airport the previous year.

Researchers identified a new evasion technique: Qilin affiliates deploying Linux encryptors through Windows Subsystem for Linux (WSL) to evade Windows-native security tools.

In June 2026, an authentication-bypass vulnerability (CVE-2026-50751) in a widely deployed VPN platform was confirmed to be actively exploited by Qilin affiliates, with exploitation activity traced back to at least May 7, 2026.

How Qilin ransomware affiliates operate

Qilin's RaaS structure separates payload development from attack execution. A core team maintains the ransomware, backend infrastructure, and the leak site, while independent affiliates carry out the intrusions and split the ransom revenue. Qilin’s affiliates retain a substantial share of each ransom payment in exchange for deploying the platform.

This structure has an important forensic implication. The affiliate deploying encryption is often not the actor who obtained network entry. In many Qilin-linked incidents, access was purchased from Initial Access Brokers (IABs) who compromised the environment weeks or months earlier. The result is a dwell period between first access and ransomware deployment, with early intrusion artifacts frequently predating encryption by days or months.

How a Qilin ransomware attack unfolds

Qilin intrusions follow a deliberate attack chain rather than automated deployment. Each phase is human-operated and adaptive, not scripted and indiscriminate.

Phase 1: initial access through VPN exploitation, phishing, and credential theft

The most consistent entry vectors are compromised remote access services and stolen credentials. Affiliates target internet-facing VPN appliances and RDP endpoints using credentials sourced from IABs or obtained through phishing.

Phishing and spear-phishing remain active delivery methods. CVE-2026-50751 is the most recently confirmed first-stage compromise vector, with active exploitation observed since May 2026.

Phase 2: privilege escalation and lateral movement

After establishing a foothold, affiliates enumerate local and domain accounts using PowerShell cmdlets. Access token manipulation using embedded Mimikatz modules is documented in Qilin deployments, enabling affiliates to escalate privileges and launch processes in an elevated security context.

WMI, PowerShell, and PsExec are the primary lateral movement tools, blending attacker activity into patterns that resemble routine IT administration. The objective is to reach domain controllers, backup management consoles, and virtualization hosts before detonating.

Phase 3: data exfiltration and double-extortion leverage

Before encryption begins, affiliates exfiltrate sensitive files to attacker-controlled infrastructure. WinSCP has been confirmed as a file transfer mechanism in reported cases.

"For mature human-operated ransomware groups, exfiltration-before-encryption is now a standard playbook. The leak threat changes payment discussions when the data is regulated, embarrassing, legally sensitive, financially material, or operationally valuable," explains Magdy Abdelaziz, seasoned DFIR specialist with experience across SOC, offensive security, and incident response.

Phase 4: encryption, backup deletion, and impact

Encryption uses AES-256 or ChaCha20, combined with asymmetric-key protection. Before or during encryption, affiliates delete Volume Shadow Copies, terminate selected services to unlock active files, and target backup infrastructure directly.

Attackers have been observed accessing backup management consoles, destroying catalogs, and disabling jobs to close off clean restoration paths.

Defense evasion techniques

Qilin affiliates do not rely on a single evasion method. They combine driver-level attacks, cross-environment execution, and administrative tool abuse to reduce detection surface.

BYOVD driver attacks

BYOVD (Bring Your Own Vulnerable Driver) attacks load a legitimately signed but exploitable driver into kernel mode, then use it to terminate EDR processes and remove kernel callbacks, effectively blinding endpoint security.

BYOVD is identified in Qilin operations as a pre-encryption step, reducing resistance from endpoint protection before the encryptor is deployed.

WSL-based Linux execution in Windows

Qilin affiliates deploy a Linux encryptor via the Windows Subsystem for Linux rather than a Windows binary. Because many Windows security tools do not inspect WSL process activity at the same fidelity as native Windows processes, the Linux encryptor can execute and encrypt mounted Windows file shares while generating fewer detection events.

Living-off-the-land binaries and remote tool abuse

Qilin intrusions consistently abuse living-off-the-land binaries (LOLBins) for execution and lateral movement. This approach shifts the detection challenge from signature-based blocking to behavioral context: who ran the command, from which host, and what happened next.

Remote access tools such as AnyDesk and ScreenConnect appearing outside established IT workflows are reported detection signals in Qilin intrusions.

Indicators of compromise and MITRE ATT&CK mapping

Technical IOCs change across Qilin campaigns. Behavioral indicators are more operationally durable and should form the foundation of detection logic.

Technical indicators

  • Encrypted file extension: Renamed with a victim-specific extension configured per affiliate deployment
  • Ransom note: Dropped in encrypted directories with a variant-specific filename pattern
  • Scheduled tasks: Unexpected entries created as a persistence mechanism post-compromise
  • LSASS memory access: Abnormal process access to lsass.exe consistent with credential dumping
  • Driver loads: Signed drivers appearing outside standard endpoint baselines, especially loading shortly before encryption
  • WinSCP execution: File transfer activity from non-administrative hosts or non-IT contexts
  • ESXi/Linux hosts: Unexpected Go or Rust-compiled binaries executing on virtualization infrastructure

MITRE ATT&CK technique mapping (S1242)

Tactic                                  | ID        | Technique
----------------------------------------|-----------|------------------------------------------------
Initial Access                          | T1190     | Exploit Public-Facing Application (VPN)
Initial Access                          | T1078     | Valid Accounts (stolen credentials)
Execution                               | T1059.001 | PowerShell
Privilege Escalation                    | T1548.002 | Bypass User Account Control
Privilege Escalation / Defense Evasion  | T1134     | Access Token Manipulation (Mimikatz)
Defense Evasion                         | T1562.001 | Disable or Modify Security Tools (BYOVD)
Discovery                               | T1087.001 | Account Discovery: Local Account
Discovery                               | T1087.002 | Account Discovery: Domain Account
Command and Control                     | T1071.002 | File Transfer Protocols (WinSCP)
Impact                                  | T1486     | Data Encrypted for Impact
Impact                                  | T1490     | Inhibit System Recovery (VSS deletion)

Behavioral detection signals

Reliable Qilin detection depends on correlating signals across identity, endpoint, and network telemetry rather than static signature matching.

High-priority behavioral signals:

  • Anomalous VPN or RDP authentication from unrecognized devices, geolocations, or hours
  • First-time domain admin activity originating from non-management hosts
  • Bulk LSASS access events correlated with subsequent lateral authentication activity
  • Mass Volume Shadow Copy deletion across multiple systems in a short window
  • Coordinated service termination across multiple hosts simultaneously
  • Unexpected driver loads outside established endpoint baselines
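The following is an added example, not code from Proven Data or the article, showing how three of the technical indicators and behavioral signals above (mass Volume Shadow Copy deletion across hosts, LSASS access followed by lateral authentication, and driver loads outside a baseline) can be correlated over endpoint telemetry. The event schema, field names, thresholds, the sample events and the driver baseline are all constructed assumptions for this example; a real deployment would map them onto Sysmon or Windows Security log fields from your own collection pipeline.

```python
"""Behavioural correlation over constructed endpoint telemetry.

Added example, not Proven Data's code. Event schema, field names, thresholds
and the driver baseline are assumptions made for this illustration.
"""
from datetime import datetime, timedelta
import re

# Constructed sample telemetry (not real incident data). Each event is a flat
# dict; "ts" is ISO-8601 UTC. Field names are an assumption for this example.
EVENTS = [
    {"ts": "2026-05-07T01:10:00", "host": "WS-22", "kind": "lsass_access",
     "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"},
    {"ts": "2026-05-07T01:25:00", "host": "DC01", "kind": "logon",
     "logon_type": 3, "user": "da_admin", "src_host": "WS-22"},
    {"ts": "2026-05-07T01:26:00", "host": "FS01", "kind": "logon",
     "logon_type": 3, "user": "da_admin", "src_host": "WS-22"},
    {"ts": "2026-05-07T02:00:00", "host": "FS01", "kind": "driver_load",
     "driver": "oldsigned.sys"},
    {"ts": "2026-05-07T02:05:00", "host": "FS01", "kind": "process_create",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-05-07T02:06:00", "host": "FS02", "kind": "process_create",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2026-05-07T02:07:00", "host": "APP01", "kind": "process_create",
     "cmdline": "powershell -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"},
    # A lone, routine shadow-copy cleanup hours later should not trip the burst rule.
    {"ts": "2026-05-07T09:00:00", "host": "WS-05", "kind": "process_create",
     "cmdline": "vssadmin.exe delete shadows /for=C: /oldest"},
]

# Common shadow-copy deletion command shapes (vssadmin, wmic, PowerShell WMI).
VSS_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy.*Remove-WmiObject",
    re.IGNORECASE,
)

# Constructed allow-list standing in for a per-fleet signed-driver baseline.
DRIVER_BASELINE = {"ntfs.sys", "tcpip.sys", "ksecdd.sys"}


def _t(event):
    return datetime.fromisoformat(event["ts"])


def detect_vss_burst(events, window=timedelta(minutes=15), min_hosts=3):
    """Mass VSS deletion: >= min_hosts distinct hosts deleting shadows within `window`."""
    hits = sorted((e for e in events
                   if e["kind"] == "process_create" and VSS_DELETE.search(e["cmdline"])),
                  key=_t)
    for i, first in enumerate(hits):
        hosts = {h["host"] for h in hits[i:] if _t(h) - _t(first) <= window}
        if len(hosts) >= min_hosts:
            return [{"rule": "mass_vss_deletion", "start": first["ts"],
                     "hosts": sorted(hosts)}]
    return []


def detect_lsass_then_lateral(events, window=timedelta(hours=2)):
    """LSASS access on host X followed by network (type 3) logons sourced from X."""
    findings = []
    for access in (e for e in events if e["kind"] == "lsass_access"):
        later = [e for e in events
                 if e["kind"] == "logon" and e.get("logon_type") == 3
                 and e.get("src_host") == access["host"]
                 and timedelta(0) <= _t(e) - _t(access) <= window]
        if later:
            findings.append({"rule": "lsass_access_then_lateral",
                             "src_host": access["host"], "accessor": access["image"],
                             "targets": sorted({e["host"] for e in later}),
                             "accounts": sorted({e["user"] for e in later})})
    return findings


def detect_unbaselined_drivers(events, baseline=DRIVER_BASELINE):
    """Driver loads absent from the baseline; a BYOVD precursor worth triage."""
    return [{"rule": "unbaselined_driver_load", "host": e["host"],
             "driver": e["driver"], "ts": e["ts"]}
            for e in events
            if e["kind"] == "driver_load" and e["driver"].lower() not in baseline]


def run_all(events=EVENTS, baseline=DRIVER_BASELINE):
    """Run every detector and return the combined list of findings."""
    return (detect_vss_burst(events)
            + detect_lsass_then_lateral(events)
            + detect_unbaselined_drivers(events, baseline))


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

The burst detector reports the first window in which the host threshold is met and ignores the isolated cleanup on WS-05, which is the distinction between an administrator's routine task and the coordinated pre-encryption step described in the article; the LSASS rule joins endpoint and identity telemetry, which is why off-host collection of both is a prerequisite.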

Prevention and hardening

Effective prevention directly targets the access methods and lateral movement patterns observed in Qilin intrusions.

Reduce initial access exposure:

  • Eliminate direct internet exposure for RDP. Put all remote access behind MFA and conditional access controls.
  • Patch VPN firmware on an accelerated cycle. CVE-2026-50751 was actively exploited by Qilin affiliates within weeks of its discovery.
  • Treat stale accounts, shared admin credentials, and unreviewed remote management tool enrollments as active risk. Many Qilin incidents trace back to IAB access obtained months before detonation.
  • Audit RMM tool deployments. Restrict enrollment to allowlisted devices and require explicit approval for new agent installations.

Harden ESXi and virtualized environments:

Given Qilin's documented capability to attack VMware ESXi with ransomware, the virtualization infrastructure requires explicit guardrails. Separate ESXi management networks from general enterprise networks, enforce MFA for vCenter access, and restrict administrative paths to jump hosts or privileged-access workstations.

Protect backup infrastructure:

Immutable backups are only effective if the backup control plane is unreachable by a compromised admin account. Isolate backup systems on separate network segments with dedicated credentials that do not authenticate against the main domain. As part of a practical ransomware-resistant backup strategy, validate restore procedures on tier-0 systems before you need them.

The 3-2-1-1-0 backup strategy operationalizes this requirement: three copies of data across two media types, one stored off-site, one air-gapped offline copy that no network-accessible account can reach, and zero unverified backup sets.
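To make the 3-2-1-1-0 rule checkable rather than aspirational, here is an added example (not Proven Data's code) that evaluates a backup inventory against the five counts and also applies the caveat from the previous paragraph: an offline copy only counts if its control plane cannot be reached with main-domain credentials. The inventory schema, field names, sample entries and the 90-day restore-test age are assumptions constructed for this example.

```python
"""3-2-1-1-0 compliance check over a constructed backup inventory.

Added example, not Proven Data's code; the inventory schema is assumed.
"""
from datetime import date, timedelta

# Constructed inventory for one tier-0 dataset. Field meanings (assumed):
#   media             - storage medium class
#   site              - "onsite" or "offsite"
#   offline           - air-gapped copy not reachable over the network
#   domain_auth       - the copy's control plane accepts main-domain credentials
#   last_restore_test - date of the last verified restore, or None if never tested
INVENTORY = [
    {"name": "primary-san-snap", "media": "disk", "site": "onsite",
     "offline": False, "domain_auth": True, "last_restore_test": date(2026, 5, 20)},
    {"name": "backup-appliance", "media": "disk", "site": "onsite",
     "offline": False, "domain_auth": True, "last_restore_test": date(2026, 5, 20)},
    {"name": "cloud-object-lock", "media": "object", "site": "offsite",
     "offline": False, "domain_auth": False, "last_restore_test": date(2026, 5, 1)},
    {"name": "tape-vault", "media": "tape", "site": "offsite",
     "offline": True, "domain_auth": False, "last_restore_test": None},
]


def evaluate_3_2_1_1_0(inventory, today, max_test_age=timedelta(days=90)):
    """Return {rule: (passed, detail)} for the five 3-2-1-1-0 requirements."""
    copies = len(inventory)
    media = {c["media"] for c in inventory}
    offsite = [c for c in inventory if c["site"] == "offsite"]
    # An offline copy whose control plane still trusts domain credentials is
    # reachable by a compromised admin, so it does not satisfy the rule.
    offline = [c for c in inventory if c["offline"] and not c["domain_auth"]]
    unverified = [c["name"] for c in inventory
                  if c["last_restore_test"] is None
                  or today - c["last_restore_test"] > max_test_age]
    return {
        "3_copies": (copies >= 3, f"{copies} copies"),
        "2_media": (len(media) >= 2, ",".join(sorted(media))),
        "1_offsite": (len(offsite) >= 1, ",".join(c["name"] for c in offsite)),
        "1_offline": (len(offline) >= 1, ",".join(c["name"] for c in offline)),
        "0_unverified": (not unverified, ",".join(unverified) or "all verified"),
    }


def failed_rules(inventory, today):
    """Names of the rules the inventory fails, in 3-2-1-1-0 order."""
    return [rule for rule, (ok, _) in evaluate_3_2_1_1_0(inventory, today).items()
            if not ok]


if __name__ == "__main__":
    for rule, (ok, detail) in evaluate_3_2_1_1_0(INVENTORY, date(2026, 6, 15)).items():
        print(f"{rule:13} {'PASS' if ok else 'FAIL'}  {detail}")
```

Run against the sample inventory, the only failing rule is the zero-unverified one, because the tape copy has never had a restore test; flipping `domain_auth` on that copy would additionally fail the offline rule even though the tape is physically air-gapped, which is exactly the control-plane exposure the article warns about.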


Establish off-host log collection:

The behavioral signals in the IOC section above are only detectable if logs are collected and retained prior to the incident. Stream Windows Security logs, endpoint telemetry (process creation, script execution, remote execution events), VPN and IdP authentication records, and ESXi audit logs to a centralized collection platform. On-host evidence is frequently incomplete or overwritten by the time containment begins.

What to do if Qilin ransomware is active in your environment

If Qilin is actively encrypting systems or has been confirmed within your environment, evidence preservation takes priority over restoration. Acting without a sequence will compress your recovery options and destroy forensic evidence needed for investigation and insurance claims.

Immediate containment

Isolate ransomware-infected servers and affected endpoints from the network immediately, but do not power them off. Network isolation stops further lateral movement without destroying volatile memory that may contain decryption material or attacker tooling. Disable compromised accounts at the directory level. If backup infrastructure is still accessible, disconnect it from the enterprise network before it is targeted.

Evidence preservation

Preserve forensic evidence before any remediation steps begin. This means capturing volatile memory on live systems, imaging disks of infected endpoints, and exporting authentication logs (VPN, RDP, IdP, directory) before retention windows expire. Given Qilin's recorded extended dwell time between first access and encryption, logs from weeks before the incident may contain the earliest evidence of the intrusion chain.

Recovery options and ransom considerations

As of June 2026, no public decryptor for Qilin is available. File recovery depends entirely on the availability and integrity of backups. The ransomware recovery timeline varies significantly based on data volume, ESXi involvement, and whether backup catalogs were destroyed.

Engaging professional incident response and digital forensics services at the earliest confirmed stage of a Qilin intrusion reduces containment time, improves recovery outcomes, and ensures the integrity of evidence for insurance and legal proceedings.

Proven Data's ransomware recovery specialists provide 24/7 emergency response and coordinated restoration for organizations that need to recover quickly with minimal data loss.

Written by: Heloise Montini, Cybersecurity Content Writer

Cybersecurity writer at Proven Data covering ransomware trends, incident response, and data protection best practices.

Written by: Magdy Abdelaziz, Head of DFIR

Magdy Abdelaziz is a dedicated cybersecurity professional with over 6 years of extensive experience in digital forensics, incident response, reverse engineering, and security operations. He currently serves as Head of Digital Forensics and Incident Response (DFIR) at Proven Data LLC, leading a multinational team to develop and execute incident response strategies, align security initiatives with business objectives, and manage global-scale incidents.

Reviewed by: Laura Pompeu, Cybersecurity Content Writer

Content strategist at Proven Data focused on cybersecurity education, threat analysis, and ransomware awareness.