Qilin
⚠️ Overview
Qilin (also tracked as Agenda) is a ransomware-as-a-service (RaaS) family first observed in mid-2022 and publicly documented by Trend Micro in August 2022. It is operated by a Russian-speaking threat actor, and its initial variant was written in the Rust programming language, later expanding to Go and C++ variants. Qilin targets Windows and Linux systems, including VMware ESXi servers, and is categorized as a double-extortion ransomware group that exfiltrates data before encryption.
🔧 Technical Capabilities
Qilin gains initial access through phishing emails, compromised RDP credentials, or exploitation of unpatched vulnerabilities such as CVE-2023-27532 (Veeam Backup & Replication). It uses living-off-the-land binaries (LOLBins) like PowerShell and PsExec for lateral movement, and employs custom C2 infrastructure over HTTPS. Persistence is achieved via scheduled tasks and registry Run keys. Evasion includes disabling Windows Defender, deleting volume shadow copies with vssadmin, and wiping system logs. Qilin's ransomware binary uses a unique encryption scheme: it generates a per‑system RSA‑2048 key pair, encrypts files with ChaCha20, and appends the extension .qilin. The Linux variant targets ESXi by killing virtual machines and encrypting VMFS volumes.
📜 History & Notable Incidents
Qilin first appeared in June 2022, with a campaign targeting Australian and U.S. healthcare organizations in October 2022 (attributed by Trend Micro). In November 2023, Qilin breached Synlab Italia, a major Italian medical diagnostics company, exfiltrating 2 TB of sensitive patient data. In March 2024, a joint advisory from CISA, FBI, and MS-ISAC (AA24-073A) linked Qilin to attacks on education, healthcare, and manufacturing sectors. No CVEs are directly associated with Qilin itself, but it exploits CVE-2023-27532 in Veeam and CVE-2021-44228 (Log4Shell) in vulnerable Java applications.
🔍 Detection Indicators
Known file hashes include SHA‑256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (an example placeholder only: this value is the SHA‑256 of empty input, not of a Qilin sample; live IOCs are maintained by Trend Micro and the Ransomware Tracker). Behavioral signatures involve mass file encryption with the .qilin extension, creation of ransom notes named QilinReadme.txt, and network indicators such as C2 domains using random‑letter subdomains (e.g., abc123.[malicious domain].com) over port 443. Registry persistence keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run named QilinSvc have been observed.
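A small triage script, added here as an example (not code from this page's source or from any vendor), that applies the behavioural indicators listed above to a batch of constructed Sysmon-style events. The event schema (type/cmdline/key/value/path), the sample paths and the burst threshold are assumptions; only the indicator values come from the write-up.

```python
import re
from collections import Counter

# Indicator values are those quoted in the write-up; the event schema
# (type/cmdline/key/value/path) and the burst threshold are assumptions.
RANSOM_EXT = ".qilin"
RANSOM_NOTE = "qilinreadme.txt"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUE = "qilinsvc"
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Constructed Sysmon-style events for demonstration, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "cmdline": "powershell.exe Get-Process"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "QilinSvc"},
    {"type": "file", "path": r"C:\Users\alice\Documents\QilinReadme.txt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
] + [{"type": "file", "path": rf"C:\Users\alice\Documents\doc{i}.docx.qilin"}
     for i in range(6)]

def classify(event):
    """Return the indicator names a single event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process" and VSS_DELETE.search(event.get("cmdline", "")):
        hits.append("shadow_copy_deletion")
    elif kind == "registry":
        if (event.get("key", "").lower().startswith(RUN_KEY)
                and event.get("value", "").lower() == RUN_VALUE):
            hits.append("run_key_persistence")
    elif kind == "file":
        path = event.get("path", "").replace("/", "\\")
        name = path.rsplit("\\", 1)[-1].lower()
        if name.endswith(RANSOM_EXT):
            hits.append("qilin_extension")
        if name == RANSOM_NOTE:
            hits.append("ransom_note")
    return hits

def scan(events, burst_threshold=5):
    """Aggregate a batch: single .qilin renames are only counted; 'mass_encryption'
    fires once burst_threshold of them appear together. Returns (alerts, counts)."""
    counts = Counter(hit for ev in events for hit in classify(ev))
    alerts = {name for name in counts if name != "qilin_extension"}
    if counts["qilin_extension"] >= burst_threshold:
        alerts.add("mass_encryption")
    return alerts, counts
```

Feed real endpoint telemetry into `scan` in time-bounded batches so the burst threshold reflects rename rate rather than total history.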
☠️ Risk & Impact
Qilin causes severe data exfiltration and operational disruption, particularly in healthcare, education, and manufacturing. The Synlab Italia incident alone led to millions of dollars in recovery costs and compromised patient records. Double extortion—threatening to leak stolen data on a dedicated leak site—amplifies financial and reputational damage. The group demands ransoms ranging from tens of thousands to several million dollars, with payments primarily in Monero or Bitcoin.
🛡️ Mitigation
Defenders should apply patches for CVE-2023-27532 and CVE-2021-44228, enforce multi‑factor authentication on RDP, and implement network segmentation. Use endpoint detection rules from Trend Micro's Qilin detection logic (e.g., rule ID 12345) and block known C2 domains via DNS sinkholing. Regularly test offline backups and deploy the CISA‑MS‑ISAC recommended detection signatures provided in AA24‑073A.