Qilin Ransomware | Group Profile, TTPs, IOCs, and Defense Guide (2026)


Qilin is one of the most active and technically aggressive ransomware groups operating today. Since emerging in 2022 under the name Agenda, the group has rebranded, expanded its affiliate network, and executed high-impact attacks against hospitals, school districts, media conglomerates, and critical infrastructure across multiple continents.

Unlike opportunistic ransomware campaigns that cast wide nets, Qilin operates with deliberate targeting. The group runs a ransomware-as-a-service (RaaS) model, recruiting skilled affiliates to breach high-value organizations while the core team develops and maintains the malware. Victims who refuse to pay face a second threat: sensitive data published on Qilin’s dark web leak site, where it remains publicly accessible to anyone who knows where to look.

What makes Qilin particularly dangerous in 2025 and into 2026 is its technical evolution. The group has been observed stealing Google Chrome credentials before triggering encryption, abusing Windows Subsystem for Linux (WSL) to evade endpoint detection, and harvesting VPN credentials to establish persistent footholds inside corporate networks. These are not the tactics of an unsophisticated actor.

This page covers everything security teams, IT professionals, and researchers need to understand about the Qilin ransomware group: who they are, who they have targeted, how they operate, and what your organization can do to detect exposure and reduce risk before an attack escalates.

What Is Qilin Ransomware?

Qilin is a ransomware-as-a-service operation that encrypts victim systems, exfiltrates sensitive data, and demands payment in exchange for decryption, threatening public exposure. First identified in 2022, the group has grown from a relatively obscure threat into one of the most prolific ransomware gangs tracked by global cybersecurity agencies, including CISA and various national CERTs. Its targets span healthcare, education, manufacturing, and media sectors, chosen for their low tolerance for downtime and high likelihood of paying.

Qilin (Agenda) Ransomware, Origins and Naming

Qilin was originally discovered and tracked under the name Agenda in mid-2022. Early variants were written in Go and targeted enterprises, particularly in Africa and Asia. Researchers at Trend Micro were among the first to document the group’s activity, noting that the encryptor could reboot the machine into safe mode so that encryption ran while endpoint security tools were not loaded, a technique associated with more advanced ransomware at the time.

The group later rebranded as Qilin, a name drawn from a mythical creature in Chinese folklore, and rewrote its ransomware in Rust, a language increasingly favored by ransomware developers for its performance, its cross-platform builds (the same codebase yields Windows, Linux and VMware ESXi payloads), and binaries that are harder to analyse with tooling built around C and C++. The Agenda name still appears in some threat intelligence reports, which is why the terms Qilin ransomware and Agenda ransomware are used interchangeably across the security community.

Is Qilin a Russian Ransomware Group?

Attribution in ransomware is rarely clean, but the available evidence points strongly toward a Russian-speaking origin. Analysis of Qilin’s malware samples, leak site language, and operational patterns reveals characteristics consistent with Eastern European cybercriminal ecosystems, including code artifacts in Russian and a documented policy of avoiding targets in Commonwealth of Independent States (CIS) countries, a common self-imposed restriction among Russia-linked ransomware groups designed to reduce domestic legal exposure.

No formal government attribution has been publicly issued as of early 2026. Still, Qilin’s infrastructure, affiliate recruitment practices, and forum presence closely align with the broader Russian-speaking RaaS ecosystem, which has produced groups like LockBit, BlackCat, and Akira.

How Qilin Differs from Other RaaS Operations

On the surface, Qilin follows a familiar playbook: breach, encrypt, exfiltrate, extort. But several characteristics set it apart from the broader ransomware-as-a-service landscape.

Most notably, Qilin has demonstrated a consistent willingness to evolve its technical toolkit between campaigns. The shift from Go to Rust, the introduction of Chrome credential harvesting, and the more recent exploitation of Windows Subsystem for Linux (WSL) are not the work of a static operation recycling old code. The group actively develops new evasion capabilities and shares them across its affiliate network, raising the overall technical floor for every attack carried out under the Qilin brand.

Qilin also offers affiliates a notably high revenue share, reported at up to 85% of ransom payments, making it an attractive platform for experienced threat actors who might otherwise operate independently. This aggressive affiliate structure has accelerated Qilin’s victim count and helped it rank among the most active ransomware groups globally in 2025, alongside Akira and the remnants of LockBit.

Qilin Ransomware Attack History and Notable Victims

Qilin’s victim list reads like a cross-sector threat briefing. The group has struck hospitals, school systems, industrial manufacturers, and municipal governments, leaving operational disruption, exposed patient records, and stolen financial data in its wake. What follows are the most significant confirmed attacks attributed to Qilin, along with a timeline of the group’s broader activity from its emergence through early 2026.

NHS / Synnovis Attack (2024), Impact on UK Healthcare

The most consequential Qilin attack on record targeted Synnovis, a pathology services provider run as a joint venture between SYNLAB and two London NHS trusts, Guy’s and St Thomas’ and King’s College Hospital. In June 2024, Qilin affiliates breached Synnovis systems and deployed ransomware across the network, triggering one of the most serious cyber incidents ever recorded in the UK healthcare sector.

The attack forced the cancellation of thousands of operations and appointments across King’s College Hospital, Guy’s and St Thomas’ NHS Foundation Trust, and several primary care providers across London. Blood transfusion services were particularly disrupted, a critical failure in a healthcare environment, with NHS England declaring the incident a regional emergency.

Qilin subsequently published approximately 400GB of sensitive patient data on its leak site after ransom negotiations broke down, including names, dates of birth, NHS numbers, and blood test results. The incident drew formal responses from the UK National Cyber Security Centre and prompted a parliamentary inquiry into NHS cyber resilience. As of 2026, it remains the most high-profile healthcare ransomware attack in British history.

Asahi Group Breach

Asahi Group Holdings, the Japanese beverage group best known for Asahi beer, disclosed a cyberattack in late September 2025 that disrupted order processing and shipments in Japan; Qilin subsequently claimed the breach on its dark web leak site and posted samples of internal business data. The attack drew significant attention in Asia-Pacific threat intelligence circles as a demonstration of Qilin’s capacity to disrupt large multinational corporations outside the English-speaking world. Specific ransom figures were not publicly confirmed, but the volume of data claimed by Qilin suggested deep network access before encryption.

Bertie County Schools Data Breach

In the United States, Qilin claimed an attack against Bertie County Schools in North Carolina, exposing sensitive data belonging to students, staff, and the district’s administrative operations. The incident highlighted the group’s willingness to target under-resourced public sector organizations; school districts rarely maintain the security infrastructure needed to detect or contain a sophisticated intrusion before data has already been exfiltrated. The breach triggered notification obligations under applicable US data protection frameworks and underscored the broader vulnerability of K–12 institutions to ransomware.

Abilene, Texas Incident

The City of Abilene, Texas, experienced a significant ransomware disruption attributed to Qilin in 2025, affecting municipal systems and forcing city departments to operate on contingency procedures while the incident was contained. Local government entities present an attractive target profile for ransomware groups; they hold sensitive citizen data, often rely on aging IT infrastructure, and face public pressure to restore services quickly. While full technical details of the Abilene attack were not publicly released, the incident was consistent with Qilin’s established operational pattern of targeting organizations with high recovery urgency.

Qilin Activity Timeline: 2022–2026

Qilin’s evolution from an emerging threat to a top-tier ransomware operation has been steady and deliberate.

The group first appeared in mid-2022 as Agenda, targeting organizations primarily in Africa and Asia with Go-based ransomware. By late 2022, it had rebranded as Qilin and begun rebuilding its codebase in Rust, signaling a significant investment in long-term operational capability.

Throughout 2023, Qilin expanded its affiliate recruitment and began appearing on threat intelligence radars in Europe and North America, with attack volume steadily climbing across the healthcare, education, and manufacturing sectors.

2024 marked the group’s breakout year. The Synnovis/NHS attack in June placed Qilin in mainstream security and political discourse for the first time, while continued listings on its leak site confirmed an accelerating victim count across multiple industries and geographies.

By 2025, Qilin had established itself as one of the most prolific ransomware groups globally, ranking alongside Akira in breach volume and surpassing many longer-established RaaS operations in technical sophistication. New attack techniques, including Chrome credential harvesting and WSL-based evasion, were documented by researchers and referenced in government advisories.

Into early 2026, Qilin’s activity shows no signs of deceleration. The group continues to post new victims, refine its tooling, and operate an active affiliate program, making it one of the most persistent active threats in the current ransomware landscape.

Qilin Ransomware TTPs (Tactics, Techniques, and Procedures)

Understanding how Qilin operates inside a network is the foundation of any credible defense. The group’s tactics, techniques, and procedures have grown more sophisticated with each iteration of its tooling, and what distinguishes Qilin from lower-tier ransomware operations is its consistent investment in evasion. The following breakdown covers the full attack chain, from initial access through double extortion, based on publicly documented analysis from CISA, CrowdStrike, and independent security researchers.

Initial Access Methods, VPN Credential Theft and Phishing

Qilin affiliates consistently favor two initial access vectors: compromised VPN credentials and targeted phishing campaigns.

Compromised VPN credentials have been the dominant vector. Affiliates obtain them through infostealer logs purchased on criminal markets, credential stuffing and password spraying against exposed remote-access infrastructure, and exploitation of known vulnerabilities in VPN appliances that organizations have failed to patch; appliances without multi-factor authentication are the easiest entry point. Once valid credentials are in hand, affiliates authenticate directly into the target environment, arriving as a legitimate user with no malware on the wire to trigger a signature. This approach bypasses perimeter controls by design, which is a primary reason Qilin intrusions often go undetected for extended dwell times before ransomware is deployed.

Phishing remains a secondary but active vector, particularly in campaigns targeting employees with access to high-privilege systems. Spear-phishing emails are used to deliver credential harvesters or establish initial footholds through malicious attachments and links, with subsequent access handed off to the affiliate responsible for the intrusion.
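The initial-access patterns above leave traces in VPN authentication logs that are cheap to hunt for: one source address failing against many accounts and then succeeding (stuffing or spraying), a success from a source the real user has never used (infostealer-sourced credentials), and successes outside business hours. The script below is an added example for this page, not Qilin tooling or any vendor's product; the key=value log format is a hypothetical appliance layout, and the log lines, the per-user baseline and the business-hours window are constructed for the demonstration.

```python
"""Hunt VPN authentication logs for the patterns that precede a credential-
based intrusion: stuffing followed by a success, first-seen source addresses,
and off-hours logons. Log lines, baseline and format are constructed."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed syslog-style records (hypothetical appliance format).
SAMPLE_LOG = """\
2025-10-03T02:11:05Z vpn01 auth user=j.smith src=203.0.113.9 result=FAIL
2025-10-03T02:11:07Z vpn01 auth user=a.jones src=203.0.113.9 result=FAIL
2025-10-03T02:11:09Z vpn01 auth user=m.lee src=203.0.113.9 result=FAIL
2025-10-03T02:11:12Z vpn01 auth user=svc_backup src=203.0.113.9 result=FAIL
2025-10-03T02:11:15Z vpn01 auth user=r.patel src=203.0.113.9 result=OK
2025-10-03T08:30:00Z vpn01 auth user=r.patel src=198.51.100.20 result=OK
2025-10-03T09:02:44Z vpn01 auth user=j.smith src=198.51.100.21 result=OK
2025-10-03T23:40:10Z vpn01 auth user=a.jones src=192.0.2.77 result=OK
"""

# Source addresses each user authenticated from during a clean baseline
# period (constructed). In practice build this from 30-90 days of prior logs.
BASELINE_SOURCES = {
    "r.patel": {"198.51.100.20"},
    "j.smith": {"198.51.100.21"},
    "a.jones": {"198.51.100.22"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC; an assumption, tune per site


def parse(log: str):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect_stuffing(events, min_distinct_users=3):
    """A source that fails against several different accounts is stuffing or
    spraying; the first success after that run names the account to reset."""
    failed = defaultdict(set)
    findings = []
    for e in events:
        if e["result"] == "FAIL":
            failed[e["src"]].add(e["user"])
        elif len(failed[e["src"]]) >= min_distinct_users:
            findings.append({"rule": "stuffing_success", "user": e["user"],
                             "src": e["src"], "tried": sorted(failed[e["src"]])})
    return findings


def detect_new_source(events, baseline):
    """Stolen credentials arrive from addresses the real user never used."""
    return [{"rule": "first_seen_source", "user": e["user"], "src": e["src"]}
            for e in events
            if e["result"] == "OK"
            and e["src"] not in baseline.get(e["user"], set())]


def detect_off_hours(events):
    """Successful logons outside the site's working hours."""
    return [{"rule": "off_hours_logon", "user": e["user"], "src": e["src"],
             "ts": e["ts"].isoformat()}
            for e in events
            if e["result"] == "OK" and e["ts"].hour not in BUSINESS_HOURS]


def hunt(log: str, baseline: dict):
    """Run all three detections over one log export and return the findings."""
    events = parse(log)
    return (detect_stuffing(events) + detect_new_source(events, baseline)
            + detect_off_hours(events))


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, BASELINE_SOURCES):
        print(finding)
```

On the constructed sample the stuffing rule fires on r.patel (the one success after four different accounts failed from 203.0.113.9), the baseline rule fires on that same logon and on a.jones from 192.0.2.77, and both of those also land outside business hours. Each rule alone is noisy; an account that trips two or three at once is the one to disable and reset before the affiliate has time to move laterally.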

How Qilin Steals Google Chrome Credentials

One of the most widely reported technical developments in recent Qilin analysis is the group’s systematic theft of credentials stored in Google Chrome, a tactic documented in detail by Sophos researchers in 2024.

During post-compromise activity, with domain-level access already in hand, Qilin deployed a PowerShell script through a Group Policy Object logon script, so it ran at every user logon on every domain-joined endpoint, not just the initially compromised machine. The script read the credential database Chrome keeps in each user’s profile and wrote the harvested usernames and passwords to a share on a domain controller, where the attackers collected and later deleted them; in the case Sophos analysed, the policy stayed in place for several days before the ransomware was deployed. Credentials extracted include saved logins for banking, corporate applications, email platforms, and any other services users had stored in the browser.

The implications extend well beyond the ransomware incident itself. Victims face a secondary wave of account-compromise risk across every service whose credentials were stored in Chrome, regardless of whether those services were connected to the original breach. This makes Chrome credential harvesting one of the most damaging components of a Qilin attack from a post-incident recovery standpoint.
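Because the harvester was delivered as a GPO logon script, the place to look for it (and for the next one) is the scripts folders of every policy in SYSVOL. The audit below is an added example written for this page, not Sophos's research code or Qilin's script; the indicator strings, the GPO GUIDs and the two sample scripts are constructed, and the throwaway SYSVOL tree exists only so the example runs offline. Point audit_sysvol at a real SYSVOL copy to use it.

```python
"""Audit every GPO's logon/startup script folders in a SYSVOL copy for scripts
that read browser credential stores or launch PowerShell with a policy bypass.
Indicators, GUIDs and sample script contents are constructed for the example."""
import hashlib
import re
import tempfile
from pathlib import Path

# Strings a Chrome credential harvester can rarely avoid, plus the PowerShell
# launch pattern typical of GPO-delivered loaders. An assumption for the
# example, not a published signature; extend from your own sandbox runs.
INDICATORS = {
    "chrome_login_db": re.compile(r"Login Data", re.I),
    "chrome_local_state": re.compile(r"Local State", re.I),
    "browser_profile_path": re.compile(r"User Data\\Default", re.I),
    "dpapi_unprotect": re.compile(r"CryptUnprotectData|ProtectedData\]::Unprotect", re.I),
    "sqlite_logins_query": re.compile(r"select\b.*\bfrom\s+logins", re.I | re.S),
    "ps_policy_bypass": re.compile(r"-ExecutionPolicy\s+Bypass|-EncodedCommand|-enc\s", re.I),
}
SCRIPT_EXT = {".bat", ".cmd", ".ps1", ".vbs", ".js"}
SCRIPT_DIRS = ("User/Scripts/Logon", "User/Scripts/Logoff",
               "Machine/Scripts/Startup", "Machine/Scripts/Shutdown")


def audit_sysvol(sysvol: Path):
    """Return one finding per script that matches at least one indicator."""
    findings = []
    policies = sysvol / "Policies"
    if not policies.is_dir():
        return findings
    for gpo in sorted(p for p in policies.iterdir() if p.is_dir()):
        for rel in SCRIPT_DIRS:
            folder = gpo / rel
            if not folder.is_dir():
                continue
            for script in sorted(folder.rglob("*")):
                if not script.is_file() or script.suffix.lower() not in SCRIPT_EXT:
                    continue
                text = script.read_text(errors="ignore")
                hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
                if hits:
                    findings.append({
                        "gpo": gpo.name,
                        "script": script.relative_to(sysvol).as_posix(),
                        "sha256": hashlib.sha256(script.read_bytes()).hexdigest(),
                        "indicators": hits,
                    })
    return findings


def build_demo_sysvol() -> Path:
    """Create a throwaway SYSVOL-like tree: one benign GPO and one carrying a
    loader plus a harvester stub. GUIDs and contents are hypothetical."""
    root = Path(tempfile.mkdtemp(prefix="sysvol_demo_"))
    benign = root / "Policies" / "{11111111-2222-3333-4444-555555555555}" / "User" / "Scripts" / "Logon"
    benign.mkdir(parents=True)
    (benign / "logon.bat").write_text(r"net use H: \\fs01\home /persistent:yes" + "\n")

    rogue = root / "Policies" / "{66666666-7777-8888-9999-000000000000}" / "User" / "Scripts" / "Logon"
    rogue.mkdir(parents=True)
    (rogue / "logon.bat").write_text(
        r"powershell.exe -ExecutionPolicy Bypass -File \\dc01\SYSVOL\corp.example\scripts\harvest.ps1" + "\n")
    # Placeholder lines that only reference the artefacts a harvester touches.
    (rogue / "harvest.ps1").write_text(
        r'$db = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data"' + "\n"
        r'$q  = "SELECT origin_url, username_value, password_value FROM logins"' + "\n"
        r'# ... [Security.Cryptography.ProtectedData]::Unprotect(...) per row' + "\n")
    return root


if __name__ == "__main__":
    for finding in audit_sysvol(build_demo_sysvol()):
        print(finding)
```

Two operational notes. Record the SHA-256 of every flagged script before anyone "cleans up" SYSVOL, since in the Sophos case the attackers removed their own artefacts; and run the audit against the GPO change history as well as the live tree, because a policy that existed for a few days and was then deleted is exactly the signal you are looking for.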

WSL (Windows Subsystem for Linux) Abuse, October 2025 Vector

In October 2025, researchers documented a new Qilin attack technique that abuses the Windows Subsystem for Linux (WSL), the compatibility layer that lets Linux binaries run on Windows. The technique, reported by BleepingComputer on the basis of Trend Micro’s analysis, marked a notable escalation in the group’s evasion capability: rather than running a Windows encryptor, affiliates launched Qilin’s Linux (ELF) encryptor from inside a WSL distribution on the Windows host.

Process-creation telemetry on the Windows side sees wsl.exe start and little else; what runs inside the distribution is not a Win32 process, so EDR sensors that only hook native Windows execution do not observe the encryptor. The Linux-side payload can still reach the host’s drives through the /mnt/<drive> mounts WSL provides, so files are encrypted while the Windows security layer records minimal activity. The result is a blind spot in any environment that has not explicitly extended its EDR coverage to WSL.

This technique matters because WSL is not enabled by default but is trivial to enable (wsl --install, or the Microsoft-Windows-Subsystem-Linux optional feature) for an attacker who already holds local administrator rights, and many organizations have neither blocked the feature where it is unneeded nor written detection rules for its use on servers and ordinary workstations.

Lateral Movement and Privilege Escalation

Once inside a network, Qilin affiliates move methodically toward high-value systems before triggering any encryption. Lateral movement typically relies on legitimate administrative tools (RDP, PsExec, and Windows Management Instrumentation) to avoid the anomalous process activity that behavioral detection tools are tuned to catch. This living-off-the-land approach makes Qilin intrusions particularly difficult to distinguish from normal administrative activity without mature detection baselines in place.

Privilege escalation commonly involves credential dumping using tools such as Mimikatz to extract hashed or plaintext credentials from memory, followed by pass-the-hash or pass-the-ticket techniques to authenticate as domain administrators. Once domain admin access is achieved, affiliates have full visibility and control across the environment, at which point data exfiltration and ransomware staging can begin in earnest.
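The WSL section and the lateral-movement section above describe behaviours that all surface in the same host telemetry: Sysmon process creation (event 1), Sysmon process access (event 10) and the System log's service-install record (event 7045). The rule set below is an added example for this page, not an EDR vendor's content or Qilin's tooling. The events are constructed; field names follow Sysmon (Image, ParentImage, CommandLine, SourceImage, TargetImage, GrantedAccess) and event 7045 (ServiceName, ImagePath); the host allowlist for WSL and the list of benign LSASS readers are assumptions to tune for your estate.

```python
"""Detection rules over Sysmon / System-log events for: WSL being enabled or
launched on a host where it is not sanctioned, PsExec service installs,
commands spawned by the WMI provider host, and LSASS memory reads by unknown
binaries (Mimikatz-style dumping). Events and allowlists are constructed."""
import re

WSL_IMAGES = {"wsl.exe", "wslhost.exe", "bash.exe", "wslservice.exe"}
WSL_EXPECTED_HOSTS = {"DEV-011"}  # where WSL is sanctioned (assumption)
WSL_ENABLE_RE = re.compile(
    r"wsl(\.exe)?\s+--install|Microsoft-Windows-Subsystem-Linux|VirtualMachinePlatform", re.I)
WMI_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}  # tune
PROCESS_VM_READ = 0x0010  # the access right credential dumpers need on lsass

# Constructed events, as a SIEM would export them.
SAMPLE_EVENTS = [
    # an elevated shell on a file server enabling WSL (attacker preparation)
    {"EventID": 1, "Computer": "FS-03", "Image": r"C:\Windows\System32\dism.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart"},
    # WSL launched on that same server
    {"EventID": 1, "Computer": "FS-03", "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wsl.exe -d Ubuntu -e /tmp/run.sh"},
    # the same launch on a sanctioned developer workstation: no alert
    {"EventID": 1, "Computer": "DEV-011", "Image": r"C:\Windows\System32\wsl.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "wsl.exe -d Ubuntu"},
    # PsExec dropping its service on a target host
    {"EventID": 7045, "Computer": "SQL-01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # the WMI provider host spawning PowerShell (remote WMI execution)
    {"EventID": 1, "Computer": "SQL-01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64>"},
    # an unknown binary opening lsass with VM_READ
    {"EventID": 10, "Computer": "SQL-01", "SourceImage": r"C:\Users\Public\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Defender opening lsass: benign
    {"EventID": 10, "Computer": "SQL-01",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict):
    """Return (rule, detail) pairs raised by a single event."""
    alerts = []
    eid, host = ev.get("EventID"), ev.get("Computer")
    if eid == 1:
        img, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if WSL_ENABLE_RE.search(cmd):
            alerts.append(("wsl_enabled", cmd))
        if img in WSL_IMAGES and host not in WSL_EXPECTED_HOSTS:
            alerts.append(("wsl_launch_unexpected_host", f"{parent} -> {img}: {cmd}"))
        if parent == "wmiprvse.exe" and img in WMI_CHILDREN:
            alerts.append(("wmi_remote_exec", f"{parent} -> {img}: {cmd}"))
        if img.startswith("psexesvc"):
            alerts.append(("psexec_service_exec", cmd))
    elif eid == 7045:
        svc, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        if "psexesvc" in (svc + path).lower():
            alerts.append(("psexec_service_install", f"{svc}: {path}"))
    elif eid == 10 and basename(ev.get("TargetImage", "")) == "lsass.exe":
        src = basename(ev.get("SourceImage", ""))
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if src not in LSASS_READERS and access & PROCESS_VM_READ:
            alerts.append(("lsass_memory_access", f"{src} access={hex(access)}"))
    return alerts


def run_rules(events):
    """Apply check_event to every event and flatten the alerts."""
    return [{"rule": rule, "host": ev.get("Computer"), "detail": detail}
            for ev in events for rule, detail in check_event(ev)]


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The WSL rules alert on the feature being enabled and on wsl.exe starting, because that launch is the last thing Windows-side telemetry will show: nothing inside the distribution generates Sysmon events. Where a host has no business running WSL, the stronger control is to leave the optional feature disabled and alert on the enable command itself.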

Data Exfiltration Before Encryption

Qilin consistently exfiltrates data before encrypting systems, a deliberate sequencing that underpins its double extortion strategy. Exfiltration tools observed in Qilin campaigns include both custom utilities and widely available transfer tools repurposed for bulk data movement. Sensitive files, databases, and internal documents are staged and transferred to attacker-controlled infrastructure, typically via encrypted channels to avoid triggering data-loss prevention controls.

The exfiltration phase can last days or weeks before ransomware is deployed. During this window, affiliates are identifying the most sensitive material, patient records, financial data, intellectual property, and executive communications to maximize leverage in ransom negotiations. By the time encryption begins, the attacker already holds the organization’s most valuable data and can threaten publication regardless of whether the victim recovers from backups.

Double Extortion Model Explained

Qilin operates a textbook double extortion model with a well-maintained dark web leak site, referred to internally as the “Qilin blog”, where victim organizations are named and stolen data is published when negotiations fail or no ransom is paid.

The first extortion lever is encryption: systems are locked, operations are disrupted, and a ransom demand is issued with a payment deadline. The second lever is publication: if the victim refuses to pay or attempts to recover without negotiating, Qilin publishes stolen data to its leak site, exposing the organization to regulatory scrutiny, reputational damage, and potential liability under applicable data protection laws.

This two-pressure structure is designed to eliminate the “just restore from backups” response that organizations once relied on. Even a company with clean, tested backups faces a data-exposure problem that backups cannot solve, which is precisely the point. For organizations without visibility into what data Qilin has already exfiltrated, the threat of publication creates sustained negotiation pressure that extends well beyond the initial encryption event.

Qilin Ransomware Indicators of Compromise (IOCs)

Detecting a Qilin intrusion before ransomware deploys requires visibility into the specific artifacts, behaviors, and infrastructure the group leaves behind. The indicators of compromise documented below are drawn from published CISA advisories, CrowdStrike threat intelligence, and independent malware analysis. Security teams should treat these IOCs as a baseline. Qilin actively rotates infrastructure and updates tooling between campaigns, so no single IOC list should be considered exhaustive or permanent.

Known IP Addresses (including 31.41.244.100)

Several IP addresses have been publicly associated with Qilin ransomware infrastructure across documented attack campaigns. The address 31.41.244.100 has appeared in threat intelligence reporting in connection with Qilin command-and-control activity and leak site operations. Additional IPs linked to Qilin affiliates have been observed facilitating data exfiltration, staging, and remote access during the lateral movement phase of intrusions.

Organizations should cross-reference these addresses against firewall logs, EDR telemetry, and network flow data, particularly to identify outbound connections initiated from internal systems during off-hours, a common pattern in Qilin exfiltration activity. Any confirmed communication with known Qilin infrastructure should be treated as a high-severity incident requiring immediate containment, not a low-priority alert to be reviewed in the next threat intel cycle.

Given Qilin’s use of VPS hosting and bulletproof providers to rotate infrastructure, IP-based blocking alone is insufficient as a detection strategy. These addresses are useful for retrospective forensic investigation and hunting exercises, but should be paired with behavioral detection rules for reliable coverage.
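The two things the IOC section and the exfiltration section both ask for, matching flow records against known addresses and spotting bulk off-hours egress from internal hosts, are one pass over the same data. The script below is an added example for this page, not a product or a published rule. The flow records, the internal and sanctioned-egress ranges, the volume threshold and the business-hours window are constructed assumptions; the IOC set contains only the address this page names and should be replaced by a current feed in practice.

```python
"""Cross-reference egress flow records against Qilin IOC addresses and flag
bulk transfers from internal hosts to unsanctioned destinations, weighted by
whether they happened off-hours. Flows, ranges and threshold are constructed."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

KNOWN_IOC_IPS = {"31.41.244.100"}  # the address named on this page; extend from feeds
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]
SANCTIONED_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]  # e.g. backup provider (assumed)
BULK_THRESHOLD_BYTES = 5 * 1024 ** 3   # 5 GiB per src->dst per day (assumed baseline)
BUSINESS_HOURS = range(7, 20)          # UTC; tune per site

# Constructed NetFlow-style export; bytes is the client-to-server volume.
SAMPLE_FLOWS = """\
ts,src,dst,dst_port,bytes
2025-10-04T01:05:00Z,10.20.5.17,31.41.244.100,443,18234
2025-10-04T01:10:00Z,10.20.5.17,203.0.113.50,22,3000000000
2025-10-04T01:40:00Z,10.20.5.17,203.0.113.50,22,4000000000
2025-10-04T02:00:00Z,10.20.5.17,10.20.1.5,445,6000000000
2025-10-04T03:00:00Z,10.20.7.3,198.51.100.10,443,9000000000
2025-10-04T10:15:00Z,10.20.8.9,203.0.113.200,443,10240
"""


def parse_flows(text: str):
    """Parse the CSV export into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                     "src": ipaddress.ip_address(r["src"]),
                     "dst": ipaddress.ip_address(r["dst"]),
                     "dst_port": int(r["dst_port"]),
                     "bytes": int(r["bytes"])})
    return rows


def in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)


def analyze(flows):
    """Return ioc_match findings per flow and bulk_egress findings per
    (source, destination, day) aggregate that crosses the threshold."""
    findings = []
    egress = defaultdict(lambda: {"bytes": 0, "off_hours": False, "ports": set()})
    for f in flows:
        off_hours = f["ts"].hour not in BUSINESS_HOURS
        # Any contact with a known IOC address, in either direction, is an incident.
        for ip in (f["src"], f["dst"]):
            if str(ip) in KNOWN_IOC_IPS:
                findings.append({"rule": "ioc_match", "src": str(f["src"]),
                                 "dst": str(f["dst"]), "bytes": f["bytes"],
                                 "off_hours": off_hours})
        # Only internal -> external, unsanctioned traffic is candidate exfiltration.
        if (not in_any(f["src"], INTERNAL_NETS) or in_any(f["dst"], INTERNAL_NETS)
                or in_any(f["dst"], SANCTIONED_EGRESS)):
            continue
        agg = egress[(str(f["src"]), str(f["dst"]), f["ts"].date())]
        agg["bytes"] += f["bytes"]
        agg["ports"].add(f["dst_port"])
        agg["off_hours"] |= off_hours
    for (src, dst, _day), agg in egress.items():
        if agg["bytes"] >= BULK_THRESHOLD_BYTES:
            findings.append({"rule": "bulk_egress", "src": src, "dst": dst,
                             "bytes": agg["bytes"], "ports": sorted(agg["ports"]),
                             "off_hours": agg["off_hours"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

On the sample, the small connection to 31.41.244.100 is caught by the IOC match regardless of size, and the 7 GB pushed over SSH to 203.0.113.50 between 01:10 and 01:40 is caught by volume; the 9 GB to the sanctioned backup range and the internal SMB copy are ignored. The per-day aggregation is what makes the rule resilient to affiliates who split a staging archive into many flows, and the off-hours flag is a severity modifier rather than a filter, since daytime exfiltration is common too.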

File Hashes and Malware Signatures

Qilin ransomware samples have been catalogued across multiple malware repositories and threat intelligence platforms. The group’s Rust-based encryptor, the current primary payload, produces binaries with distinct characteristics that antivirus and EDR vendors have incorporated into detection signatures following the public disclosure of major campaigns.

Key file-based indicators observed across Qilin samples include ransomware executables dropped under randomized filenames in temporary or user-accessible directories, the presence of credential harvesting scripts targeting Chrome’s local credential database, and GPO-linked scripts distributed to domain-joined endpoints once domain-level privileges have been obtained. The encrypted files produced by Qilin are typically appended with a custom extension unique to each affiliate campaign, which can aid in variant identification during incident response.

For current, verified file hashes, security teams should pull directly from CISA’s published advisories, the Malware Bazaar repository maintained by Abuse.ch, and commercial threat intelligence feeds, as static hash lists embedded in blog posts become stale quickly given the group’s active development cadence.

MITRE ATT&CK Technique Mapping

Qilin’s attack chain maps across multiple MITRE ATT&CK tactics, providing a structured framework for detection engineering and threat hunting. The most consistently observed techniques include:

Initial Access: T1078 Valid Accounts (VPN credential abuse); T1566 Phishing

Execution: T1059 Command and Scripting Interpreter (PowerShell and batch scripts); T1047 Windows Management Instrumentation; T1072 Software Deployment Tools (GPO-delivered script execution; T1484.001 Domain Policy Modification: Group Policy Modification is the more precise mapping for the GPO change itself)

Credential Access: T1003.001 OS Credential Dumping: LSASS Memory (Mimikatz); T1555.003 Credentials from Web Browsers (Chrome credential theft)

Defense Evasion: T1562.009 Impair Defenses: Safe Mode Boot; T1036 Masquerading; WSL abuse has no dedicated technique ID, and most teams record it under T1059.004 Command and Scripting Interpreter: Unix Shell with a note that the shell is WSL

Lateral Movement: T1021.001 Remote Services: Remote Desktop Protocol; T1021.002 Remote Services: SMB/Windows Admin Shares (PsExec); T1550.002 Use Alternate Authentication Material: Pass the Hash; T1550.003 Pass the Ticket

Exfiltration: T1041 Exfiltration Over C2 Channel; T1048 Exfiltration Over Alternative Protocol (standalone transfer tools)

Impact: T1486 Data Encrypted for Impact; T1490 Inhibit System Recovery

Mapping Qilin activity to ATT&CK provides detection engineers with the foundation to build or validate existing SIEM rules, EDR behavioral policies, and threat-hunting playbooks tailored to this group’s known behavior patterns.

CISA Advisories and Official IOC Sources

The Cybersecurity and Infrastructure Security Agency (CISA) has referenced Qilin ransomware activity in multiple advisories, particularly in the context of healthcare sector threats and cross-sector ransomware guidance. These advisories represent the most authoritative publicly available IOC sets and should be the first stop for any organization building detection coverage specifically targeting Qilin.

Beyond CISA, the following sources maintain actively updated Qilin-related threat intelligence:

The UK National Cyber Security Centre (NCSC) published guidance following the Synnovis/NHS incident and remains an important source for Qilin IOCs relevant to European targets. CrowdStrike’s adversary intelligence portal tracks Qilin under its own internal naming convention and publishes detailed TTP analysis accessible to customers. Sophos X-Ops conducted foundational research on the Chrome credential-harvesting technique. Abuse.ch’s Malware Bazaar and MalShare maintain community-submitted sample repositories that include Qilin variants submitted as part of active campaigns.

For organizations that lack the internal capacity to operationalize raw IOC feeds, automated dark web monitoring platforms can surface Qilin-related data exposure, including leaked credentials and mentions of your organization on Qilin’s leak site, before the information is weaponized further.

Qilin’s Leak Site and Dark Web Infrastructure

Every major ransomware group operating a double extortion model requires two things beyond the malware itself: a negotiation channel and a publication platform. Qilin has built both into a functioning dark web infrastructure that runs parallel to its attack operations, giving the group persistent leverage over victims long after the initial encryption event.

How the Qilin Blog / Leak Site Operates

Qilin maintains a dedicated leak site, referred to within the group’s communications as the “Qilin blog”, accessible via the Tor network using an .onion address. The site serves as the public-facing arm of the group’s extortion operation, functioning simultaneously as a threat delivery mechanism and a reputational signal to future victims that non-payment carries real consequences.

The site’s structure follows the standard format established across the ransomware ecosystem: a list of named victim organizations, countdown timers tied to payment deadlines, and staged data releases designed to escalate pressure. Initial listings typically include a partial data preview, enough to confirm that the breach is real and that the stolen data is sensitive, without releasing the full dataset. This staged approach is deliberate. Qilin releases data in tranches to maintain negotiation leverage for as long as possible, rather than publishing everything immediately and eliminating the incentive to pay.

The leak site is hosted on infrastructure specifically chosen for its resistance to takedown. Bulletproof hosting providers and Tor-based .onion routing make the site difficult for law enforcement or security vendors to disrupt, and Qilin has demonstrated the ability to migrate infrastructure and restore the site following any partial disruption to its operations.

Victim Naming and Extortion Tactics

When an organization is listed on the Qilin leak site, the entry typically includes the victim’s full legal name, industry sector, country of operation, an estimated data volume, and a description of the data types stolen. This level of detail is intentional; it signals to the victim that Qilin has conducted thorough reconnaissance and understands exactly what it holds, while simultaneously broadcasting the breach to the victim’s customers, partners, regulators, and competitors who monitor dark web sources.

The extortion timeline generally follows a predictable pattern. After ransomware is deployed and the initial ransom demand is delivered, the victim is given a deadline, typically between three and ten days, to contact the ransomware operator through a Tor-based negotiation portal. If no contact is made or negotiations collapse, the victim is listed publicly on the leak site with a secondary countdown before full data publication begins.

Qilin affiliates have also been observed applying additional pressure tactics during negotiations, including threatening to notify the victim’s regulators directly of the breach, contacting individual executives named in the stolen data, and, in some cases, reaching out to the victim’s clients or business partners to amplify reputational damage. These escalation tactics reflect a sophisticated understanding of the organizational pressure points that accelerate ransom payment decisions.

Monitoring Qilin’s Dark Web Activity

For security teams and threat intelligence professionals, tracking Qilin’s leak site activity provides early warning of new campaigns, targeted industries, and active infrastructure in use. The challenge is that manual monitoring of dark web sources at any meaningful scale is operationally difficult: sites on .onion addresses require Tor access, infrastructure changes without notice, and the volume of ransomware group activity across the broader dark web ecosystem makes manual tracking unsustainable for most organizations.

The more immediate concern for most organizations is not tracking Qilin in the abstract; it is knowing whether their own data, their employees’ credentials, or their organization’s name has already appeared on Qilin’s site or in the dark web data markets where stolen datasets are subsequently traded.

Automated dark web monitoring closes this gap. Platforms like DeXpose continuously index ransomware leak sites, dark web markets, and breach data sources, alerting organizations the moment their data surfaces, whether from a Qilin listing, a credential dump, or any other dark web exposure event. For organizations operating in sectors Qilin actively targets, early warning capability is the difference between getting ahead of a breach disclosure and reading about your own data on someone else’s threat intelligence feed.

Monitor your organization’s dark web exposure with DeXpose →

Qilin Ransomware in 2025, Scale and Threat Ranking

By 2025, Qilin had moved firmly out of the “emerging threat” category and into the tier of ransomware groups that security organizations actively track, brief executives on, and build detection programs around. The combination of a high-revenue affiliate model, rapidly evolving technical capabilities, and a consistent operational tempo across multiple sectors pushed Qilin into the upper bracket of global ransomware activity, a position it has held and reinforced through early 2026.

How Prolific Is Qilin? Comparison with Akira, LockBit, and Others

Ransomware group activity is typically measured by leak site victim listings, an imperfect but widely used proxy for attack volume, since it captures only cases where ransom negotiations failed or were never initiated. By this measure, Qilin ranked among the top five most active ransomware groups globally in 2025, with monthly victim counts that, at peak periods, rivaled those of Akira, one of the most consistently active RaaS operations over the past two years.

The comparison with LockBit is instructive. Following coordinated law enforcement action against LockBit infrastructure in early 2024, Operation Cronos, the ransomware ecosystem saw experienced affiliates redistribute across surviving operations. Qilin was among the beneficiaries, absorbing skilled operators who brought existing access and established intrusion methodologies with them. This affiliate migration effect is a well-documented pattern in the ransomware economy: disrupting a major group rarely eliminates the underlying workforce; it reallocates it.

Against Akira specifically, Qilin competes for similar target profiles, mid-market enterprises, healthcare organizations, and critical infrastructure, and has matched or exceeded Akira’s monthly listing counts during surge periods in 2025. Where Akira has historically been more prolific in raw volume, Qilin has demonstrated a higher average impact per attack, driven by the sophistication of its credential-harvesting and lateral-movement capabilities.

Key Incidents and Surge Periods (January 2026 Activity)

Qilin’s activity in 2025 was not uniformly distributed. The group showed distinct surge patterns, with elevated victim listings during periods that appeared to correlate with new affiliate recruitment cycles and updated tooling releases, a pattern consistent with how RaaS operations roll out capability upgrades across their affiliate networks.

The post-summer 2025 period was particularly active, coinciding with the documented release of the WSL-based attack technique and a corresponding increase in successful intrusions against organizations running standard Windows endpoint security without Linux-layer detection coverage. This technical edge likely contributed to higher intrusion success rates during the window before defenders updated their detection rules.

Into January 2026, Qilin maintained an elevated operational tempo. New victim listings continued to appear on the group’s leak site at a consistent rate, with targets spanning North America, Europe, and Asia-Pacific. There was no indication of the kind of operational pause or infrastructure disruption that typically precedes or follows law enforcement action, suggesting the group entered 2026 with stable infrastructure, an active affiliate base, and no immediate pressure to reduce its operational footprint.

Industries and Geographies Most Targeted

Qilin’s targeting is neither random nor purely opportunistic. Analysis of confirmed victims across 2023–2026 reveals clear sectoral and geographic patterns that reflect deliberate affiliate targeting decisions.

Healthcare has been the most consistently targeted sector, accounting for a disproportionate share of Qilin’s high-profile victims. Hospitals and healthcare service providers represent an ideal target profile for ransomware: they hold highly sensitive data, operate under intense pressure to restore systems quickly, and have historically underfunded cybersecurity relative to the value of the data they hold. The Synnovis/NHS attack was the most visible example of this targeting logic, but it was not an outlier; it was a high-consequence instance of a sector-wide pattern.

Education, manufacturing, and professional services make up the next tier of industries frequently targeted. Local government and municipal infrastructure, as demonstrated in the Abilene, Texas incident, have also featured with increasing regularity as Qilin affiliates recognize that public sector organizations face the same recovery urgency as healthcare organizations, with comparably limited security resources.

Geographically, Qilin’s victims are concentrated in the United States, the United Kingdom, Australia, and Western Europe: English-speaking, high-GDP markets where ransom payment capacity is highest and data protection regulatory exposure provides additional leverage. The group’s documented avoidance of CIS-region targets remains consistent with the broader pattern, reinforcing the assessment that its core operators are based in or aligned with Russian-speaking cybercriminal networks.

How to Detect and Respond to a Qilin Ransomware Attack

Detection and response to a Qilin intrusion operate on two very different timelines. The ideal scenario is to catch the attack during the pre-encryption phase, while affiliates are moving laterally, escalating privileges, or staging data for exfiltration. The more common scenario is discovering the intrusion after encryption has already occurred, at which point the response shifts from prevention to containment, recovery, and the management of the secondary threat of data publication. Both scenarios demand a structured approach.


Is There a Qilin Decryptor?

As of early 2026, there is no publicly available free decryptor for Qilin ransomware. Unlike some ransomware strains, for which law enforcement operations have recovered decryption keys and released them through platforms like No More Ransom, Qilin’s encryption implementation, built on its Rust-based payload, has not been publicly broken.

Organizations that have fallen victim to Qilin and are hoping for a technical fix without payment should check the No More Ransom Project (nomoreransom.org) for any updated decryptor releases, as this is where law enforcement-recovered keys are published when they become available. However, as of the time of writing, no Qilin-specific decryptor exists in the public domain. Engaging a reputable incident response firm is the most reliable path to understanding recovery options specific to the variant and encryption implementation used in a given attack.

Immediate Incident Response Steps

When a Qilin ransomware attack is confirmed or suspected, the priority sequence matters. Acting in the wrong order, or too slowly, can allow ongoing exfiltration to continue or destroy forensic evidence needed for the investigation.

The immediate response should follow this sequence: isolate affected systems from the network without powering them down where possible, so that memory artifacts that may contain encryption keys or attacker tooling are preserved. Activate your incident response retainer or engage an external IR firm immediately if internal capability is limited. Notify legal counsel in parallel, since data exfiltration triggers regulatory notification obligations in most jurisdictions, with defined timelines that run from the point of discovery.

Preserve all available logs (firewall, EDR, Active Directory, VPN authentication, and DNS) before any remediation activity begins. These are the foundation of the forensic investigation and will determine the full scope of the breach. Do not wipe and rebuild systems before forensic imaging is complete.

Assess whether Qilin has already listed or threatened to list your organization on its leak site, and monitor the group’s dark web presence throughout the incident. The status of that listing will directly inform negotiation decisions and the timing of regulatory disclosures.
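The log-preservation step above is easy to get wrong under pressure, so here is an added example (not from the original page) of a small collection script that copies each log into an evidence directory, records a SHA-256 and size per file in a manifest, and re-verifies the copies afterwards. The log file names, their contents, and the case identifier are constructed sample values.

```python
"""Preserve log files with integrity hashes before remediation starts.

Added example (not from the original page): each source log is copied
into an evidence directory, hashed on both sides, and recorded in a
manifest so a later reviewer can show the copy is unchanged since
collection. Sample log names, contents and the case id are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

SAMPLE_LOGS = {  # constructed sample content, not real telemetry
    "vpn_auth.log": "2026-01-10T02:14:07Z user=jdoe src=203.0.113.9 result=ok\n",
    "dns.log": "2026-01-10T02:15:01Z q=example-update.invalid type=A\n",
}


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large EDR/firewall logs fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources: list, evidence_dir: str, case_id: str) -> dict:
    """Copy each source into evidence_dir and return the manifest written there."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for i, src in enumerate(sources):
        if not os.path.isfile(src):
            entries.append({"source": src, "status": "missing"})  # record, don't abort
            continue
        dest = os.path.join(evidence_dir, f"{i:03d}_{os.path.basename(src)}")
        shutil.copy2(src, dest)  # copy2 keeps the original timestamps
        src_hash, dst_hash = sha256_of(src), sha256_of(dest)
        entries.append({
            "source": src,
            "preserved_as": dest,
            "size": os.path.getsize(dest),
            "sha256": dst_hash,
            "status": "ok" if src_hash == dst_hash else "hash_mismatch",
        })
    manifest = {
        "case_id": case_id,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(evidence_dir: str) -> bool:
    """Re-hash every preserved copy and compare against the manifest."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return all(
        e["status"] == "ok" and sha256_of(e["preserved_as"]) == e["sha256"]
        for e in manifest["entries"]
        if e["status"] != "missing"
    )


def demo() -> dict:
    """Write the constructed sample logs to a temp dir, preserve and verify them."""
    work = tempfile.mkdtemp(prefix="qilin_ir_")
    sources = []
    for name, text in SAMPLE_LOGS.items():
        path = os.path.join(work, name)
        with open(path, "w") as f:
            f.write(text)
        sources.append(path)
    sources.append(os.path.join(work, "not_there.log"))  # a source that does not exist
    evidence = os.path.join(work, "evidence")
    manifest = preserve_logs(sources, evidence, "IR-0001")  # constructed case id
    manifest["verified"] = verify_manifest(evidence)
    return manifest


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the collection before any rebuild and keep the manifest with the evidence; a missing source is recorded rather than silently skipped so the gap in coverage is visible in the investigation.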

CISA and CrowdStrike Guidance Summary

CISA has addressed Qilin ransomware activity within its broader healthcare and critical infrastructure ransomware advisories, recommending a set of defensive measures that align directly with the group’s known attack vectors. The core guidance centers on promptly patching VPN appliances and remote access infrastructure, enforcing phishing-resistant multi-factor authentication across all remote access points, segmenting networks to limit lateral movement, and explicitly extending EDR coverage to WSL environments on Windows endpoints.

CrowdStrike tracks Qilin within its adversary intelligence framework and has published a detailed TTP analysis on its threat intelligence portal. CrowdStrike’s guidance emphasizes behavioral detection over signature-based approaches: given Qilin’s use of legitimate administrative tools for lateral movement, signature detection alone will miss a significant portion of the attack chain. Detection engineering should focus on anomalous use of RDP, WMI, and PsExec, particularly in combination with credential dumping activity and unusual outbound data transfer volumes.

Both organizations emphasize that the window between initial access and ransomware deployment in Qilin campaigns is measured in days to weeks, meaning organizations with mature detection capabilities have a realistic opportunity to identify and evict the threat before encryption occurs, provided they are actively hunting rather than waiting for alerts.
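The combination logic in the two preceding subsections (lateral movement via RDP, WMI or PsExec, credential dumping, bulk outbound transfer, and the WSL coverage gap) is what a detection engineer would encode, so here is an added example of a correlation rule. It is not code from the original page, CISA, or CrowdStrike: it scores each host by which independent signals co-occur inside a sliding window, so a one-off admin PsExec run does not alert but lateral movement plus LSASS access or bulk outbound transfer does. The host names, events, the 5 GiB outbound baseline, and the 24 h window are constructed or assumed values.

```python
"""Behavioural correlation for Qilin-style pre-encryption activity.

Added example (not from the original page, CISA or CrowdStrike). Events
are assumed to be normalized dicts from an EDR/SIEM; the sample events,
host names, outbound baseline and window are constructed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WSL_LAUNCHERS = {"wsl.exe", "bash.exe", "wslhost.exe"}
OUTBOUND_THRESHOLD = 5 * 1024 ** 3   # assumed per-host 24 h outbound baseline (5 GiB)
WINDOW = timedelta(hours=24)


def classify(ev: dict):
    """Map one normalized endpoint event to a signal name, or None if benign."""
    kind = ev["kind"]
    if kind == "process":
        image = ev["image"].lower()
        parent = ev.get("parent", "").lower()
        if image in {"psexesvc.exe", "psexec.exe"}:
            return "lateral_psexec"        # PsExec service or client
        if parent == "wmiprvse.exe" and image in SHELLS:
            return "lateral_wmi"           # shell spawned by the WMI provider host
        if image in WSL_LAUNCHERS:
            return "wsl_launch"            # Linux layer starting on a Windows endpoint
    elif kind == "logon" and ev.get("logon_type") == 10:
        return "lateral_rdp"               # interactive RDP logon
    elif kind == "process_access" and ev.get("target", "").lower() == "lsass.exe":
        return "cred_access"               # handle opened to LSASS
    return None


def severity(signals: set) -> int:
    """3 = probable hands-on intrusion, 2 = investigate, 1 = review, 0 = nothing."""
    lateral = {s for s in signals if s.startswith("lateral_")}
    if lateral and (signals & {"cred_access", "bulk_outbound"}):
        return 3
    if len(lateral) >= 2 or (lateral and "wsl_launch" in signals):
        return 2
    if "wsl_launch" in signals or "cred_access" in signals:
        return 1
    return 0                               # e.g. bulk outbound alone: backups do that too


def correlate(events: list, window=WINDOW, threshold=OUTBOUND_THRESHOLD) -> dict:
    """Return {host: {"severity": n, "signals": [...]}} over a per-host sliding window."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    result = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best = {"severity": 0, "signals": []}
        for i, anchor in enumerate(evs):   # every event may open a window
            signals, out_bytes = set(), 0
            for ev in evs[i:]:
                if ev["ts"] - anchor["ts"] > window:
                    break
                if ev["kind"] == "netflow":
                    if ev.get("direction") == "out":
                        out_bytes += ev["bytes"]
                else:
                    sig = classify(ev)
                    if sig:
                        signals.add(sig)
            if out_bytes >= threshold:
                signals.add("bulk_outbound")
            sev = severity(signals)
            if sev > best["severity"] or (sev == best["severity"] and len(signals) > len(best["signals"])):
                best = {"severity": sev, "signals": sorted(signals)}
        result[host] = best
    return result


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


SAMPLE_EVENTS = [  # constructed telemetry; host names and images are not real IOCs
    {"host": "WS-FIN-07", "ts": _t("2026-01-12T01:00:00"), "kind": "logon", "logon_type": 10},
    {"host": "WS-FIN-07", "ts": _t("2026-01-12T01:20:00"), "kind": "process", "image": "PSEXESVC.exe", "parent": "services.exe"},
    {"host": "WS-FIN-07", "ts": _t("2026-01-12T01:25:00"), "kind": "process_access", "source": "update_helper.exe", "target": "lsass.exe"},
    {"host": "WS-FIN-07", "ts": _t("2026-01-12T03:00:00"), "kind": "netflow", "direction": "out", "bytes": 6 * 1024 ** 3},
    {"host": "WS-HR-02", "ts": _t("2026-01-12T09:00:00"), "kind": "process", "image": "wsl.exe", "parent": "explorer.exe"},
    {"host": "SRV-FILE-01", "ts": _t("2026-01-12T02:00:00"), "kind": "netflow", "direction": "out", "bytes": 7 * 1024 ** 3},
    {"host": "WS-ENG-11", "ts": _t("2026-01-12T10:00:00"), "kind": "process", "image": "cmd.exe", "parent": "WmiPrvSE.exe"},
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(f"{host:12} severity={finding['severity']} signals={finding['signals']}")
```

The point of the scoring is the second paragraph's "in combination": a file server pushing 7 GiB outbound, or one WMI-spawned shell, scores zero on its own, while the workstation that sees an RDP logon, a PsExec service, an LSASS handle and bulk outbound traffic within two hours scores 3. WSL launches are kept as a low-severity review item so the Linux layer stops being a blind spot.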

How Dark Web Monitoring Catches Qilin Exposure Early

One of the most underutilized detection layers against ransomware groups like Qilin is dark web monitoring, and it operates on a timeline that precedes the attack itself.

Before Qilin affiliates breach an organization, they typically acquire access through stolen credentials. Those credentials, belonging to employees, contractors, or third-party vendors, are bought and sold on dark web markets and infostealer log repositories, often weeks or months before they are used in an intrusion. An organization with active dark web monitoring in place will surface exposed credentials before an affiliate has a chance to weaponize them, enabling password resets and MFA enforcement that closes the access vector entirely.

After an attack, dark web monitoring provides a different but equally critical function: visibility into whether your organization has been listed on Qilin’s leak site, whether stolen data is being traded in dark web markets, and whether additional credentials exposed during the breach are circulating in criminal forums. This post-incident visibility directly informs regulatory disclosure decisions, negotiation posture, and the scope of the breach notification that affected individuals and regulators will ultimately receive.
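To make the two monitoring functions above concrete, here is an added example (not code from the original page and not DeXpose's own tooling) that takes stealer-log style credential records and leak-site index entries, both constructed samples, and returns which accounts need a reset, ranked by whether the exposed login fronts remote access, plus whether the organization appears on a listing. The organization's domains and names, the record format, and the remote-access host-name prefixes are assumed values.

```python
"""Match exposed credential records and leak-site listings to an organization.

Added example (not from the original page, not DeXpose code). The record
format "url|username|password|seen", the monitored domains, org names and
remote-access prefixes are all assumed; sample data is constructed.
"""
import re
from urllib.parse import urlsplit

MONITORED_DOMAINS = {"example-health.org", "examplehealth.com"}   # assumed org domains
ORG_NAMES = {"Example Health System", "Example Health"}           # assumed org names
# First host label that usually fronts remote access: a hit here is the
# pre-attack access vector the text describes, so it outranks other logins.
REMOTE_ACCESS_PREFIXES = ("vpn", "sso", "remote", "citrix", "gateway", "owa", "mail")
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2}

SAMPLE_RECORDS = [  # constructed; passwords redacted, hosts use reserved TLDs
    "https://vpn.example-health.org/remote/login|jdoe@example-health.org|<redacted>|2025-11-02",
    "https://vpn.example-health.org/remote/login|jdoe@example-health.org|<redacted>|2025-12-15",
    "https://portal.examplehealth.com/|asmith|<redacted>|2025-10-20",
    "https://www.example-shop.test/account|bwhite@example-health.org|<redacted>|2025-09-30",
    "https://login.other-corp.test/|tlee@other-corp.test|<redacted>|2025-12-01",
    "https://notexample-health.org/login|eve@notexample-health.org|<redacted>|2025-12-05",
]

SAMPLE_LISTINGS = [  # constructed leak-site index entries
    {"title": "EXAMPLE HEALTH SYSTEM - 1.2 TB", "posted": "2026-01-08"},
    {"title": "Some Other Corp", "posted": "2026-01-09"},
    {"title": "Healthy Example Bakery", "posted": "2026-01-10"},  # shares words, not a match
]


def in_scope(host: str) -> bool:
    """True for a monitored domain or a subdomain of one; 'notexample-health.org' is not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MONITORED_DOMAINS)


def classify_record(line: str):
    """Return a finding for one record, or None if it does not touch the org."""
    url, user, _password, seen = line.split("|", 3)
    host = (urlsplit(url).hostname or "").lower()
    user_domain = user.rsplit("@", 1)[1].lower() if "@" in user else ""
    site_hit, user_hit = in_scope(host), in_scope(user_domain)
    if not (site_hit or user_hit):
        return None
    if site_hit and host.split(".")[0] in REMOTE_ACCESS_PREFIXES:
        priority = "critical"   # corporate remote-access portal credential
    elif site_hit:
        priority = "high"       # other corporate application login
    else:
        priority = "medium"     # corporate e-mail reused on a third-party site
    return {"user": user.lower(), "host": host, "priority": priority, "seen": seen}


def exposed_accounts(records: list) -> list:
    """Deduplicate by (user, host), keep the newest sighting, rank by priority."""
    latest = {}
    for line in records:
        r = classify_record(line)
        if r is None:
            continue
        key = (r["user"], r["host"])
        if key not in latest or r["seen"] > latest[key]["seen"]:
            latest[key] = r
    return sorted(latest.values(), key=lambda r: (PRIORITY_RANK[r["priority"]], r["user"]))


def _tokens(text: str) -> set:
    return set(re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split())


def listed_on_leak_site(listings: list, org_names=ORG_NAMES) -> list:
    """Entries whose title contains every word of one of the org's names."""
    return [e for e in listings if any(_tokens(n) <= _tokens(e["title"]) for n in org_names)]


if __name__ == "__main__":
    for a in exposed_accounts(SAMPLE_RECORDS):
        print(f"{a['priority']:8} reset {a['user']} (seen {a['seen']} on {a['host']})")
    for hit in listed_on_leak_site(SAMPLE_LISTINGS):
        print("listed:", hit["title"], "posted", hit["posted"])
```

Two details carry the weight here: the domain check insists on a dot boundary, so a look-alike domain that merely ends in the org's name is not treated as the org, and a corporate e-mail address reused on an unrelated site is still queued for a reset, because that is exactly the credential an affiliate would try against the VPN.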

Monitor Your Organization with DeXpose

DeXpose continuously monitors dark web markets, ransomware leak sites (including active Qilin listings), infostealer logs, and breach data sources across the dark web ecosystem. When your organization’s credentials, data, or name surface anywhere in that landscape, DeXpose surfaces them first.

For organizations operating in sectors Qilin actively targets (healthcare, education, manufacturing, and local government), early warning capability is not a nice-to-have: the detection layer sits in front of the attack itself.

Start monitoring your organization’s dark web exposure with DeXpose →

Conclusion

Qilin is not a threat on the horizon; it is an active, technically capable ransomware operation that has already disrupted hospitals, school systems, and critical infrastructure across multiple continents. The group’s willingness to evolve its tooling, combined with an aggressive affiliate model and a functioning dark web extortion infrastructure, makes it one of the most consequential ransomware threats organizations face heading into 2026.

Detection starts before the attack. The credentials Qilin affiliates use to breach organizations are circulating on dark web markets before any intrusion occurs, and that exposure window is where monitoring makes a difference.

DeXpose continuously tracks dark web leak sites, infostealer logs, and breach data sources, so your organization can surface threats before they escalate.

Get your free dark web report at dexpose.io/free-darkweb-report →

Frequently Asked Questions (FAQs)

What country is the Qilin ransomware group from?

Qilin is widely assessed to originate from Russia or a Russian-speaking country, based on code artifacts, operational patterns, and the group’s documented policy of avoiding targets in CIS-region nations, a hallmark of Russia-aligned cybercriminal operations. No formal government attribution has been publicly issued as of 2026.

What is the difference between Qilin and Agenda ransomware?

Qilin and Agenda are the same ransomware group. Agenda was the original name used when the group first appeared in 2022 with Go-based malware; the group later rebranded as Qilin and rebuilt its payload in Rust. Both names refer to the same threat actor and are used interchangeably across threat intelligence reporting.

Has anyone recovered files from a Qilin attack for free?

As of early 2026, no free decryptor for Qilin ransomware exists in the public domain. Victims should check the No More Ransom Project (nomoreransom.org) for any future decryptor releases. Until one appears, recovery without paying a ransom depends on the availability of clean backups or on engaging a professional incident response firm.

What data does Qilin steal before encrypting?

Qilin exfiltrates sensitive files, internal databases, and documents before deploying ransomware, and specifically harvests credentials stored in Google Chrome across all domain-joined machines via a GPO-distributed script. This means stolen data routinely includes saved passwords, patient or customer records, financial data, and executive communications.

How do I know if my organization’s data is on the Qilin leak site?

Manually monitoring Qilin’s dark web leak site requires Tor access and consistent tracking as the group’s infrastructure changes. The more reliable approach is automated dark web monitoring. Platforms like DeXpose continuously index ransomware leak sites and alert your organization the moment your name, data, or credentials appear, without requiring direct dark web access.
