Executive Overview
Qilin, also known internally by some actors as Agenda, is one of the most active and dangerous ransomware operations seen in 2024–2025. It operates under a Ransomware-as-a-Service (RaaS) model, meaning a core group develops the malware while multiple affiliates carry out attacks using their tooling. This model allows Qilin to scale quickly and adapt its techniques depending on the target.
By late 2025, Qilin consistently ranked among the top three ransomware groups worldwide, responsible for a large percentage of global ransomware incidents. What makes Qilin particularly dangerous is not just the encryption itself, but the way attacks are carefully staged, manually operated, and aimed at causing maximum operational damage—especially in virtualized and enterprise environments.
Qilin attacks are not noisy, fast-spreading worms. They are quiet, patient, human-driven intrusions that may remain undetected for days or weeks before encryption begins.
What Qilin Ransomware Is
Qilin is a double-extortion ransomware. This means victims are attacked in two ways:
- File encryption that renders systems unusable
- Data theft, followed by threats to leak sensitive data if payment is not made
Earlier versions of Qilin were written in Go (Golang). In late 2023, the operators rewrote the malware in Rust, which significantly improved its stealth, performance, and cross-platform capability. The Rust version can target:
- Windows workstations and servers
- Linux servers
- VMware ESXi hypervisors
This rewrite also makes the malware harder to reverse engineer and easier to customize per victim.
How a Qilin Attack Typically Happens
Qilin attacks follow a structured lifecycle, similar to a professional penetration test—but with criminal intent.
1. Initial Entry Into the Network
Qilin does not rely on a single entry method. Affiliates choose whatever is easiest for the specific victim.
The most common entry paths include:
- Phishing emails: carefully crafted emails that contain malicious links or attachments. In several campaigns, fake IT tools (such as trojanized RVTools installers) were used to trick administrators.
- Exposed remote services: unpatched or poorly secured VPNs, firewalls, and remote management tools are frequently exploited. Products from Citrix, Fortinet, Ivanti, and ScreenConnect have all been abused.
- Stolen credentials: affiliates often buy valid RDP or VPN credentials from underground brokers. If MFA is not enabled, this gives instant access with little effort.
At this stage, the attacker usually blends in with normal user activity.
2. Establishing Control and Privilege Escalation
Once inside, the attacker’s first goal is administrative control.
Typical techniques include:
- Dumping credentials from memory using tools like Mimikatz
- Extracting passwords and hashes from LSASS
- Abusing vulnerable kernel drivers (BYOVD – Bring Your Own Vulnerable Driver) to gain SYSTEM-level access
- Installing Remote Server Administration Tools (RSAT) to interact with Active Directory
After domain admin or equivalent privileges are obtained, the environment is effectively compromised.
3. Lateral Movement Across the Network
With elevated privileges, Qilin operators move laterally to as many systems as possible.
They commonly use:
- PsExec over SMB
- RDP for interactive access
- SSH in mixed Windows/Linux environments
- Cobalt Strike beacons for command-and-control
- AnyDesk or similar tools where already installed
In some documented campaigns, attackers compromised a Managed Service Provider (MSP) and used that access to deploy ransomware simultaneously across dozens of downstream customers.
4. Defense Evasion and Preparation
Before encryption, Qilin operators actively weaken defenses:
- Disabling or uninstalling EDR and antivirus agents
- Clearing Windows Event Logs to erase evidence
- Deleting Volume Shadow Copies
- Searching for and deleting online backups
- Modifying registry settings to improve network throughput for mass operations
A particularly dangerous technique used by Qilin is rebooting systems into Safe Mode, where many security tools do not run. Encryption then occurs while defenses are effectively blind.
5. Data Theft and Encryption
Sensitive data is collected first and exfiltrated using tunneling tools or encrypted HTTPS channels.
Encryption follows:
- ChaCha20 is used to encrypt file contents (fast and effective)
- RSA-4096 protects the encryption keys
- Files are renamed with extensions such as:
  - .qilin
  - .qln
  - .agenda
  - or victim-specific custom extensions
Ransom notes are dropped in each directory, instructing victims on how to negotiate and pay.
VMware ESXi and Virtual Environment Attacks
Qilin is especially dangerous to organizations running VMware.
The ransomware includes logic specifically designed to:
- Connect to vCenter
- Stop running virtual machines
- Disable High Availability (HA) and Distributed Resource Scheduler (DRS)
- Ensure VM disk files are unlocked before encryption
This allows attackers to encrypt entire virtual infrastructures, often bringing hundreds of systems down at once.
Indicators of Compromise (IOCs)
File Extensions
- .qilin
- .qln
- .agenda
- Custom extensions unique to each victim
Ransom Notes
- README.txt
- qilin_readme.txt
- HOW_TO_RECOVER_FILES.txt
- README-RECOVER-[company].txt
Common Malicious Filenames
- encryptor.exe
- w.exe
- hosts.exe
- dato.exe
- rs64c.exe (SSH tunneling tool)
- Randomized PsExec executables
Known Malicious Domains
- cloudflariz[.]com
- rv-tool[.]net
Known IP Addresses (Observed in 2025)
- 184.174.96[.]74
- 180.131.145[.]73
- 216.120.203[.]26
- 31.192.107[.]144
Suspicious Commands and Behaviors
- vssadmin delete shadows /all /quiet
- Event log clearing via PowerShell
- Mass AD enumeration
- PsExec execution with -accepteula
- Reboot into Safe Mode without user interaction
How Qilin Can Be Detected
Detection should focus on behavior, not just hashes.
Key warning signs include:
- Sudden use of PsExec across multiple hosts
- PowerShell scripts interacting with vCenter or ESXi APIs
- Safe Mode reboots outside of maintenance windows
- Large outbound HTTPS transfers to unknown domains
- Rapid deletion of shadow copies and backups
- Installation of RSAT on non-admin systems
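To make the behavior-based approach above concrete, here is an added example (not from the original article) that runs a few of these heuristics over constructed process-creation events: shadow copy deletion, event log clearing, Safe Mode reboot preparation, and PsExec fan-out from one operator to several hosts. The bcdedit safeboot and wevtutil patterns are assumptions about common Windows tooling for the behaviors the article names, not indicators the article lists.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events as (host, user, command line).
# These are illustrative, not real telemetry from a Qilin incident.
SAMPLE_EVENTS = [
    ("FS01", "CORP\\svc_backup", "vssadmin delete shadows /all /quiet"),
    ("WS17", "CORP\\jdoe", "powershell.exe -nop -c Clear-EventLog -LogName Security"),
    ("DC01", "CORP\\admin", "bcdedit /set {default} safeboot network"),
    ("WS03", "CORP\\admin", "x7k2q.exe \\\\WS04 -accepteula -s cmd.exe"),
    ("WS03", "CORP\\admin", "x7k2q.exe \\\\WS05 -accepteula -s cmd.exe"),
    ("WS03", "CORP\\admin", "x7k2q.exe \\\\FS01 -accepteula -s cmd.exe"),
    ("WS21", "CORP\\asmith", "notepad.exe C:\\Users\\asmith\\notes.txt"),
]

# Single-event rules: one matching command line raises an alert. The wevtutil
# and bcdedit patterns are assumed common tooling, not indicators from the article.
SINGLE_EVENT_RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "event_log_clearing": re.compile(r"Clear-EventLog|wevtutil(\.exe)?\s+cl\b", re.I),
    "safe_mode_reboot_prep": re.compile(r"bcdedit(\.exe)?.*\bsafeboot\b", re.I),
}

# PsExec binaries are often renamed, so key on the -accepteula flag and the
# \\target argument rather than the executable name.
PSEXEC_RE = re.compile(r"\\\\(?P<target>[\w.-]+).*\s-accepteula\b", re.I)
PSEXEC_TARGET_THRESHOLD = 3  # distinct targets from one (host, user) pair


def detect(events, psexec_threshold=PSEXEC_TARGET_THRESHOLD):
    """Return a list of (rule_name, host, user) alerts for the given events."""
    alerts = []
    psexec_targets = defaultdict(set)  # (host, user) -> remote targets seen
    for host, user, cmdline in events:
        for name, pattern in SINGLE_EVENT_RULES.items():
            if pattern.search(cmdline):
                alerts.append((name, host, user))
        match = PSEXEC_RE.search(cmdline)
        if match:
            psexec_targets[(host, user)].add(match.group("target").lower())
    # Aggregate rule: PsExec fan-out from one operator to several hosts.
    for (host, user), targets in psexec_targets.items():
        if len(targets) >= psexec_threshold:
            alerts.append(("psexec_fan_out", host, user))
    return alerts


if __name__ == "__main__":
    for rule, host, user in detect(SAMPLE_EVENTS):
        print(f"{rule}: {user} on {host}")
```

The fan-out threshold is the tunable that separates a single administrative PsExec run from the mass deployment pattern described above.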
Example YARA Rules (Detection-Oriented)
These are behavioral and string-based examples meant for internal detection and tuning.
Qilin Ransomware Binary (Generic)
rule Qilin_Ransomware_Generic
{
    meta:
        description = "Detects Qilin (Agenda) ransomware characteristics"
        author = "Internal SOC"
        severity = "high"
    strings:
        $ext1 = ".qilin"
        $ext2 = ".qln"
        $note1 = "HOW_TO_RECOVER_FILES"
        $note2 = "qilin"
        $cmd1 = "vssadmin delete shadows"
        $cmd2 = "cipher /w"
        $mutex = "Agenda"
    condition:
        2 of ($ext*) or
        2 of ($note*) or
        any of ($cmd*) or
        $mutex
}
Qilin PowerShell Activity (ESXi / AD Focus)
rule Qilin_PowerShell_Activity
{
    meta:
        description = "Detects suspicious PowerShell behavior linked to Qilin"
        severity = "medium"
    strings:
        $ps1 = "Get-ADComputer"
        $ps2 = "Stop-VM"
        $ps3 = "vpxd"
        $ps4 = "Get-WinEvent"
        $ps5 = "Clear-EventLog"
    condition:
        any of ($ps*)
}
How Qilin Can Be Prevented
Preventing Qilin is about breaking the attack chain early.
Access Protection
- Enforce multi-factor authentication on all VPN, RDP, and admin access
- Remove unused external services
- Regularly rotate privileged credentials
Patch Management
- Patch VPNs, firewalls, hypervisors, and remote management tools quickly
- Monitor for exploitation of known vulnerabilities
Network Design
- Segment ESXi hosts and backup systems
- Restrict lateral movement with firewalls and jump servers
- Limit PsExec and SMB admin access
Backup Strategy
- Maintain offline or immutable backups
- Test restoration regularly
- Ensure backup credentials are separate from domain admin accounts
Monitoring and Response
- Alert on Safe Mode reboots
- Monitor PowerShell and AD enumeration
- Block known tunneling tools and suspicious domains
Final Takeaway
Qilin is not just ransomware—it is a full-scale intrusion operation. The encryption is the final act, not the beginning. Organizations that rely only on antivirus or backups without strong access controls and monitoring are especially vulnerable.
Defending against Qilin requires visibility, discipline, and early detection. Once encryption starts, recovery becomes slow, expensive, and uncertain.
