Know Your Adversary: Qilin
Qilin are the most active ransomware group in 2025. Following the disappearance of RansomHub, they are equipped with an army of affiliates targeting organisations globally. How do they gain initial access? What should incident responders look out for? Find out in this release of Know Your Adversary.

1) Summary
Qilin is a double-extortion Ransomware-as-a-Service (RaaS) that steals data first, then encrypts at scale across Windows, Linux and VMware ESXi. Recent affiliates migrated from the shuttered RansomHub operation, propelling Qilin to the most-active spot in April 2025 with 72 victim leaks in a single month.
- Initial access: SSL-VPN logins without MFA or with unpatched firmware are the most common culprits, with internet-exposed service exploits (notably: CVE-2023-27532 in Veeam Backup & Replication) and themed spear-phishing as less common but growing tactics.
- Encryption: The latest “Qilin.B” variant selects AES-256-CTR (where AES-NI hardware acceleration is present) or ChaCha20, wraps the file keys with RSA-4096, and wipes shadow copies on exit.
- Impact: Custom per-victim file extensions (often the company ID) and leak-site publication intensify pressure to pay. Qilin often also apply pressure with post-incident calls and emails into organisations.

2) Background
- Origins: Appeared mid-2022 as Agenda; re-tooled in Rust and rebranded Qilin in 2023, recruiting affiliates on Russian-language forums.
- Healthcare headline: June 2024 attack on Synnovis disrupted multiple London NHS hospitals, demanding US $50 million.
- RaaS economics: Qilin keep only 10-20 % of ransoms, luring high-skill affiliates who keep the remainder. The sudden RansomHub shutdown on 1 April 2025 drove many of those affiliates to Qilin, fuelling its rapid growth.
- Scale: Qilin are, at the time of writing this post on 26th May 2025, the most active ransomware group globally by pure victim numbers.

3) Attack Vector
With Qilin currently operating a large number of affiliates, their attack vector cannot be reliably predicted. However, VPN compromises remain (as with many ransomware groups in 2025) the most commonly identified root cause following Qilin attacks.
| Phase | Technique | Key Details |
|---|---|---|
| Initial access | Compromised SSL-VPN | FortiGate clusters running mixed firmware or single-factor policies; brute-force followed by log wiping reduces the audit trail |
| Exploit public app | Veeam CVE-2023-27532 | Attackers pull stored service credentials to jump directly from backup servers into production networks |
| Phishing | Attachment macros & ISO lures | Spear-phishing noted as a common attack vector across healthcare victims |
| Lateral move | RDP & ESXi PowerShell propagation | Custom PowerShell scripts push the Rust locker to vCenter and ESXi hosts for mass VM encryption |
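The most common root cause in the table is a single-factor SSL-VPN login preceded by brute force and followed by log wiping. The script below is an added detection example (not Strand's tooling and not a real FortiGate log format): it runs a sliding-window failed-login counter per source address over constructed, vendor-neutral gateway log lines, flags a success that follows the threshold number of failures, flags any success reported without MFA, and flags a later log-clearing event from a source already marked suspicious. The threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, vendor-neutral VPN/gateway log lines for the demo. They are not
# real FortiGate output; map your own appliance's fields onto the same keys.
SAMPLE_LOG = """\
2025-05-20T02:14:01Z vpn-gw1 sslvpn login status=failure user=jsmith src=203.0.113.45
2025-05-20T02:14:03Z vpn-gw1 sslvpn login status=failure user=jsmith src=203.0.113.45
2025-05-20T02:14:06Z vpn-gw1 sslvpn login status=failure user=jsmith src=203.0.113.45
2025-05-20T02:14:09Z vpn-gw1 sslvpn login status=failure user=jsmith src=203.0.113.45
2025-05-20T02:14:12Z vpn-gw1 sslvpn login status=failure user=jsmith src=203.0.113.45
2025-05-20T02:14:20Z vpn-gw1 sslvpn login status=success user=jsmith src=203.0.113.45 mfa=none
2025-05-20T02:30:00Z vpn-gw1 sslvpn login status=success user=akumar src=198.51.100.7 mfa=push
2025-05-20T03:05:11Z vpn-gw1 system event=log_cleared admin=jsmith src=203.0.113.45
"""

FAIL_THRESHOLD = 5              # failures from one source before a success is suspicious (assumed tuning)
WINDOW = timedelta(minutes=10)  # sliding window over which those failures are counted (assumed tuning)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>\S+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not fit the shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    fields.update(ts=ts, host=m.group("host"), kind=m.group("kind"))
    return fields


def analyse(log_text):
    """Return a list of findings, each a dict with rule, src, user and timestamp."""
    failures = defaultdict(deque)  # src IP -> timestamps of recent failed logins
    suspicious_src = set()         # sources that showed brute-force-then-success
    findings = []

    def report(rule, ev):
        findings.append({"rule": rule, "src": ev.get("src"),
                         "user": ev.get("user") or ev.get("admin"),
                         "ts": ev["ts"].isoformat()})

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ts, src = ev["ts"], ev.get("src")
        if ev["kind"] == "sslvpn":
            recent = failures[src]
            while recent and ts - recent[0] > WINDOW:  # drop failures outside the window
                recent.popleft()
            if ev.get("status") == "failure":
                recent.append(ts)
            elif ev.get("status") == "success":
                if len(recent) >= FAIL_THRESHOLD:
                    report("brute_force_then_success", ev)
                    suspicious_src.add(src)
                if ev.get("mfa") == "none":
                    report("success_without_mfa", ev)
                recent.clear()  # a success resets the counter for that source
        elif ev.get("event") == "log_cleared" and src in suspicious_src:
            # Audit-trail wiping from an address that already produced a brute-force login.
            report("log_cleared_after_suspicious_login", ev)
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The log-clearing rule is deliberately keyed on the source address rather than the account name: once an affiliate holds a valid VPN login, the administrative actions that follow are performed under a legitimate user, so the address that produced the brute force is the more stable pivot.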


4) Privilege Escalation and Persistence
- BYOVD EDR-kill: Qilin affiliates deploy the vulnerable TPwSav.sys driver (Bring-Your-Own-Vulnerable-Driver) to terminate security processes
- Token manipulation: Built-in locker flags request SeDebugPrivilege and impersonate SYSTEM to stop critical services
- RMM footholds: Post-intrusion installation of Atera or Splashtop gives the affiliate remote persistence that survives a VPN password reset

5) Tools Observed
| Stage | Tool / Binary | Hunt Clues |
|---|---|---|
| Recon & creds | NetScan, AdFind, SharpHound, SmokeLoader | NetScan bursts from non-IT subnets; SmokeLoader beacons precede NETXLOADER download |
| Lateral movement | Atera, Splashtop, RDP, PsExec | New agent installs signed with default vendor certs; lateral PsExec from backup server to DCs |
| Exfiltration | Rclone, WinSCP, WinRAR split archives | High-volume outbound to Mega or S3 buckets; .partNN.rar chains under C:\Temp |
| Impact & cleanup | Qilin / Qilin.B locker, vssadmin, custom PurgeLogs.exe | Unique file extension (company ID), shadow copy deletion, Windows event logs cleared |

6) Data Impact
Qilin’s operators steal tens to hundreds of gigabytes before encryption, publishing directory listings and sample files on a Tor leak portal if negotiations stall. The AES/ChaCha hybrid and RSA-4096 key wrap render recovery without the decryptor practically impossible. Affiliates often ring executives directly to increase psychological stress, or send emails to contacts within the organisation, including en masse to employees to stir internal chaos. Strand recommends implementing email rules that capture and forward incoming emails containing Qilin-related keywords before they reach employee mailboxes.
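In practice the capture rule lives in the mail platform's transport-rule engine; the matching logic it needs is shown below as an added example (not Strand's rule set and not a real ransom note). It parses a constructed RFC 822 message with the standard library, walks every text part, including a base64-encoded HTML alternative that a subject-only or plain-grep rule would miss, and returns a redirect decision with the keywords that hit. The keyword list and the quarantine mailbox are assumptions to be replaced with your own intelligence.

```python
import base64
import email
from email import policy

# Assumed keyword list; tune it to the intelligence you hold (not a list from the post).
KEYWORDS = ("qilin", "your data has been stolen", "leak site", "decryptor", ".onion")
QUARANTINE_MAILBOX = "ir-quarantine@example.com"  # assumed destination for captured mail

# Constructed sample messages. The HTML part is base64-encoded, as real mail often is,
# so a rule that only greps the raw bytes for "Qilin" would not see it.
HTML_PART = base64.b64encode(b"<p>Your network was compromised by <b>Qilin</b>.</p>").decode()
RAW_RANSOM_MAIL = f"""\
From: noreply@example.invalid
To: staff@example.com
Subject: Urgent notice for all employees
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your company network was compromised. Visit our leak site to negotiate.
--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

{HTML_PART}
--b1--
"""
RAW_NORMAL_MAIL = """\
From: alice@example.com
To: staff@example.com
Subject: Lunch menu this week
Content-Type: text/plain; charset="utf-8"

Pizza on Friday.
"""


def extract_text(msg):
    """Subject plus the decoded body of every text/* part, whatever its transfer encoding."""
    parts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            parts.append(part.get_content())
    return "\n".join(parts)


def classify(raw, keywords=KEYWORDS):
    """Decide whether a raw message should be redirected to the IR mailbox or delivered."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = extract_text(msg).lower()
    hits = [k for k in keywords if k in text]
    if hits:
        return {"action": "redirect", "mailbox": QUARANTINE_MAILBOX, "hits": hits}
    return {"action": "deliver", "hits": []}


if __name__ == "__main__":
    print(classify(RAW_RANSOM_MAIL))
    print(classify(RAW_NORMAL_MAIL))
```

Matching on the decoded content of every part is the point: the mass mailings described above are intended to be read by employees, so they arrive as ordinary multipart mail, and the rule must look at what the mail client would render rather than at the raw transport bytes.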

Stop Qilin with Strand Intelligence
When Qilin breaches your VPN or backup server, every minute counts. Strand Intelligence traces credential misuse, identifies patient-zero devices, Veeam servers or Fortinet firewalls, detects BYOVD driver drops, and rebuilds Rclone exfiltration timelines automatically. Let Strand isolate Qilin’s foothold, clean persistent RMM agents, and deliver the full forensic report your executives and regulators expect - so you can focus on restoring services.
