Free, Unbiased, and Open threat intelligence

Uncovering Qilin Ransomware Attack Methods Through Multiple Cases

Threat Profile

Description

Qilin (formerly Agenda) is a highly active Ransomware-as-a-Service (RaaS) group that has been operational since July 2022. In the second half of 2025, Qilin published victim information at a pace of more than 40 cases per month, reaching a peak of 100 cases in June 2025. The group employs double-extortion tactics, combining file encryption with data exfiltration and the threat of public disclosure. Manufacturing is the most affected sector (23%), followed by professional and scientific services (18%) and wholesale trade (10%). Observed attack methods include VPN compromise via leaked credentials; credential harvesting with Mimikatz and custom tools; dual ransomware deployment (encryptor_1.exe pushed via PsExec for lateral spread and encryptor_2.exe for network-share encryption); data exfiltration with legitimate tools (Cyberduck to Backblaze cloud storage); and persistence through scheduled tasks and registry modifications. Character encodings in the attackers' scripts suggest Eastern European or Russian-speaking origins. The group targets critical infrastructure, including the healthcare, construction, retail, education, and finance sectors.

MITRE ATT&CK Techniques

T1078, T1133, T1110, T1110.003, T1003, T1482, T1018, T1087.002, T1033, T1057, T1222, T1222.001, T1046, T1082, T1059.001, T1086, T1048, T1537, T1484.001, T1021.001, T1021.002, T1105, T1562.001, T1070.001, T1490, T1489, T1486, T1112, T1053, T1547.001

Indicators of Compromise (10)


Metadata

Published

7 months ago