Qilin: cross-platform ransomware-as-a-service with healthcare and public-sector impact
Rebranded from “Agenda,” active since 2022; double-extortion model, Windows/Linux payloads, and a persistent leak-site pressure cadence
Qilin is a ransomware-as-a-service operation active since 2022 that rebranded from “Agenda,” pairing data exfiltration with network-wide encryption and a branded leak site. Activity across 2024–2025 includes high-impact healthcare disruption and steady listings in public roll-ups, indicating a durable affiliate model rather than one-off campaigns.
Profile
Qilin operates a franchise model in which affiliates conduct intrusions and negotiations while a core team maintains infrastructure, payloads, and the leak portal. Early builds appeared in Go, with later variants recoded in Rust. Support for both Windows and Linux enables coverage of mixed estates and virtualized environments, and recruitment posts historically exclude targets within the CIS region. The brand’s communications emphasize encryption reliability, leak-site visibility, and staged pressure if negotiations fail.
Activity picture in 2024–2025
Open reporting places Qilin among the more active ransomware brands through 2025, with incidents spanning healthcare, state and local government, professional services, and manufacturing. The group’s cadence reflects consistent affiliate throughput: victim “cards” are added to the leak site with sector and geography details, followed by proof archives if talks stall. Public trackers show month-to-month variability typical of RaaS ecosystems as affiliates cycle tools and target sets.
Tactics, techniques, and procedures
Affiliates blend intrusion tooling with double extortion. Initial access commonly leverages credentials or exposed services and is followed by lateral movement to domain controllers and hypervisor tiers. Pre-encryption steps include discovery, process termination (databases, EDR/backup agents), and data staging for leak-site publication. Payloads support operator-defined modes and can address file servers and virtual machines to maximize downtime and pressure.
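As an added defender-side illustration (not code from the original page or from any vendor report), the following Python sketch flags the pre-encryption pattern described above: a short burst of backup, database and endpoint-protection services stopping on one host, as recorded by Windows System log Event ID 7036. The watched service-name patterns, the host names and the log lines are constructed assumptions for the example, not Qilin's actual stop-list or a real capture.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Service-name fragments for backup, database and endpoint-protection agents.
# Illustrative assumption for this example, not any group's real stop-list.
WATCHED_SERVICE_PATTERNS = ("sql", "veeam", "backup", "shadow copy",
                            "sophos", "sense", "defender")

# Windows System log Event ID 7036 entries flattened to "timestamp host id message".
# Constructed sample data; FS01 shows a stop burst, FS02 shows routine noise.
SAMPLE_EVENTS = """\
2025-06-14T02:11:03 FS01 7036 The Print Spooler service entered the stopped state.
2025-06-14T02:11:05 FS01 7036 The MSSQLSERVER service entered the stopped state.
2025-06-14T02:11:06 FS01 7036 The Veeam Backup Service service entered the stopped state.
2025-06-14T02:11:06 FS01 7036 The Volume Shadow Copy service entered the stopped state.
2025-06-14T02:11:08 FS01 7036 The Sophos Endpoint Defense Service service entered the stopped state.
2025-06-14T09:30:00 FS01 7036 The Windows Update service entered the stopped state.
2025-06-14T09:31:12 FS02 7036 The Print Spooler service entered the stopped state.
"""

LINE_RE = re.compile(r"^(\S+) (\S+) 7036 The (.+?) service entered the stopped state\.$")

def is_watched(service: str) -> bool:
    """True if the service name matches a backup/database/EDR pattern."""
    name = service.lower()
    return any(p in name for p in WATCHED_SERVICE_PATTERNS)

def find_stop_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return one (host, first_ts, [services]) per host where at least
    `threshold` watched services stopped within `window`; later stops that
    fall inside the same window are appended to that host's alert."""
    per_host = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, service = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if is_watched(service):
            per_host.setdefault(host, []).append((ts, service))
    alerts = []
    for host, events in per_host.items():
        events.sort()
        recent, alert = deque(), None
        for ts, service in events:
            recent.append((ts, service))
            while ts - recent[0][0] > window:   # slide the window forward
                recent.popleft()
            if alert is not None and ts - alert[1] <= window:
                alert[2].append(service)
            elif alert is None and len(recent) >= threshold:
                alert = (host, recent[0][0], [s for _, s in recent])
                alerts.append(alert)
    return alerts
```

Tuning the threshold and window against a baseline of normal maintenance stops (patch cycles, scheduled backup restarts) is what keeps this from alerting on routine administration.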
Technical characteristics (selected)
Area | Detail |
---|---|
Platforms | Windows and Linux payload families; activity observed against ESXi estates |
Languages | Go lineage with later Rust recode variants |
Extortion model | Data theft plus encryption, with a branded leak site and staged “proof” releases |
Common targets | Healthcare, SLTT/public sector, professional services, manufacturing |
Operational levers | Service-stop lists, domain-wide reach, and leak-site amplification |
Notable impact: healthcare disruption and data exposure
A 2024 incident against pathology services supporting London hospitals forced large-scale fallback to manual workflows, with surgery and clinic schedules affected and data exposure acknowledged in public statements. Subsequent industry and media reporting described prolonged restoration timelines and substantial financial impact for the provider, underscoring how ransomware against clinical systems produces second-order effects beyond immediate encryption events. In parallel, public-sector and services cases through 2025 illustrate how Qilin’s affiliates adapt to diverse environments by combining data theft, availability impact, and reputational pressure through the leak portal.
2025 momentum across public sector and services
Quarterly and monthly summaries during 2025 consistently list Qilin among top active groups by victim count in U.S. state, local, tribal and territorial datasets as well as global vendor roll-ups. This visibility aligns with a broad affiliate base, stable negotiation workflows, and recognizable branding on the leak site. As other programs rebrand, splinter, or stall, Qilin’s continuity suggests operators view the program as a reliable venue for monetizing intrusions.
Communications and pressure
Qilin’s leak site publishes concise victim entries with sector, geography, and sample data. Listings can escalate from “added” to “published” if talks fail, and archives are released in stages to sustain leverage. Messaging frequently highlights dataset size and sensitive record types, amplifying regulatory and legal exposure for organizations in regulated sectors. Affiliates sometimes pair portal posts with mentions on open social channels to increase visibility and accelerate pressure.
Tradecraft context on this site
The operational mix—data theft, staged publishing, and steady listings—aligns with other 2025 extortion brands we profile. For contrast with an extortion crew focused on rapid leak-site cadence rather than novel cryptography, see Securotrop. For availability-centric pressure that relies on politically motivated DDoS rather than encryption, the pattern in Red Wolf maps how service disruption is used to drive impact without data-theft extortion.
Timeline highlights
Date | Signal |
---|---|
2022 Jul–Sep | “Agenda” ransomware appears and rebrands to Qilin as cross-platform builds enter circulation |
2024 Jun | London pathology services incident triggers clinical disruption and public acknowledgment of data exposure |
2025 Apr–Jun | Qilin features near the top of multiple monthly victim roll-ups; affiliates expand into public-sector targets |
2025 Q2–Q3 | Continued listings on leak trackers indicate stable affiliate throughput and sustained negotiations |
Sources
- https://www.england.nhs.uk/2024/06/synnovis-cyber-attack-statement-from-nhs-england/
- https://www.ft.com/content/d2be7c65-bf44-4a7d-9791-6deafe66659f
- https://www.darktrace.com/blog/a-busy-agenda-darktraces-detection-of-qilin-ransomware-as-a-service-operator
- https://www.sentinelone.com/anthology/agenda-qilin/
- https://www.cisecurity.org/insights/blog/qilin-top-ransomware-threat-to-sltts-in-q2-2025
- https://www.cyfirma.com/research/tracking-ransomware-june-2025/
- https://www.sans.org/blog/evolution-qilin-raas