EWJ August 62 2025 web - Journal - Page 22
Meet Qilin
'Ransomware in focus' is our new series unravelling the complexities of ransomware groups throughout the ecosystem. By detailing their business strategies, target victims, and the tactics, techniques, and procedures (TTPs) behind their operations, we hope to arm businesses with the essential knowledge required to confront and overcome the challenges posed by ransomware. In this instalment, Milda Petraityte and Melissa DeOrio examine the operations of Qilin.
Background
Group affiliations
Qilin is a financially motivated cybercriminal group first observed at the beginning of July 2022 as Agenda ransomware. The group rebranded as Qilin in September of the same year and has operated as a Ransomware-as-a-Service ('RaaS') since February 2023. Qilin's RaaS operators are likely based in Russia (or former Soviet territories), on the basis of affiliate recruitment on Russian-language cybercrime forums and RaaS rules against attacking organisations in Russia or former Soviet Union countries. These constraints often correlate with the physical location of operators, who are permitted to act freely as long as local entities are not impacted.
Although there are no publicly known connections between Qilin and other RaaS groups, on at least two separate occasions a Qilin victim had previously appeared on the leak site of another well-known RaaS operation, such as LockBit and Cactus, likely indicating the presence of shared affiliates. Other groups, such as the collective Scattered Spider and the North Korean nation-state group Moonstone Sleet, have also reportedly deployed the ransomware during their attacks.
Shift in targeting techniques
Recently, Qilin has launched targeted phishing campaigns against Managed Service Providers (MSPs), a tactic likely intended to expand the group's access to multiple downstream client environments. The campaign leverages fraudulent authentication alerts impersonating ScreenConnect Remote Monitoring and Management (RMM) notifications sent to MSP administrators. Victims are redirected to sophisticated phishing pages designed to harvest administrator credentials, session cookies and MFA tokens, enabling account takeover and the bypass of multi-factor authentication controls.
Motivations
Qilin is a financially motivated group that has no stated ideological or political objectives. Qilin imposes minimal constraints on affiliate behaviour beyond prohibiting attacks on entities in Russia or other CIS countries, offering substantial autonomy in victim selection. Data indicates that the group has primarily targeted organisations in the manufacturing, construction, and financial services sectors within the past month.
Group developments
Following the closure of RansomHub in early April 2025, S-RM has observed a notable increase in the number of reported victims on the group's leak site; reported victims increased by approximately 56% month over month. This temporal correlation suggests potential affiliate migration from the defunct RansomHub operation to Qilin's RaaS platform, though definitive attribution of this activity surge remains under assessment.
Business model
Operating as a RaaS, Qilin rents out its infrastructure to affiliates in exchange for 15-20% of the earnings from each ransomware operation, reportedly taking a 20% commission on payments of USD 3 million or less and 15% on payments over USD 3 million. Publication of stolen data and ransom payment negotiations are reportedly handled by Qilin operators.
Qilin provides its affiliates with a highly customisable panel that enables bespoke payload configuration for each victim, offering the ability to alter the files or directories to be targeted or excluded and the contents of the ransom note. This flexibility makes the ransomware particularly adaptable across environments.
Emerging extortion tactics
Recently, Qilin has offered new extortion enablers to affiliates, such as "Call Lawyer", which offers affiliates the opportunity to access a legal advisor through the victim chat portal during negotiations. The lawyer
AUGUST/SEPT 2025