TLP:CLEAR HC3 Threat Profile: Qilin, aka Agenda Ransomware (June 18, 2024)

Executive Summary 

Qilin is a ransomware-as-a-service (RaaS) operation active since 2022 that continues to target healthcare organizations and other industries worldwide. The group likely originates from Russia and was observed recruiting affiliates in late 2023. The ransomware has variants written in Golang and Rust. Its operators gain initial access through spear phishing and leverage Remote Monitoring and Management (RMM) software and other common administrative tools during attacks. The group also practices double extortion: data is stolen before encryption, and victims are pressured to pay both to recover files and to prevent the stolen data from being leaked.

Background

The Qilin ransomware operation was initially launched as "Agenda" in July 2022. By September 2022 it had rebranded as Qilin, the name under which it still operates. It runs as a ransomware-as-a-service (RaaS) offering in which affiliates use its tooling and infrastructure to carry out attacks, with the operators keeping 15-20% of the proceeds. In 2023, Qilin's typical ransom demand was between $50,000 and $800,000, according to Group-IB. The group has steadily increased its activity over the past year, claiming responsibility for more than 60 ransomware attacks since January 2024. Researchers have identified dark web posts from 2022 by a user who is likely connected to the RaaS group. In October 2023, Qilin was observed recruiting affiliates on a hacking forum and specifically excluding CIS (Commonwealth of Independent States) countries from its targets. The recruitment post describes the ransomware's capabilities, including its use of the ChaCha20, AES-256, and RSA-4096 encryption algorithms.


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272