Threat Actor Profile
Qilin
The Qilin cybercrime group, a Russian-speaking Ransomware-as-a-Service (RaaS) operation, popped onto the scene around August 2022. Initially known for their "Agenda" ransomware, these actors have a nasty habit of targeting critical sectors. They provide their affiliates with customizable malware, making them a flexible and dangerous threat to watch out for.
Country of Origin
The Qilin group is believed to be a Russian-speaking organization. While their exact location isn't pinned down, their language and operations point to Russian origins.
Members
The exact size and structure of the group are not publicly known. However, their RaaS model means they work with a network of affiliates who carry out the attacks. These affiliates reportedly pocket a hefty 80-85% of the ransom payments, which is a pretty sweet deal for them and a huge incentive to cause chaos.
Leadership
The specific leaders or key figures behind Qilin remain unknown. Like many of these groups, they prefer to stay in the shadows.
Qilin TTPs
Tactics
Qilin's main goal is simple: make money. They achieve this through a Ransomware-as-a-Service model. Their primary tactic is double extortion—not only do they encrypt a victim's files, but they also steal sensitive data and threaten to leak it on their dark web blog if the ransom isn't paid. They've shown a clear preference for hitting critical infrastructure, healthcare, education, and manufacturing sectors where downtime is especially painful.
Techniques
These actors are big fans of phishing to get their foot in the door. Once inside a network, they move laterally to find the most valuable data and systems. They've been known to use legitimate system administration tools to blend in and avoid detection before deploying their ransomware payload. Their ability to customize the malware for each target makes their attacks particularly effective.
Procedures
Qilin started with a Go-based ransomware called "Agenda," which was notable for its customization options. Affiliates could tailor the attack to each specific victim by changing the encrypted-file extension and choosing which processes and services to terminate. By late 2022, they had switched things up, rewriting their ransomware in Rust. This move made the malware harder for security tools to detect and analyze, showing that these folks are serious about evolving their tradecraft.
Notable Cyberattacks
Qilin has been making headlines with some seriously disruptive attacks. One of their most infamous operations was the 2024 ransomware attack against several London hospitals. This attack caused a "critical incident," leading to canceled appointments and surgeries, and forcing some hospitals to divert emergency patients. It was a stark reminder of the real-world impact these cyberattacks can have.
More recently, in October 2025, the group claimed responsibility for hitting Asahi, one of Japan's largest breweries. The attack disrupted the company's systems and halted beer production, proving that no industry is safe from their reach. They seem to enjoy the spotlight that comes from hitting big, recognizable names.
Law Enforcement & Arrests
As of now, there have been no major, publicly announced arrests or law enforcement operations that have successfully dismantled the Qilin RaaS operation. Global law enforcement agencies are undoubtedly aware of and investigating the group's activities, especially following their high-profile attacks on critical infrastructure like healthcare. However, the group continues to operate.
How to Defend Against Qilin
Secure Email Gateways: Since phishing is their go-to entry method, strong email filtering is your first line of defense.
User Training: Teach your team to spot and report suspicious emails. A savvy user can stop an attack before it even starts.
Patch Management: Keep your systems and software updated. Qilin and their affiliates will exploit any vulnerability they can find.
Network Segmentation: Limit their ability to move laterally. If they get in, make sure they can't get far.
Endpoint Detection and Response (EDR): You need a solution that can spot and stop malicious activity in its tracks.
This is where Huntress comes in. Our Managed Security Platform provides 24/7 monitoring from our human Security Operations Center (SOC) team. We don't just rely on automation; our experts actively hunt for threats like Qilin. With powerful EDR capabilities, we can detect the sneaky techniques they use to infiltrate networks and deploy ransomware, stopping them before they can cause serious damage.