Executive Summary

The Qilin ransomware group, also known as Agenda, has emerged as the most dominant ransomware threat of 2025, with its victim count surging past 700 in the first ten months of the year. This represents a more than 280% increase since April 2025, coinciding with the disappearance of the formerly prolific RansomHub group. Operating a highly successful Ransomware-as-a-Service (RaaS) model, Qilin and its affiliates are aggressively targeting critical infrastructure sectors globally, including manufacturing, finance, healthcare, and government. The group employs a double-extortion strategy, encrypting victim data while also exfiltrating it for public leakage to maximize pressure. Their recent tactics include deploying Linux ransomware variants on Windows systems and abusing legitimate remote management tools for command and control.

Threat Overview

Active since at least July 2022, Qilin is a Russia-based cybercriminal group that has rapidly scaled its operations. Research from Comparitech shows the group's victim count has quadrupled from 179 in all of 2024 to 701 by October 2025. This explosion in activity is largely attributed to its RaaS model, which offers affiliates a generous 80-85% share of ransom payments, attracting a large and motivated pool of attackers.

The group's growth accelerated dramatically following the shutdown of the RansomHub operation in April 2025, strongly suggesting that many of RansomHub's skilled affiliates have migrated to the Qilin platform. The group has maintained a relentless pace, averaging over 40 victims per month and peaking at 100 in June 2025.

Technical Analysis

Qilin's affiliates employ a variety of tactics, techniques, and procedures (TTPs) to compromise victim networks. Recent analysis from Cisco Talos and Trend Micro has highlighted several key methods:

• Initial Access: While not detailed in these reports, initial access is likely achieved through common vectors such as phishing, exploitation of unpatched vulnerabilities, and compromised credentials.
• Command and Control: Affiliates heavily rely on legitimate Remote Monitoring and Management (RMM) software, such as AnyDesk, ScreenConnect, and Splashtop. This Living-off-the-Land (LotL) technique helps them blend in with normal administrative activity and evade detection.
• Execution & Defense Evasion: In some attacks, the group has been observed deploying a Linux ransomware variant on Windows systems, likely using Windows Subsystem for Linux (WSL) or a virtual machine to execute the payload. This hybrid approach can bypass security tools focused on traditional Windows executables.
• Impact: The core of the attack is the deployment of the Qilin ransomware payload (T1486 - Data Encrypted for Impact) and the exfiltration of sensitive data (T1567 - Exfiltration Over Web Service) for double extortion.

Impact Assessment

Qilin's targeting strategy focuses on organizations where operational disruption has the most severe consequences, maximizing their leverage for ransom negotiations. In 2025 alone, the group has claimed responsibility for attacks on:

• 45 healthcare providers
• 40 government entities
• 26 educational institutions

The United States is the most heavily impacted nation, with 375 attacks, followed by France, Canada, South Korea, and Spain. The group boasts of having stolen over 116 terabytes of data, posing a significant risk of data breach notifications, regulatory fines, and reputational damage for victims, even if they recover from the encryption.

IOCs

No specific Indicators of Compromise (IOCs) were provided in the source articles.

Cyber Observables for Detection

Detection & Response

Defenders should focus on detecting the abuse of legitimate tools and anomalous system behavior.

1. Monitor RMM Tool Usage:

   • Establish a baseline of legitimate RMM software used in your environment. Create strict EDR or application control policies to block or alert on the execution of any unauthorized RMM tools like AnyDesk or ScreenConnect.
   • Monitor network logs for connections to the command and control infrastructure of these RMM tools, especially from critical servers.

2. Hunt for Hybrid Attacks:

   • Use EDR to hunt for the presence of Linux binaries (.elf files) on Windows systems.
   • Monitor for the installation or execution of Windows Subsystem for Linux (wsl.exe) on servers or endpoints where it has no legitimate business purpose.

3. Behavioral Analysis:

   • Implement behavioral detection rules that look for common ransomware pre-cursor activities, such as the disabling of security services, deletion of volume shadow copies (vssadmin), and mass file modification.
   • Employ D3-PA: Process Analysis to identify suspicious parent-child process relationships, such as an Office application spawning an RMM tool.

Mitigation

A multi-layered defense is crucial to protect against RaaS threats like Qilin.

1. Restrict Remote Access Tools: Implement strict application control policies to prevent the use of unauthorized RMM software. For sanctioned tools, enforce Multi-factor Authentication (MFA) and limit access to authorized personnel from specific IP addresses.

2. Phishing and User Training: Since phishing is a common entry vector for ransomware, conduct regular user awareness training to help employees recognize and report suspicious emails.

3. Backup and Recovery: Maintain immutable, offline backups of critical data and systems. Regularly test your disaster recovery and business continuity plans to ensure you can restore operations without paying a ransom.

4. Network Segmentation: Segment your network to prevent attackers from moving laterally from a compromised workstation to critical servers. This can contain the blast radius of an infection.

5. D3FEND Countermeasures:

   • Utilize D3-EAL: Executable Allowlisting to control which applications, including RMM tools, can run.
   • Implement D3-OTF: Outbound Traffic Filtering to block connections to known malicious or unauthorized C2 domains.