
Executive summary
Qilin (rebranded from Agenda) is a RaaS program active since 2022, with lockers written in Go and newer Rust variants targeting Windows, Linux, and ESXi. It practices double extortion, and in 2024–25 surged via aggressive affiliate recruitment, customizability (operator-tuned encryption modes/extensions), and opportunistic edge exploitation (notably Fortinet SSL-VPN CVEs in 2025). High-impact operations include the Synnovis/NHS London incident (June 3, 2024), which the UK later linked to a patient death after months of disruption. HHS.gov, Check Point Software, BleepingComputer, Reuters
Who/what is Qilin (RaaS traits & scale)
- Lineage / naming: Launched as Agenda (July 2022), rebranded Qilin by Sept 2022. HHS.gov
- Tech stack: Go initially; Rust “Qilin.B” line enhances evasion and ESXi propagation; operator-selectable extensions and encryption modes (normal/step-skip/fast/percent). Algorithms commonly include ChaCha20, AES-256, RSA-4096. Check Point Software, Trend Micro
- Affiliate model: Classic RaaS with ~15–20% cut to core; active recruitment since late 2023. Some reporting highlights a panel feature to “Call Lawyer” to pressure victims during talks. HHS.gov, Check Point Software
- Victimology: Opportunistic big-game hunting across industries; healthcare repeatedly impacted (e.g., Synnovis/NHS). Qilin topped several 2025 league tables (e.g., June 2025: 86 posted victims). HHS.gov, Cyble
Notable operations (impact context)
- Synnovis / NHS London (June 3, 2024) — severe pathology outages; later Reuters (Jun 26, 2025) reported the attack contributed to a patient’s death; ransom demand widely reported as $50M; leaks ~400 GB of data. Reuters, The HIPAA Journal
- Cobb County, Georgia (May 2025) — Qilin claimed theft of 150 GB incl. sensitive records; county confirmed a breach while probing scope. Axios
Attack chain (MITRE ATT&CK-mapped highlights)
Initial access — TA0001
- Phishing / valid creds; exposed apps like Citrix/RDP. HHS.gov
- 2025 edge exploitation: coordinated, partially automated campaigns against Fortinet FortiOS/FortiProxy (e.g., CVE-2024-21762, CVE-2024-55591) with an initial focus on Spanish-speaking regions. Patch immediately. BleepingComputer
Execution / Persistence / Priv-esc — TA0002/TA0003/TA0004
- Use of Cobalt Strike, RMM tools; creation of new admin users; driver abuse for defense evasion. HHS.gov
Discovery / Lateral movement — TA0007/TA0008
- PsExec and SSH propagation; custom PowerShell to push lockers to vCenter/ESXi in the Rust line. Trend Micro
Exfiltration & C2 — TA0010/TA0011
- Double extortion is standard; data moved to attacker-controlled infra before crypto; comms via Tor portals / encrypted messengers. (Affiliate-chosen tooling varies.) HHS.gov
Impact (Encryption) — TA0040
- Operator-tuned encryption modes, service/process kills, event-log clearing, VSS deletion; victim-unique file extensions. Check Point Software
2025 evolutions to watch
- Fortinet pipeline: auth-bypass/RCE chaining for fast footholds (see CVEs above). BleepingComputer
- Affiliate pressure tactics: the RaaS panel’s advertised “Call Lawyer” option, intended to raise the pressure on victims during negotiations. Check Point Software
- Market position: Qilin repeatedly #1 by victim posts in 2025 monthly tallies as rivals stumbled. Cyble
Artifacts & hunting cues (behavior > hashes)
- Extensions/notes: Extensions are custom/unique per victim; don’t key on one string. HHS.gov, TEHTRIS
- Telltale behaviors (Windows):
  - VSS wipe (e.g., vssadmin delete shadows or wmic shadowcopy delete) followed by mass renames.
  - Event log clearing (e.g., wevtutil cl *) plus service kills prior to crypto.
  - Safe-mode or service-stop patterns not mandatory but observed in some campaigns. Check Point Software
- ESXi/Linux: abrupt VM stop waves; SSH enablement; locker pushed to multiple hosts in quick succession (Rust line). Trend Micro
Detection quick wins (drop-in rules of thumb)
Identity/edge
- High-fidelity alerts for Fortinet SSL-VPN exploitation attempts (CVE-2024-21762, CVE-2024-55591) and anomalous clientless VPN sessions; force MFA everywhere. BleepingComputer
Endpoint / SIEM
- Sequence detection: VSS deletion → service/process kill list → wevtutil clear → high-volume file writes (minutes). Check Point Software
- Flag new local/domain admins created outside change windows; block/alert on unapproved RMM installs and Cobalt Strike beacons. HHS.gov
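The behavior chain from the hunting cues and the sequence-detection rule of thumb above, as an added Python illustration that is not the page's own code or any vendor's rule: it walks constructed per-host process-creation and file events and flags only hosts where a VSS wipe, a service/process kill and a wevtutil clear occur in that order within a window and are followed by a burst of file writes. The event shape, hostnames, window and burst thresholds are assumptions.

```python
import re
from collections import defaultdict

# Added illustration, not the page's or any vendor's rule. Assumed event shape:
# {"host", "ts" (epoch s), "kind": "proc"|"file", "detail": cmdline or path}.
WINDOW = 600   # seconds for the whole chain; the page says it completes in minutes
BURST = 100    # file writes/renames after the log clear that count as mass encryption

# Ordered stages from the page's chain: VSS deletion -> service/process kill -> wevtutil clear.
STAGES = [
    ("vss_wipe", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("kill", re.compile(r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?)\b", re.I)),
    ("log_clear", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
]

def detect_chain(events):
    """Return {host: chain_start_ts} for hosts where all stages occur in order
    within WINDOW seconds and are followed by >= BURST file events."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    hits = {}
    for host, evs in by_host.items():
        stage, start, writes = 0, None, 0
        for e in evs:
            if start is not None and e["ts"] - start > WINDOW:
                stage, start, writes = 0, None, 0   # chain went stale; start over
            if stage < len(STAGES):
                if e["kind"] == "proc" and STAGES[stage][1].search(e["detail"]):
                    start = e["ts"] if stage == 0 else start
                    stage += 1
            elif e["kind"] == "file":
                writes += 1
                if writes >= BURST:
                    hits[host] = start
                    break
    return hits

# Constructed sample telemetry (hostnames and paths are made up, not real IoCs).
SAMPLE = (
    [{"host": "ws-finance-07", "ts": 1000, "kind": "proc", "detail": "vssadmin.exe delete shadows /all /quiet"},
     {"host": "ws-finance-07", "ts": 1040, "kind": "proc", "detail": "net stop MSSQLSERVER /y"},
     {"host": "ws-finance-07", "ts": 1070, "kind": "proc", "detail": "wevtutil.exe cl System"}]
    + [{"host": "ws-finance-07", "ts": 1100 + i, "kind": "file", "detail": f"C:\\share\\doc{i}.xlsx"} for i in range(150)]
    # Backup server: routine shadow cleanup with no kill/log-clear stages, so it must not fire.
    + [{"host": "srv-backup-01", "ts": 2000, "kind": "proc", "detail": "vssadmin delete shadows /for=D: /oldest"}]
    + [{"host": "srv-backup-01", "ts": 2100 + i, "kind": "file", "detail": f"D:\\bk\\job{i}.bak"} for i in range(150)]
)
if __name__ == "__main__":
    print(detect_chain(SAMPLE))   # {'ws-finance-07': 1000}
```

Feed it Sysmon EventID 1 / Security 4688 command lines as "proc" events and file-create or rename telemetry as "file" events; the ordering requirement is what keeps routine backup-driven shadow cleanup from firing.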
Network
- Anomalous SFTP/SSH egress to new ASNs from non-admin subnets; Tor bootstraps from servers; sudden SMB scan + PsExec bursts. HHS.gov
Mitigation priorities (what actually cuts risk)
- Patch the edge first: prioritize Fortinet FortiOS/FortiProxy (CVE-2024-21762/CVE-2024-55591) and hardened configs; review Citrix/RDP exposure. BleepingComputer, HHS.gov
- Zero-trust the RMM/tunnel stack: block by default; least-privilege allowlisting; continuous inventory of remote-access tools. HHS.gov
- Identity hardening: phishing-resistant MFA, monitor/admin creation alerts, tight tiering for DCs/ESXi/vCenter. HHS.gov
- Backups: immutable/offline, cross-domain, frequent restore tests; assume leak regardless of payment. HHS.gov
- Tabletop IR with legal/comms for double-extortion (Synnovis is a cautionary tale). Reuters
Rapid response playbook (print-ready)
- Contain: isolate suspected hosts; block suspicious VPN/RMM; disable new admin accounts; geo-fence edge.
- Preserve: snapshot hypervisors/VMs; pull Fortinet/Citrix/VPN, AD, EDR, and vCenter logs; mirror any exfil endpoints.
- Hunt: look for the behavior chain above (VSS→kills→logs cleared), PsExec/SSH propagation, Tor portal artifacts.
- Eradicate: patch CVEs; rotate creds (esp. VPN/ESXi/admin); remove persistence (services, GPOs, scheduled tasks).
- Recover: staged restore from clean, immutable backups; throttle egress; validate with canary files.
- Notify: regulators & law enforcement; prepare disclosures—consider patient safety where relevant (NHS case). Reuters
Sources & further reading
- HHS HC3 Threat Profile — Qilin/Agenda (June 18, 2024): origins, sectors, Go/Rust variants, RMM/Cobalt Strike, operator-tuned modes/extensions. HHS.gov
- Check Point (2025): Go→Rust evolution, encryption modes/algos, Fortinet CVEs, customizable extensions, “Call Lawyer” note. Check Point Software
- BleepingComputer (June 6, 2025): Qilin exploiting CVE-2024-21762 & CVE-2024-55591; regional focus. BleepingComputer
- Trend Micro (Mar 26, 2024): Rust variant propagating to vCenter/ESXi via PowerShell. Trend Micro
- Reuters (Jun 26, 2025): NHS confirms patient death linked to the Synnovis attack; $50M demand and damages context. Reuters
- Cyble (Jul 1, 2025): Qilin #1 by posted victims in June 2025 (86). Cyble
#CyberDudeBivash #Qilin #Agenda #Ransomware #RaaS #DoubleExtortion #Fortinet #ESXi #CISA #MITREATTACK #DFIR #XDR #ThreatIntel