Cybersecurity | 27 Oct 2025 | 3m | cybersecuritynews.com

Understanding the Qilin Ransomware's Tactics and Threat Landscape

The Qilin ransomware has emerged as a major threat, deploying unique methods like leveraging Windows applications to compromise sensitive data. Victims span multiple sectors, particularly manufacturing and professional services, raising alarms in cybersecurity.

Key Takeaways

  1. "The methodical data harvesting approach employed by these operators allows them to exfiltrate sensitive company information before encrypting systems." Perhaps the most innovative aspect of Qilin's strategy involves its use of built-in Windows applications during reconnaissance.
  2. "This method allows them to verify the quality of sensitive data before exfiltration, which can be crucial for targeting the most valuable information," the analyst explained.
  3. The Qilin ransomware has escalated its impact significantly in the latter half of 2025, with over 40 victims each month being posted to its public leak site.

The Qilin ransomware has escalated its impact significantly in the latter half of 2025, with over 40 victims each month being posted to its public leak site. This alarming trend signals an urgent need for heightened awareness and defense against this formidable adversary.

First identified as Agenda before rebranding to Qilin in July 2022, this ransomware-as-a-service operation has transformed into a global threat, targeting organizations across various sectors and continents. The sophistication of its tactics presents a multi-layered challenge for cybersecurity teams.

"Our research highlighted the dual-extortion model adopted by Qilin, which combines the costs of file encryption and the threat of data disclosure," said an analyst from Cisco Talos. The compounded pressure exerted on victims to meet extortion demands is a significant factor in the group's success.



Manufacturing is currently the most affected sector, accounting for 23% of all documented incidents, followed closely by professional services, which make up 18%. The United States is particularly vulnerable, experiencing the highest concentration of attacks.

In researching the Qilin threat landscape, Cisco Talos analysts detailed the group’s comprehensive attack mechanisms, from initial access to data exfiltration and encryption. Notably, attackers often harness compromised VPN credentials obtained from dark web leaks, particularly in environments lacking robust multi-factor authentication protections.


"The entry point often traces back to weak security measures—specifically, compromised VPN credentials," the analyst noted. This initial intrusion into victim networks sets the stage for an intricate mapping of domain infrastructure using legitimate Windows utilities like nltest.exe and net.exe.


Once inside, Qilin operators conduct exhaustive reconnaissance to locate high-value targets. "The methodical data harvesting approach employed by these operators allows them to exfiltrate sensitive company information before encrypting systems," the report from Cisco Talos emphasized.


Perhaps the most innovative aspect of Qilin's strategy involves its use of built-in Windows applications during reconnaissance. The investigation showed that the everyday mspaint.exe and notepad.exe were leveraged to manually open and inspect sensitive files across network storage systems.

"Instead of merely using automated scripts for file discovery, Qilin operators cleverly employ these common applications to review files manually. This method allows them to verify the quality of sensitive data before exfiltration, which can be crucial for targeting the most valuable information," the analyst explained.


This manual inspection approach proves advantageous, enabling attackers to sift through intellectual property, financial records, and confidential documents without triggering alerts commonly associated with automated tools.

The operational sophistication of the Qilin ransomware is further illustrated by its dual-encryptor deployment strategy. The primary variant, known as encryptor_1.exe, utilizes PsExec for lateral movement within networks, enhancing its ability to inflict damage across interconnected systems.
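As an added illustration of how a defender might hunt for the three behaviours the article describes (domain mapping with nltest.exe and net.exe, notepad.exe or mspaint.exe opening files on network shares, and an encryptor launched through PsExec), here is a small Python detector run over constructed process-creation events. It is example code written for this page, not from the Cisco Talos report; the event field names and sample values are assumptions, and the parent-process check relies on PSEXESVC.exe, the service PsExec installs on a remote host.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not real telemetry).
# Field names are assumptions for this example.
EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\nltest.exe",
     "cmd": "nltest /dclist:corp", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe",
     "cmd": 'net group "Domain Admins" /domain', "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r'notepad.exe "\\FS01\Finance\payroll_2025.xlsx"', "parent": r"C:\Windows\explorer.exe"},
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\encryptor_1.exe",
     "cmd": r"C:\Windows\encryptor_1.exe", "parent": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS02", "user": "CORP\\asmith", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"notepad.exe C:\Users\asmith\notes.txt", "parent": r"C:\Windows\explorer.exe"},
]

RECON_BINARIES = {"nltest.exe", "net.exe", "net1.exe"}   # AD mapping tools named in the report
VIEWER_BINARIES = {"mspaint.exe", "notepad.exe"}          # used for manual file inspection
UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\[^\s"]+')          # \\server\share\... argument

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, host, user, cmd) findings in the order they are triggered."""
    findings = []
    recon_seen = defaultdict(set)   # (host, user) -> distinct recon tools observed
    for ev in events:
        img, parent = basename(ev["image"]), basename(ev["parent"])
        key = (ev["host"], ev["user"])
        if img in RECON_BINARIES:
            recon_seen[key].add(img)
            if len(recon_seen[key]) == 2:   # fire once: two different AD recon tools, same user/host
                findings.append(("domain_recon", ev["host"], ev["user"], ev["cmd"]))
        if img in VIEWER_BINARIES and UNC_PATH.search(ev["cmd"]):
            # a GUI viewer opening a file straight off a network share
            findings.append(("manual_file_inspection_unc", ev["host"], ev["user"], ev["cmd"]))
        if parent == "psexesvc.exe":
            # anything spawned by the PsExec service on a remote host deserves a look
            findings.append(("psexec_child_process", ev["host"], ev["user"], ev["cmd"]))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The local notes.txt event on WS02 deliberately produces no finding, so the UNC rule does not fire on ordinary notepad use.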

"The multifaceted encryption strategy demonstrates the level of planning and execution that Qilin employs. It’s a clear sign that organizations need to bolster their defenses comprehensively," added another cybersecurity expert.

In conclusion, as the landscape of ransomware threats continues to evolve, organizations must remain vigilant. The ongoing activities of Qilin underline the persistent threats posed by ransomware-as-a-service models and emphasize the need for enhanced cybersecurity measures to counteract such sophisticated tactics. Vigilant monitoring, robust authentication measures, and regular security audits will be key components in mitigating the risk posed by ransomware like Qilin.