Skip to content
The Nexus
Group profile173 claimed in last 30d249 total tracked

qilin

Forward this

Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion, demanding payment for a decryptor, as well as for the non-release of stolen data.

First seen: May 17 · 17:22 UTCLast seen: Jul 8 · 15:26 UTC
Sectors hit
  • Business Services33
  • Manufacturing17
  • Unspecified16
  • Consumer Services16
  • Healthcare14
  • Construction14
  • Agriculture and Food Production8
  • Technology7
Countries hit
  • United States60
  • United Kingdom11
  • Germany8
  • Australia6
  • Canada5
  • Czechia4
  • Austria4
  • Thailand3
  • Portugal3
  • Mexico3
MITRE ATT&CK · observed TTPs14 tactics

Tactics and techniques attributed to QILIN by ransomware.live's curated TTP catalog. Identifiers link to the canonical MITRE ATT&CK reference for each tactic or sub-technique.

  • TA0001Initial Access
    • T1078Valid Accounts

      Compromised credentials used to authenticate via VPN and RDP. Qilin notably steals credentials from Chrome browsers on compromised endpoints before encryption.

    • T1190Exploit Public-Facing Application

      Exploitation of vulnerabilities in VPN appliances and remote management tools to gain initial access.

    • T1566Phishing
    • T1566.003Phishing: Spearphishing via Service

      Qilin affiliates spear-phished MSP administrators via ScreenConnect to gain access to downstream customers. Phishing campaigns using credential-harvesting pages targeting VPN and SSO portals.

  • TA0002Execution
    • T1059.001Command and Scripting Interpreter: PowerShell

      PowerShell scripts used for payload execution, lateral movement, and post-exploitation tasks.

    • T1059.004Command and Scripting Interpreter: Unix Shell

      Shell scripts used to execute the Linux/ESXi variant of the Qilin ransomware payload.

    • T1569System Services
    • T1569.002System Services: Service Execution
  • TA0003Persistence
    • T1037Boot or Logon Initialization Scripts
    • T1053Scheduled Task/Job
    • T1053.005Scheduled Task/Job: Scheduled Task

      Scheduled tasks created to maintain persistence and execute post-exploitation scripts.

    • T1098.004Account Manipulation: SSH Authorized Keys
    • T1136Create Account
    • T1547Boot or Logon Autostart Execution
  • TA0004Privilege Escalation
    • T1068Exploitation for Privilege Escalation
  • TA0005Defense Evasion
    • T1027Obfuscated Files or Information

      Qilin.B variant (October 2024) introduced enhanced obfuscation and anti-analysis techniques compared to earlier versions.

    • T1036.001Masquerading: Invalid Code Signature
    • T1134.004Access Token Manipulation: Parent PID Spoofing
    • T1211Exploitation for Defense Evasion
    • T1480Execution Guardrails
    • T1497.001Virtualization/Sandbox Evasion: System Checks
    • T1553.002Subvert Trust Controls: Code Signing
    • T1562.001Disable or Modify Tools

      Security tools and EDR solutions disabled via batch scripts and Group Policy modifications.

    • T1562.004Impair Defenses: Disable or Modify System Firewall
    • T1564Hidden Artifacts
    • T1564.003Hidden Artifacts: Hidden Window
  • TA0006Credential Access
    • T1003.001OS Credential Dumping: LSASS Memory

      LSASS memory dumped to harvest credentials for lateral movement and privilege escalation.

    • T1040Network Sniffing
    • T1110.002Brute Force: Password Cracking
    • T1555.003Credentials from Web Browsers

      Qilin notably deployed a custom script to steal credentials stored in Google Chrome browsers on all domain-joined machines via Group Policy — a distinctive TTP first observed in the Synnovis NHS attack (June 2024).

  • TA0007Discovery
    • T1012Query Registry
    • T1046Network Service Discovery

      Network scanning used to enumerate hosts and services within the victim environment.

    • T1082System Information Discovery

      System information collected to tailor the attack and identify high-value targets.

    • T1614System Location Discovery
  • TA0008Lateral Movement
    • T1021Remote Services
    • T1021.001Remote Services: Remote Desktop Protocol

      RDP used for lateral movement across victim networks.

    • T1021.002Remote Services: SMB/Windows Admin Shares

      SMB used to propagate payloads and move laterally within the network.

    • T1021.004Remote Services: SSH
    • T1570Lateral Tool Transfer
  • TA0009Collection
    • T1560.001Archive Collected Data: Archive via Utility

      Data compressed and archived prior to exfiltration.

    • T1602.002Network Device Configuration Dump
  • TA0010Exfiltration
    • T1011Exfiltration Over Other Network Medium
    • T1011.001Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
    • T1048.003Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol
    • T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage

      Data exfiltrated to cloud storage and actor-controlled servers for double extortion via the Qilin leak site.

  • TA0011Command and Control
    • T1001Data Obfuscation
    • T1001.001Data Obfuscation: Junk Data
    • T1071.001Application Layer Protocol: Web Protocols

      C2 communication over HTTPS; Tor used for victim portals.

    • T1572Protocol Tunneling
  • TA0040Impact
    • T1486Data Encrypted for Impact

      Qilin (formerly Agenda) uses ChaCha20 for file encryption with RSA-4096 for key protection. Originally written in Go, later rewritten in Rust (Qilin.B). Targets Windows, Linux, and VMware ESXi. Notable attack: Synnovis NHS pathology services (June 2024) causing 10, 000+ NHS appointment cancellations. Active RaaS with high affiliate revenue share.

    • T1490Inhibit System Recovery

      Shadow copies deleted; ESXi snapshots removed to prevent VM recovery.

    • T1561Disk Wipe
    • T1561.001Disk Wipe: Disk Content Wipe
  • TA0042Resource Development
  • TA0043Reconnaissance
    • T1590.004Gather Victim Network Information: Network Topology
Recent claimed victims
BrazilJul 8 · 15:26 UTC

S.J. Louis

www.sjlouis.com
Jul 7 · 20:52 UTC

Lechner Massivhaus GmbH

Jul 7 · 20:52 UTC

COP® Vertriebs-GmbH Zentrale

ConstructionAustriaJul 7 · 18:29 UTC

Lechner Massivhaus GmbH

www.lechner-massivhaus.de
Business ServicesGermanyJul 7 · 18:28 UTC

COP® Vertriebs-GmbH Zentrale

www.cop-gmbh.de
HealthcareCzechiaJul 7 · 17:31 UTC

Next Clinics

www.next-clinics.cz
Business ServicesUnited StatesJul 7 · 14:00 UTC

Accelirate

www.accelirate.com
Jul 6 · 16:50 UTC

Precision Steel Services

ConstructionUnited StatesJul 6 · 14:02 UTC

Keystone Homes

www.gokeystone.com
ManufacturingJul 6 · 14:02 UTC

Precision Steel Services

www.precisionsteel.org
Business ServicesUnited StatesJul 6 · 14:01 UTC

Answer Precision Tool

www.answerprecision.com
Business ServicesUnited StatesJul 6 · 13:00 UTC

Wood Ellis & Wood CPA

www.woodelliswoodcpa.com
Business ServicesUnited KingdomJul 6 · 12:59 UTC

Max Fordham

www.maxfordham.com
Business ServicesMexicoJul 6 · 12:58 UTC

Grupo Inteca

grupointeca.com
Business ServicesUnited StatesJul 6 · 09:24 UTC

LabelDaddy

www.labeldaddy.com
Financial ServicesJul 3 · 18:57 UTC

TQ Financial Services

www.tqfinancials.com
United StatesJul 3 · 18:30 UTC

Md Lewis

www.mdlewiscpa.com
Consumer ServicesUnited StatesJul 3 · 18:29 UTC

Goodwill Manasota

www.experiencegoodwill.org
TechnologyGermanyJul 3 · 18:28 UTC

Sitmatic

www.sitmatic.com
TechnologyPortugalJul 3 · 18:28 UTC

Sisint

www.sisint.pt
Jul 2 · 12:00 UTC

Pennant Hills Golf Club

Hospitality and TourismAustraliaJul 2 · 09:26 UTC

Pennant Hills Golf Club

www.pennanthillsgolfclub.com.au
Jul 1 · 14:59 UTC

Dennis Waters Rental Properties

Jul 1 · 14:59 UTC

Mattatuck Industrial Scrap Metal

Jul 1 · 14:59 UTC

Laughlin Nunnally Hood & Crum

Jul 1 · 14:59 UTC

Dynamic Laser Solutions Ltd.

Consumer ServicesUnited KingdomJul 1 · 13:18 UTC

Dennis Waters Rental Properties

Dennis Waters Rental Properties
Business ServicesUnited StatesJul 1 · 13:18 UTC

Mattatuck Industrial Scrap Metal

www.mattatuckscrap.com
Business ServicesUnited StatesJul 1 · 13:17 UTC

Laughlin Nunnally Hood & Crum

www.greenevillelaw.com
Business ServicesSlovakiaJul 1 · 13:16 UTC

Rossum Integration

www.rossum.sk
ManufacturingUnited KingdomJul 1 · 13:15 UTC

Dynamic Laser Solutions Ltd.

www.dynamiclasersolutions.com
Consumer ServicesUnited StatesJul 1 · 13:15 UTC

Dixie Beverage

www.dixiebeverage.com
ManufacturingJun 30 · 12:32 UTC

Chamco

www.chamco.com
Business ServicesGermanyJun 30 · 12:30 UTC

Hemmersbach GmbH & Co. KG

www.hemmersbach.com
Jun 30 · 11:54 UTC

Hemmersbach GmbH & Co. KG

Jun 29 · 18:01 UTC

KALIACT ANCHETA et Associs

ManufacturingGermanyJun 29 · 17:34 UTC

Kunert Fashion

www.kunert.de
EducationJapanJun 29 · 16:34 UTC

Musashino University

www.musashino-u.ac.jp
Business ServicesFranceJun 29 · 16:00 UTC

KALIACT ANCHETA et Associs

www.ancheta-associes.fr
ManufacturingArgentinaJun 29 · 15:59 UTC

Metal Sur Famin

www.metalsurfamin.com
QILIN · Underground group profile · The Nexus