Threat Research

From Impact to Recovery: How Druva Addresses Qilin Ransomware

Ravindra Deotare, Principal Product Manager

What Is Qilin?

Qilin, also known as Agenda, is a Ransomware-as-a-Service (RaaS) group active since mid-2022. Instead of attacking victims directly, Qilin operates a service model that enables the adversarial group to scale rapidly and adapt quickly to new targets:

  • Core operators build and maintain the ransomware platform

  • Affiliates conduct intrusions, steal data, and deploy encryption

  • Revenue is shared, with affiliates keeping the larger cut

Why Qilin Is Dangerous

Qilin combines technical sophistication with operational scale, making it one of the most impactful ransomware ecosystems observed in recent years. In 2025, the FBI ranked Qilin as the #2 most reported ransomware variant, with victims in more than 60 countries.

Qilin at a glance:

  • 700+ attacks reported in 2025

  • Multi-platform payloads: Windows, Linux, VMware ESXi

  • Double extortion: data theft + encryption

  • Broad targeting: healthcare, manufacturing, government, education, finance

Some Technical Highlights

  • Ransomware-as-a-Service (RaaS) Architecture

    • Core operators maintain tooling and infrastructure; affiliates handle intrusions and execution

    • Revenue-sharing model enables rapid scaling and global reach

  • Multi-Platform Encryptors

    • Native support for Windows, Linux, and VMware ESXi

    • Payloads written in Rust and Go for portability and performance

  • Password-Gated Execution Control

    • Encryptor requires a command-line password

    • Password is SHA-256 hashed and validated against embedded configuration

  • End-to-End Double Extortion Workflow

    • Data exfiltration precedes encryption

    • Stolen data leveraged via affiliate-managed leak sites to amplify pressure

  • Credential Theft and Lateral Movement

    • LSASS credential dumping (e.g., Mimikatz)

    • Propagation via RDP, SMB, and PsExec

  • Aggressive Defense Evasion

    • Terminates AV, EDR, backup, database, and virtualization processes

    • Deletes shadow copies and disables recovery mechanisms

  • Flexible Encryption Strategies

    • Supports full, fast, step-skip, and percentage-based encryption modes

    • Optimized for speed in large enterprise environments

  • Strong Cryptographic Implementation

    • Per-file AES-256-CTR encryption

    • Keys wrapped using RSA for centralized ransom control

  • Pre-Execution Anti-Analysis

    • Anti-debugging and anti-VM checks (PEB inspection, timing, CPUID)

    • Dynamic API resolution to hinder static detection

  • Operational Precision

    • Targeted file-type selection with size-based exclusions

    • Drops QILIN_README.txt ransom note per directory for consistent victim messaging

Qilin attack lifecycle

Mitigating Qilin: A Capability-Driven Methodology for Secure Recovery

When Qilin encrypts critical workloads, operational continuity depends largely on the resilience and maturity of the organization’s data protection architecture.

Druva has successfully enabled customers to mitigate the impact of Qilin attacks through a layered and controlled recovery workflow that emphasizes backup preservation, threat isolation, granular data validation, and secure restoration.

1. Immutability and Early Threat Detection

An effective response to Qilin begins with ensuring backup integrity and accelerating threat identification. By leveraging air-gapped, tamper-proof snapshots, Druva keeps recovery data in a separate security domain outside the blast radius. Simultaneously, the platform monitors for anomalous encryption behaviors and mass file modifications. Combined with Threat Hunting tools, teams can validate specific Indicators of Compromise (IOCs) with the assurance that data remains recovery ready.

2. Validation of Clean Recovery Points

A primary challenge during Qilin remediation is avoiding "blind restores" that inadvertently reintroduce the threat. Druva’s Restore Scan allows organizations to inspect backup data across affected workloads before it ever touches the production environment. This validation process utilizes two primary mechanisms:

  • File Hash Scanning: Cross-referencing backups against a curated, continually updated Ransomware IOC library to detect known Qilin variants.

  • Antivirus (AV) Scanning: Applying signature-based detection to identify malicious payloads embedded within files. 

Hash matching catches samples already catalogued in the IOC library, while AV scanning extends coverage to payloads the library has not yet recorded; together they let Druva identify "known-clean" snapshots with high confidence.
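The checks described in sections 1 and 2 (mass-modification monitoring, hash matching against an IOC library, and deciding whether a recovery point is "known-clean") can be illustrated in a small restore-scan-style script. The code below is an added example, not Druva's code or a description of its scanner: the IOC set is seeded from a constructed byte string, the ransom note name comes from the article, and the 7.5 bits/byte entropy threshold and 50% change-ratio threshold are assumptions chosen for the demo. It builds two constructed snapshots (a clean day-1 copy and a day-2 copy after a simulated encryption run) and scans both.

```python
"""Restore-scan style inspection of backup snapshots (added example, not Druva code)."""
import hashlib
import math
import os
import random
import tempfile

# Constructed sample standing in for a known encryptor binary. Its digest seeds the IOC set so
# the scan has one hit; a real IOC library is vendor-curated and far larger.
SAMPLE_PAYLOAD = b"MZ constructed-sample-not-real-malware"
IOC_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}
RANSOM_NOTE_NAME = "QILIN_README.txt"   # note name cited in the article
ENTROPY_THRESHOLD = 7.5                 # assumption: bits/byte; ciphertext sits near 8.0
CHANGE_RATIO_THRESHOLD = 0.5            # assumption: >50% of files altered between snapshots


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_window_entropy(path, window=4096):
    """Highest entropy over windows at the start, middle and end of a file.

    Sampling several offsets matters because step-skip and percentage encryption modes leave
    plaintext runs inside each file, so a header-only check can land on unencrypted bytes.
    Files smaller than one window are skipped (returns 0.0).
    """
    size = os.path.getsize(path)
    if size < window:
        return 0.0
    best = 0.0
    with open(path, "rb") as f:
        for offset in (0, (size - window) // 2, size - window):
            f.seek(offset)
            best = max(best, shannon_entropy(f.read(window)))
    return best


def snapshot_hashes(root):
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def scan_snapshot(root):
    """Inspect one recovery point: IOC hash hits, ransom notes and high-entropy files.

    The snapshot is reported 'known_clean' only when all three lists are empty.
    """
    findings = {"ioc_hits": [], "ransom_notes": [], "high_entropy": []}
    for rel, digest in sorted(snapshot_hashes(root).items()):
        full = os.path.join(root, *rel.split("/"))
        if digest in IOC_SHA256:
            findings["ioc_hits"].append(rel)
        if rel.rsplit("/", 1)[-1] == RANSOM_NOTE_NAME:
            findings["ransom_notes"].append(rel)
        if max_window_entropy(full) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    findings["known_clean"] = not any(findings[k] for k in ("ioc_hits", "ransom_notes", "high_entropy"))
    return findings


def change_ratio(before, after):
    """Fraction of baseline files modified, renamed or deleted in the later snapshot."""
    if not before:
        return 0.0
    changed = sum(1 for rel, digest in before.items() if after.get(rel) != digest)
    return changed / len(before)


def build_demo_snapshots():
    """Constructed snapshots: day 1 clean, day 2 after a simulated encryption run."""
    base = tempfile.mkdtemp(prefix="snapshots_")
    day1, day2 = os.path.join(base, "day1", "docs"), os.path.join(base, "day2", "docs")
    os.makedirs(day1)
    os.makedirs(day2)
    for i in range(4):
        with open(os.path.join(day1, "report%d.txt" % i), "wb") as f:
            f.write((("quarterly report %d, plain text\n" % i) * 40).encode())
    rng = random.Random(2025)  # deterministic pseudo-ciphertext for the three "encrypted" reports
    for i in range(3):
        with open(os.path.join(day2, "report%d.txt.locked" % i), "wb") as f:
            f.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    with open(os.path.join(day2, "report3.txt"), "wb") as f:   # one report left untouched
        f.write(("quarterly report 3, plain text\n" * 40).encode())
    with open(os.path.join(day2, RANSOM_NOTE_NAME), "w") as f:
        f.write("constructed ransom note text\n")
    with open(os.path.join(day2, "encryptor.exe"), "wb") as f:  # dropped payload, matches IOC set
        f.write(SAMPLE_PAYLOAD)
    return os.path.join(base, "day1"), os.path.join(base, "day2")


if __name__ == "__main__":
    clean, hit = build_demo_snapshots()
    for label, root in (("day1", clean), ("day2", hit)):
        print(label, scan_snapshot(root))
    ratio = change_ratio(snapshot_hashes(clean), snapshot_hashes(hit))
    print("day1->day2 change ratio %.2f, mass modification: %s" % (ratio, ratio > CHANGE_RATIO_THRESHOLD))
```

Run it directly to see the day-1 snapshot come back `known_clean` and the day-2 snapshot fail on all three checks, with a 0.75 change ratio between them. In the script the IOC set is derived from the constructed payload; a real scan would load vendor-supplied digests, and the entropy sampling would be tuned to the encryption modes the encryptor is known to use.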

Screenshots: Restore Scan settings, Restore Scan results, Ransomware IOC library

3. Orchestrated Sandbox Recovery

Restoring directly to production following a Qilin incident is high-risk. To prevent reinfection, identified clean backups are first restored into an isolated Sandbox Recovery environment. This staged methodology allows incident responders to:

  • Validate data integrity within a quarantined state.

  • Confirm the total absence of Qilin ransomware artifacts or dormant persistence mechanisms.

  • Verify that restored systems are stable and functionally clean.

Only after thorough verification can recovery proceed to production.

Minimizing Qilin’s Impact for Druva Customers

By shifting recovery from speculation to verified integrity, Druva removes the guesswork around reinfection and latent persistence, so that only "known-clean" workloads are permitted back into production. This gives organizations the technical assurance they need to minimize ransomware risk and confidently resume operations at scale.

To see how Druva transformed a real-world ransomware crisis into a recoverable event, read our latest blog. It provides a breakdown of how an organization mitigated a Qilin attack and achieved full operational restoration with Druva—preventing reinfection without conceding to ransom demands.
