Qilin, also known as Agenda ransomware, is a sophisticated RaaS group that targets healthcare, education, and public administration with cross-platform Go and Rust malware designed to evade detection and enable lateral movement. This profile outlines Qilin’s infection chain, encryption and extortion methods, victimology, notable incidents, and recommended mitigations. #Qilin #AgendaRansomware
Key points
- Qilin (Agenda) is a ransomware threat actor described as a cross-platform RaaS group with Go and Rust samples for Windows and Linux.
- Primary targets include Healthcare, Education, and Public Administration due to reliance on critical data and comparatively weaker cybersecurity.
- Initial access commonly occurs via phishing attachments/links, software vulnerabilities, and Remote Desktop Protocol (RDP) exposure.
- Lateral movement and persistence rely on privilege escalation, PsExec/PowerShell usage, credential dumping, and network enumeration to spread within networks.
- Files are encrypted with symmetric encryption, and the symmetric key is itself protected with the attackers' public RSA key; ransom notes demand cryptocurrency payments via dark web channels.
- Qilin employs anti-analysis and code obfuscation techniques, deletes logs/artifacts, and uses TOR/dark web portals for communications.
- Mitigation emphasizes robust anti-malware/EDR, security audits, MFA, backups, and proactive defense; a high-profile UK healthcare incident attributed to Qilin demonstrates real-world impact.
MITRE Techniques
- [T1566.001] Phishing – “One of the most common methods is via phishing emails, which often contain malicious attachments or links.”
- [T1059.001] PowerShell – “using legitimate tools like PowerShell or PsExec to achieve higher-level access.”
- [T1021] Remote Services – “uses PsExec for remote execution”
- [T1003] Credential Dumping – “uses credential dumping to extract passwords and other authentication details.”
- [T1135] Network Share Discovery – “network enumeration to identify other systems, shares, and services within the network”
- [T1027] Obfuscated/Compressed Files and Information – “obfuscation techniques to evade detection”
- [T1562.001] Impair Defenses – “detecting and disabling debugging and sandbox environments”
- [T1070.001] Clear Windows Event Logs – “deletes logs and other artifacts”
- [T1070.004] File Deletion – “removing temporary files”
- [T1486] Data Encrypted for Impact – “encrypts files using symmetric encryption and RSA”
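The PsExec, PowerShell and log-clearing behaviours mapped above are all visible in Windows event logs, so a defender can check for them directly. The following is an added example, not code from the SOCRadar profile: it runs simple rules for T1021 (PsExec service install, System Event ID 7045 with the default PSEXESVC service name), T1059.001 (hidden PowerShell with an encoded command, Security Event ID 4688) and T1070.001 (Security 1102 / System 104 log cleared) over a handful of constructed, flattened `key=value` event lines that stand in for a real export.

```python
import re

# Constructed sample events in a flattened "key=value" export format
# (an assumption for this example, not real Qilin telemetry). The encoded
# blob "QQBCAEMA" is just "ABC" in UTF-16LE base64.
SAMPLE_EVENTS = [
    "EventID=7045 Channel=System ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "EventID=4688 Channel=Security NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -nop -w hidden -enc QQBCAEMA",
    "EventID=1102 Channel=Security Message=The audit log was cleared",
    "EventID=4688 Channel=Security NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
    "EventID=104 Channel=System Message=The System log file was cleared",
]

ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|enc|encodedcommand)\b")
HIDDEN_FLAG = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")

# (technique, description, predicate over the parsed event fields)
RULES = [
    ("T1021", "PsExec service installed on host",
     lambda e: e.get("EventID") == "7045" and "PSEXESVC" in e.get("ServiceName", "").upper()),
    ("T1059.001", "PowerShell launched hidden with an encoded command",
     lambda e: e.get("EventID") == "4688"
     and e.get("NewProcessName", "").lower().endswith("powershell.exe")
     and ENCODED_FLAG.search(e.get("CommandLine", "")) is not None
     and HIDDEN_FLAG.search(e.get("CommandLine", "")) is not None),
    ("T1070.001", "Windows event log cleared",
     lambda e: e.get("EventID") in {"1102", "104"}),
]


def parse_event(line):
    """Parse 'key=value' pairs; a value runs until the next ' key=' token."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def detect(lines):
    """Return one (technique, description, EventID) hit per rule an event triggers."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for technique, description, predicate in RULES:
            if predicate(event):
                hits.append((technique, description, event.get("EventID")))
    return hits


if __name__ == "__main__":
    for technique, description, event_id in detect(SAMPLE_EVENTS):
        print(f"[{technique}] {description} (EventID {event_id})")
```

The rules deliberately key on a default service name and on flag spellings, so renamed PsExec services or other launchers will not trigger them; treat the hits as a starting point for triage rather than proof of Qilin activity.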
Indicators of Compromise
- [File Name] context – ransomware-note.png.webp, victims-instructions.png.webp, and qilin-targeted-industries.png.webp (image assets cited in captions showing ransom note, victim instructions, and targeting data)
- [File Name] context – golang-sample-psexec.png.webp (image caption illustrating PsExec remote execution in a Golang sample)
Read more: https://socradar.io/dark-web-profile-qilin-agenda-ransomware/