Qilin Top Ransomware Threat to SLTTs in Q2 2025


Qilin (also known as Agenda) emerged in Q2 2025 as the most active ransomware targeting U.S. State, Local, Tribal, and Territorial (SLTT) government entities, responsible for roughly 24% of reported incidents and relying on double-extortion tactics: data is stolen before encryption and published on leak sites if the ransom is not paid. Qilin operates as a Ransomware-as-a-Service (RaaS); its affiliates gain initial access through phishing, exploitation of public-facing applications (reported FortiGate and SAP NetWeaver vulnerabilities), and external remote services such as RDP, then move to network-wide encryption and large ransom demands such as $500,000. #Qilin #Agenda #FortiGate #CVE-2025-31324

Keypoints

  • Qilin (aka Agenda) became the top ransomware targeting U.S. SLTTs in Q2 2025, accounting for 24% of incidents reported to the MS-ISAC.
  • Qilin operates as a double-extortion RaaS, stealing data for public leaks in addition to encrypting systems to extract ransom.
  • Between December 2023 and June 30, 2025, MS-ISAC members reported 29 Qilin incidents, 55% of them in Q2 2025, affecting municipalities, counties, education, healthcare, and emergency services.
  • Common initial access vectors include phishing, exploiting public-facing applications, and abusing external remote services such as RDP and remote management tools.
  • Reported exploited vulnerabilities linked to Qilin activity include FortiGate flaws (e.g., CVE-2024-21762, CVE-2024-55591) and CVE-2025-31324 in SAP NetWeaver, with web shell uploads reported.
  • Affiliates reportedly use tooling such as Cobalt Strike, SmokeLoader, NETXLOADER, PsExec, WinRM, NetExec, WinRAR, and ransomware binaries written in Rust and C.
  • MS-ISAC membership provides timely, tailored intelligence, incident response findings, and IOCs to help U.S. SLTT organizations defend against Qilin RaaS activity.

MITRE Techniques

  • [T1566] Phishing – Qilin affiliates used phishing emails with malicious links to gain initial access. Quote: “…started with a phishing email containing a malicious link.”
  • [T1190] Exploit Public-Facing Application – Threat actors exploited FortiGate vulnerabilities and SAP NetWeaver (CVE-2025-31324) to gain access and upload web shells. Quote: “…actively exploiting FortiGate vulnerabilities (CVE-2024-21762, CVE-2024-55591…)…”
  • [T1110] Brute Force (Account Discovery / Valid Accounts) – Attackers targeted user accounts with weak passwords and unnecessary admin access to escalate privileges and create new admin accounts. Quote: “…targeted a user account with a weak password and unnecessary admin access. The attackers then created new admin accounts…”
  • [T1021.001] Remote Services: Remote Desktop Protocol (RDP) – Affiliates leveraged external remote services such as RDP and remote management tools (e.g., ScreenConnect) for initial access and lateral movement. Quote: “…using external remote services, such as Remote Desktop Protocol (RDP)”
  • [T1059] Command and Scripting Interpreter / PsExec, WinRM – Qilin actors used Windows administration tools like PsExec and WinRM for lateral movement and command execution. Quote: “…using other Windows tools in environments, including PsExec… and WinRM.”
  • [T1055] Process Injection / Cobalt Strike – Threat actors tied to Qilin infrastructure used Cobalt Strike for post-exploitation operations. Quote: “…known to use Cobalt Strike for post-exploitation.”
  • [T1041] Exfiltration Over Web Service – Actors prepared files with WinRAR and exfiltrated data via services such as easyupload[.]io. Quote: “…using WinRAR to collect files and prep them for exfiltration via easyupload[.]io.”
  • [T1486] Data Encrypted for Impact – Affiliates conducted network-wide encryption of servers, leaving ransom notes demanding payment for decryption keys. Quote: “…all their servers were encrypted, and a ransom note from Qilin informed them…”
  • [T1530] Data from Information Repositories (Collection) – Qilin actors exfiltrated large volumes of sensitive data (claimed up to 500 GB), including PII and financial data, to leverage double extortion. Quote: “Qilin threat actors claimed to exfiltrate up to 500 GB of data…”

Indicators of Compromise

  • [Vulnerabilities] exploited in attacks – FortiGate CVE-2024-21762, CVE-2024-55591; SAP NetWeaver CVE-2025-31324.
  • [File/Tool Names] post-exploitation and loaders – SmokeLoader, NETXLOADER, Cobalt Strike, and Qilin ransomware binaries (Rust/C).
  • [Services/Platforms] abused for access or exfiltration – ScreenConnect (remote monitoring tool), RDP, and easyupload[.]io (used for exfiltration).
  • [Ransom/Demand] ransom note context – demands of up to $500,000 for the decryption key and for withholding the stolen data from publication (a $500,000 demand was reported in one incident).
  • [Leak Sites] data leak hosting – Qilin-operated data leak site on Tor and the open internet (used to name and shame victims).
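The MITRE technique and indicator lists above describe behaviours a defender can hunt for in existing telemetry. The script below is an added example (not part of the CIS/MS-ISAC post) that walks constructed process-creation and DNS events in time order and flags the behaviours named on the page: PsExec/WinRM execution, WinRAR archive staging followed by a lookup of easyupload[.]io, and a newly created local account being added to Administrators. The event field names and the log records are assumptions made for illustration; the page files the account-creation behaviour under its T1110 bullet, whereas the script labels it with ATT&CK T1136.001 (Create Account: Local Account).

```python
import re
from typing import Dict, List

# Exfiltration service named on the page (written there defanged as easyupload[.]io).
EXFIL_DOMAINS = {"easyupload.io"}

# Host-side image names for tools the page attributes to Qilin affiliates:
# PsExec (client binary and the PSEXESVC service it installs on the target)
# and WinRM remote shells (winrs.exe client, wsmprovhost.exe on the target).
LATERAL_PROC = re.compile(
    r"(?:^|\\)(psexec(?:64)?\.exe|psexesvc\.exe|winrs\.exe|wsmprovhost\.exe)$", re.I)
# WinRAR (page: used to collect files and prep them for exfiltration);
# the "a" command adds files to an archive.
ARCHIVER_PROC = re.compile(r"(?:^|\\)(winrar\.exe|rar\.exe)$", re.I)
ARCHIVE_CMD = re.compile(r"\s+a\s+")
# Local account creation followed by promotion to Administrators
# (page: "created new admin accounts"); mapped here to ATT&CK T1136.001.
NET_USER_ADD = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)
NET_ADMIN_ADD = re.compile(
    r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)

# Constructed sample telemetry (assumed schema): "proc" = process creation,
# "dns" = name lookup. Hosts, accounts and timestamps are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T01:10:05Z", "host": "WS-HR-07", "type": "proc",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net user svc_backup P@ssw0rd123 /add"},
    {"ts": "2025-06-02T01:10:09Z", "host": "WS-HR-07", "type": "proc",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net localgroup administrators svc_backup /add"},
    {"ts": "2025-06-02T01:22:41Z", "host": "FS-01", "type": "proc",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2025-06-02T01:30:12Z", "host": "FS-01", "type": "proc",
     "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -r C:\Users\Public\fin.rar D:\Finance'},
    {"ts": "2025-06-02T01:47:55Z", "host": "FS-01", "type": "dns", "query": "easyupload.io"},
    # Benign records: an ordinary lookup and account enumeration without /add.
    {"ts": "2025-06-02T08:15:00Z", "host": "WS-IT-02", "type": "dns", "query": "www.cisecurity.org"},
    {"ts": "2025-06-02T09:00:00Z", "host": "WS-IT-02", "type": "proc",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net user"},
]


def _is_exfil_domain(query: str) -> bool:
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in EXFIL_DOMAINS)


def triage(events: List[Dict]) -> List[Dict]:
    """Walk events in time order and return findings labelled with ATT&CK technique IDs."""
    findings: List[Dict] = []
    created_users = set()   # (host, user) seen in "net user ... /add"
    staging_hosts = set()   # hosts where an archive was built

    def add(ev: Dict, technique: str, severity: str, detail: str) -> None:
        findings.append({"ts": ev["ts"], "host": ev["host"], "technique": technique,
                         "severity": severity, "detail": detail})

    for ev in events:
        if ev["type"] == "dns":
            if _is_exfil_domain(ev["query"]):
                # Archive staging on the same host earlier in the window raises confidence.
                sev = "high" if ev["host"] in staging_hosts else "medium"
                add(ev, "T1041", sev, f"lookup of exfiltration service {ev['query']}")
            continue

        image, cmd = ev["image"], ev["cmdline"]
        if LATERAL_PROC.search(image):
            add(ev, "T1059", "medium", f"remote-execution tool started: {image}")
        if ARCHIVER_PROC.search(image) and ARCHIVE_CMD.search(cmd):
            staging_hosts.add(ev["host"])
            add(ev, "T1041", "medium", f"archive built, possible staging: {cmd}")
        m = NET_USER_ADD.search(cmd)
        if m:
            created_users.add((ev["host"], m.group(1).lower()))
        m = NET_ADMIN_ADD.search(cmd)
        if m:
            user = m.group(1).lower()
            sev = "high" if (ev["host"], user) in created_users else "medium"
            add(ev, "T1136.001", sev, f"account {user} added to Administrators")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:<9} {f['technique']:<9} {f['severity']:<6} {f['detail']}")
```

On the sample data the script raises four findings and ignores the two benign records. In a real deployment the same checks would be fed from a SIEM or EDR export rather than an inline list, and the host-name correlation should be widened to the ingress hosts reported for RDP and ScreenConnect sessions, since the page places those remote services at the start of the intrusion chain.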


Read more: https://www.cisecurity.org/insights/blog/qilin-top-ransomware-threat-to-sltts-in-q2-2025