Full Report
Cisco Talos investigated the Qilin ransomware group, uncovering its frequent attacks on the manufacturing sector, use of legitimate tools for credential theft and data exfiltration, and sophisticated methods for lateral movement, evasion, and persistence.
Analysis Summary
# Threat Actor: Qilin (formerly Agenda)
## Attribution & Identity
* **Identification:** Ransomware group operating under a Ransomware-as-a-Service (RaaS) model.
* **Aliases:** Formerly known as **Agenda**.
* **Known Associations:** Affiliates are responsible for executing attacks globally using the Qilin platform and tools.
* **Attribution Clues:** Scripts showed character encodings suggesting an Eastern Europe or Russian-speaking region, though this is noted as potentially a false flag.
## Activity Summary
* **Timeline:** Active since approximately July 2022.
* **Recent Activity (H2 2025):** Extremely prolific, publishing victim information at a pace exceeding 40 cases per month on their leak site. This activity places them among the most impactful ransomware groups worldwide.
* **Modus Operandi:** Employs a double-extortion strategy (encryption + data disclosure).
* **Business Model:** Operates as a RaaS, developing and distributing the ransomware platform to affiliates.
## Tactics, Techniques & Procedures
* **Initial Access:** Suspected use of leaked administrative credentials from the dark web to gain VPN access. Lack of MFA on compromised VPNs was noted as an enabler. May also involve Group Policy (AD GPO) changes enabling RDP access.
* **Lateral Movement:** Confirmed use of **PsExec** for spreading `encryptor_1.exe` across hosts.
* **Execution/Encryption:** Observed dual deployment strategies:
  * `encryptor_1.exe` spreads via PsExec.
  * `encryptor_2.exe` is run from one system to encrypt multiple network shares.
* **Data Staging/Exfiltration:** Use of the legitimate, open-source file transfer tool **Cyberduck** to move data to cloud servers for exfiltration.
* **Internal Discovery/Reconnaissance:** Use of standard built-in tools like **notepad.exe** and **mspaint.exe** to view high-sensitivity information.
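The lateral movement, execution and exfiltration TTPs above translate into endpoint detections fairly directly. The following is an added example, not code from the Talos report: it runs three rules over constructed Sysmon/Windows-style event records (a PsExec service installation, a process spawned by the PsExec service, the two encryptor file names the report gives, and a Cyberduck network connection to a destination outside a sanctioned list). The event field names, the sample hosts and IPs, the `Cyberduck.exe` image name and the sanctioned-destination list are assumptions made for the example.

```python
"""Endpoint detection sketch for the Qilin TTPs described above.

Added example; the events are constructed, not telemetry from the report.
Event shapes mimic System 7045 (service installed), Sysmon 1 (process
create) and Sysmon 3 (network connection) with simplified key names.
"""

from collections import defaultdict

# Constructed sample telemetry. Paths, hosts and addresses are invented.
EVENTS = [
    {"host": "WS01", "event_id": 7045, "service_name": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe", "ts": "2025-06-02T01:12:04"},
    {"host": "WS01", "event_id": 1, "image": r"C:\Windows\encryptor_1.exe",
     "parent_image": r"C:\Windows\PSEXESVC.exe", "user": "CORP\\svc_backup",
     "ts": "2025-06-02T01:12:06"},
    {"host": "FS02", "event_id": 1, "image": r"C:\Users\admin\encryptor_2.exe",
     "parent_image": r"C:\Windows\explorer.exe", "user": "CORP\\admin",
     "ts": "2025-06-02T01:20:31"},
    {"host": "WS07", "event_id": 3,
     "image": r"C:\Program Files\Cyberduck\Cyberduck.exe",
     "dest_ip": "203.0.113.17", "dest_port": 443, "user": "CORP\\j.doe",
     "ts": "2025-06-01T23:48:10"},
    {"host": "WS07", "event_id": 3,
     "image": r"C:\Program Files\Cyberduck\Cyberduck.exe",
     "dest_ip": "10.20.30.5", "dest_port": 22, "user": "CORP\\j.doe",
     "ts": "2025-06-01T23:50:00"},
    {"host": "WS03", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "user": "CORP\\j.doe",
     "ts": "2025-06-01T22:00:00"},
]

# File names taken from the report; the destination allowlist is an assumption
# (an internal SFTP host where Cyberduck use is sanctioned).
ENCRYPTOR_NAMES = {"encryptor_1.exe", "encryptor_2.exe"}
SANCTIONED_TRANSFER_DESTS = {"10.20.30.5"}


def basename(path):
    """Last path component, lower-cased, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule, detail) findings for the rules described above.

    Note: PsExec's -r switch renames the service, so the service-name rule
    alone is weak; the parent-process and encryptor-name rules back it up.
    """
    findings = []
    for e in events:
        host, eid = e["host"], e["event_id"]
        if eid == 7045 and (e.get("service_name", "").upper() == "PSEXESVC"
                            or basename(e.get("image", "")) == "psexesvc.exe"):
            findings.append((host, "psexec_service_install", e["image"]))
        elif eid == 1:
            if basename(e.get("parent_image", "")) == "psexesvc.exe":
                findings.append((host, "psexec_child_process", e["image"]))
            if basename(e["image"]) in ENCRYPTOR_NAMES:
                findings.append((host, "known_encryptor_name", e["image"]))
        elif eid == 3 and basename(e["image"]) == "cyberduck.exe":
            if e["dest_ip"] not in SANCTIONED_TRANSFER_DESTS:
                detail = f"{e['user']} -> {e['dest_ip']}:{e['dest_port']}"
                findings.append((host, "unsanctioned_cyberduck_transfer", detail))
    return findings


def hosts_by_rule(findings):
    """Group affected hosts per rule, handy for scoping a response."""
    grouped = defaultdict(set)
    for host, rule, _ in findings:
        grouped[rule].add(host)
    return dict(grouped)


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The sanctioned-destination check is what keeps the Cyberduck rule useful: the tool is legitimate, so the signal is where it connects, not that it runs.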
## Targeting
* **Sectors:**
  1. Manufacturing (most affected, approx. 23% of cases)
  2. Professional and Scientific Services (approx. 18%)
  3. Wholesale Trade (approx. 10%)
  * Also significantly impacted: Healthcare, Construction, Retail, Education, and Finance (averaging around 5% each).
* **Geography:** Most severely affected countries include the United States, Canada, United Kingdom, France, and Germany.
* **Victims:** Over 40 new victims publicly disclosed monthly in the latter half of 2025, peaking near 100 disclosures in June 2025.
## Tools & Infrastructure
* **Malware Families Used:** Qilin Ransomware (`encryptor_1.exe`, `encryptor_2.exe`).
* **Legitimate Tools Abused:** Cyberduck (for exfiltration), PsExec (for lateral movement), notepad.exe, mspaint.exe.
* **Infrastructure:** No specific C2 domains or IP addresses were provided in the summary context.
## Implications
Qilin poses a significant and persistent global threat due to its high operational tempo (40+ victims/month) and use of a RaaS model, ensuring wide distribution of its capabilities. The group's proficiency in using legitimate tools (like Cyberduck) for malicious purposes complicates detection and defense. The heavy targeting of the manufacturing sector suggests disruption of critical supply chains.
## Mitigations
* Implement Multi-Factor Authentication (MFA) on all remote access services, especially VPNs.
* Monitor and restrict the use of legitimate tools like PsExec for unauthorized lateral movement.
* Monitor network traffic from legitimate file transfer tools like Cyberduck, and treat transfers to destinations that are not explicitly sanctioned as potential exfiltration of sensitive data.
* Implement comprehensive network monitoring (e.g., using Cisco Stealthwatch) to detect unauthorized RDP connections post-VPN compromise.
* Apply relevant Snort SIDs (e.g., 65446) and deploy endpoint protection detecting related malware signatures (e.g., Win.Ransomware.Qilin-10044197-0).
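The initial-access chain described in the TTPs (VPN access with leaked credentials and no MFA, followed by RDP inside the network) is best caught by correlating two log sources rather than alerting on either alone. The following is an added example, not code from the Talos report or Cisco Stealthwatch: it parses constructed VPN concentrator lines, pairs them with Windows 4624 logon-type-10 (RDP) events whose source is the VPN-assigned address, and raises an alert when the session lacked MFA or the RDP target is outside the account's baseline. The VPN line format, the baseline table, the 8-hour window and all hosts and addresses are assumptions made for the example.

```python
"""Correlate VPN sessions with RDP logons to flag post-VPN-compromise RDP.

Added example; all log lines and events are constructed. Real deployments
would consume SIEM-normalised records, but the logic is the same.
"""

import re
from datetime import datetime, timedelta

# Constructed VPN concentrator lines (format invented for this example).
VPN_LOG = """\
2025-06-02T00:58:11 VPN user=admin.backup src=198.51.100.23 assigned=10.99.0.14 mfa=no
2025-06-02T07:30:45 VPN user=j.doe src=198.51.100.77 assigned=10.99.0.21 mfa=yes
"""

# Constructed Windows Security 4624 events; logon_type 10 = RemoteInteractive (RDP).
RDP_EVENTS = [
    {"ts": "2025-06-02T01:03:20", "target_host": "DC01", "user": "admin.backup",
     "src_ip": "10.99.0.14", "logon_type": 10},
    {"ts": "2025-06-02T01:09:02", "target_host": "FS02", "user": "admin.backup",
     "src_ip": "10.99.0.14", "logon_type": 10},
    {"ts": "2025-06-02T07:35:10", "target_host": "WS07", "user": "j.doe",
     "src_ip": "10.99.0.21", "logon_type": 10},
    # From the office LAN with no matching VPN session: not in scope here.
    {"ts": "2025-06-02T09:00:00", "target_host": "WS03", "user": "j.doe",
     "src_ip": "10.0.5.8", "logon_type": 10},
]

# Assumed baseline: hosts each account normally reaches over RDP.
RDP_BASELINE = {"admin.backup": {"BKP01"}, "j.doe": {"WS07"}}

VPN_RE = re.compile(
    r"^(?P<ts>\S+) VPN user=(?P<user>\S+) src=(?P<src>\S+) "
    r"assigned=(?P<assigned>\S+) mfa=(?P<mfa>yes|no)$"
)


def parse_vpn_sessions(text):
    """Parse VPN lines into dicts with a datetime 'ts'; skip malformed lines."""
    sessions = []
    for line in text.splitlines():
        m = VPN_RE.match(line.strip())
        if m:
            s = m.groupdict()
            s["ts"] = datetime.fromisoformat(s["ts"])
            sessions.append(s)
    return sessions


def correlate(sessions, rdp_events, window=timedelta(hours=8)):
    """Return alerts for RDP logons sourced from a VPN-assigned address.

    An RDP event matches a session when the user is the same, the RDP source
    IP equals the address the VPN assigned, and the logon falls within
    `window` of the VPN login. A match alerts if the VPN session had no MFA
    or the RDP target is outside the user's baseline; both reasons are kept.
    """
    alerts = []
    for ev in rdp_events:
        if ev["logon_type"] != 10:
            continue
        ev_ts = datetime.fromisoformat(ev["ts"])
        for s in sessions:
            if s["user"] != ev["user"] or s["assigned"] != ev["src_ip"]:
                continue
            if not (s["ts"] <= ev_ts <= s["ts"] + window):
                continue
            reasons = []
            if s["mfa"] == "no":
                reasons.append("no_mfa")
            if ev["target_host"] not in RDP_BASELINE.get(ev["user"], set()):
                reasons.append("off_baseline_target")
            if reasons:
                alerts.append({"user": ev["user"], "target_host": ev["target_host"],
                               "vpn_src": s["src"], "rdp_ts": ev["ts"],
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_vpn_sessions(VPN_LOG), RDP_EVENTS):
        print(a)
```

Keeping the external VPN source address in each alert matters for response: it is the pivot back to the leaked credential's origin, and the pairing of `no_mfa` with `off_baseline_target` is the case that deserves immediate session termination.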