
Ransomware Trends: Qilin Group Activity Surges

September 17, 2025

The Qilin ransomware group (also known as Agenda) has significantly ramped up operations in 2025, and their targeting pattern should be on the radar of every mid-market organization.

Unlike some ransomware groups that focus exclusively on large enterprises, Qilin has shown a willingness to target organizations across the revenue spectrum, including healthcare providers, manufacturing firms, and professional services companies in the $50M-$500M range.

What makes Qilin worth watching

Ransomware-as-a-Service model. Qilin operates an affiliate program, which means the group behind the malware isn't necessarily the group conducting the intrusion. This creates a diverse set of initial access methods: some affiliates use phishing, others exploit VPN vulnerabilities, and others purchase access from initial access brokers.

Cross-platform capability. Qilin has variants targeting both Windows and Linux/VMware ESXi environments. This is significant because many organizations that have invested heavily in Windows endpoint security have less visibility into their Linux server and virtualization infrastructure. An attacker who can't deploy ransomware on the endpoints may still be able to encrypt the virtual machine hosts.

Double extortion as standard practice. Like most modern ransomware groups, Qilin exfiltrates data before encryption. Even if you have excellent backups and can restore without paying, you still face the risk of sensitive data being published on their leak site. This makes data loss prevention and network monitoring as important as backup and recovery.

The typical Qilin attack chain

Based on incident reports and threat intelligence, a typical Qilin intrusion follows a predictable pattern:

  1. Initial access through compromised VPN credentials (often purchased) or exploitation of internet-facing vulnerabilities
  2. Discovery and lateral movement using legitimate tools like Advanced IP Scanner, PsExec, and RDP
  3. Privilege escalation to domain admin through credential harvesting
  4. Data exfiltration to cloud storage services before encryption
  5. Deployment of ransomware across the environment, often targeting both Windows systems and ESXi hosts

The time from initial access to ransomware deployment varies, but in several documented cases, the entire attack chain completed within 48-72 hours.

Defensive priorities

1. Secure your internet-facing attack surface. VPN appliances, remote desktop gateways, and web applications are the most common entry points. Patch these systems aggressively. Implement MFA on all remote access: not just VPN, but also any web-based management interfaces.

2. Monitor for lateral movement indicators. Tools like PsExec, unauthorized RDP sessions, and network scanning from workstations are strong indicators of an active intrusion. Your EDR and SIEM should alert on these activities. If you don't have these capabilities, this is where to invest.
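A toy SIEM-style correlation of these three indicators over constructed log lines, added here as an example (it is not code from the original newsletter or from any vendor product). The log format, the borrowed Windows/Sysmon event numbering, the workstation hostname convention, the jump-host list and the scan threshold are all assumptions.

```python
# Toy SIEM-style correlation over a constructed log format (one event per line):
#   <timestamp>|<host>|<event_id>|key=value;key=value...
# Event IDs borrow Windows/Sysmon numbering: 7045 service installed,
# 4624 logon (LogonType=10 is RDP), 3 Sysmon network connection.
from collections import defaultdict

# Constructed sample events; not captured from any real incident.
SAMPLE_LOG = """\
2025-09-16T02:10:05|WS-0142|3|src=10.1.5.42;dst=10.1.20.11;port=445
2025-09-16T02:10:06|WS-0142|3|src=10.1.5.42;dst=10.1.20.12;port=445
2025-09-16T02:10:06|WS-0142|3|src=10.1.5.42;dst=10.1.20.13;port=445
2025-09-16T02:10:07|WS-0142|3|src=10.1.5.42;dst=10.1.20.14;port=445
2025-09-16T02:11:30|FS-01|7045|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
2025-09-16T02:12:01|BACKUP-01|4624|LogonType=10;src=10.1.5.42;user=jsmith
2025-09-16T09:00:00|BACKUP-01|4624|LogonType=10;src=10.1.99.5;user=admin
2025-09-16T09:05:00|FS-01|7045|ServiceName=Spooler;ImagePath=%SystemRoot%\\spoolsv.exe
"""

JUMP_HOSTS = {"10.1.99.5"}      # assumed: the only approved RDP source
WORKSTATION_PREFIX = "WS-"      # assumed hostname convention for workstations
SCAN_THRESHOLD = 4              # distinct destinations from one workstation

def parse_line(line):
    ts, host, event_id, kv = line.split("|", 3)
    fields = dict(pair.split("=", 1) for pair in kv.split(";") if pair)
    return {"ts": ts, "host": host, "event_id": event_id, **fields}

def detect(lines, jump_hosts=JUMP_HOSTS, scan_threshold=SCAN_THRESHOLD):
    """Return (indicator, host, detail) tuples for each indicator hit."""
    alerts = []
    dests = defaultdict(set)    # workstation -> distinct destinations contacted
    for line in lines:
        ev = parse_line(line)
        # PsExec installs a service named PSEXESVC on the target host.
        if ev["event_id"] == "7045" and ev.get("ServiceName", "").upper() == "PSEXESVC":
            alerts.append(("psexec_service", ev["host"], ev["ts"]))
        # RDP logon (type 10) from anything other than an approved jump host.
        elif ev["event_id"] == "4624" and ev.get("LogonType") == "10" \
                and ev.get("src") not in jump_hosts:
            alerts.append(("unauthorized_rdp", ev["host"], ev["src"]))
        # Fan-out from a workstation to many distinct hosts looks like scanning.
        elif ev["event_id"] == "3" and ev["host"].startswith(WORKSTATION_PREFIX):
            dests[ev["host"]].add(ev["dst"])
            if len(dests[ev["host"]]) == scan_threshold:
                alerts.append(("workstation_scan", ev["host"], ev["src"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running it on the sample prints one alert per indicator; the RDP logon from the approved jump host and the Spooler service install are correctly ignored.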

3. Protect your backup infrastructure. Qilin and similar groups specifically target backup systems. Your backups should be isolated from the production network, require separate credentials, and include at least one copy that's offline or immutable. Test restoration regularly.

4. Segment your virtualization infrastructure. ESXi management interfaces should not be accessible from the general corporate network. VMware admin access should require MFA and be limited to specific jump servers.

5. Have a data exfiltration detection capability. If an attacker is staging gigabytes of data for exfiltration, you want to know about it before the ransomware deploys. Monitor for unusual outbound data transfers, especially to cloud storage services.

What to do right now

Run this quick check: Can an attacker who compromises a single employee's VPN credentials reach your domain controllers, backup servers, and virtualization hosts? If the answer is yes, you have work to do, and that work should start this week, not next quarter.