
Threat Actor Profile: Qilin (aka Agenda)

Ransomware-as-a-Service • Active since at least 2022 • Double extortion

Overview

Qilin, also known as Agenda, is a sophisticated ransomware-as-a-service (RaaS) operation active since at least 2022. It distinguishes itself through the extensive build-time customization it offers affiliates and its reliance on double extortion: the affiliate exfiltrates files before encrypting the victim's data, and the stolen data is published on the group's leak site if the ransom is not paid.

Attribution & Origin

  • Aliases: Agenda
  • First Observed: 2022
  • Model: Ransomware-as-a-Service (RaaS)
  • Primary Target Countries: United States, United Kingdom, Germany, France, Canada, Japan
  • Primary Target Sectors: Critical infrastructure including healthcare, manufacturing, and education

Notable Characteristics

  • Double extortion: Encrypts and exfiltrates data; leaks the data if the ransom is unpaid.
  • Customization: Affiliates configure persistence, encryption, and execution behavior at build time.
  • Sophistication: Uses layered persistence, privilege escalation, and defense evasion.
  • Initial Access: Frequently via credentials purchased or leaked on underground markets.

Tactics, Techniques & Procedures (MITRE ATT&CK)

Initial Access

  • Valid Accounts (T1078): Access via leaked or purchased credentials.
  • Spearphishing Link (T1566.002): Malicious links in email (malicious attachments fall under Spearphishing Attachment, T1566.001).

Execution

  • Command and Scripting Interpreter (T1059): Use of CLI and scripts to execute actions.

Persistence

  • Scheduled Task (T1053.005): Maintains persistence through scheduled tasks.
  • Registry Run Keys / Startup Folder (T1547.001): Registry entries or startup executables.
  • Valid Accounts (T1078): Continued access using compromised accounts.

Privilege Escalation

  • Process Injection (T1055): Injects code into legitimate processes to run under their privileges and blend in with normal activity.
  • Group Policy Modification (T1484.001): Weakens security settings via GPO changes.

Defense Evasion

  • Disable Windows Event Logging (T1562.002): Disables or clears event logs to hinder detection and forensic analysis.
  • Safe Mode Boot (T1562.009): Configures the host to reboot into Safe Mode, where most security tooling does not load, before encryption.
  • Modify Registry (T1112): Adjusts registry settings to avoid detection.

Credential Access

  • Credentials in Files (T1552.001): Searches for and extracts credentials from files.
  • Group Policy Preferences (T1552.006): Recovers credentials stored in Group Policy Preferences files in SYSVOL.

Lateral Movement

  • Replication Through Removable Media (T1091): Spreads via removable devices.

Evasion & Anti-Forensics

  • Disables security tooling prior to encryption.
  • Disables or clears Windows Event Logs to obscure activity.
  • Boots into Safe Mode to neutralize endpoint protections before encrypting data.
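The persistence and evasion behaviours listed above leave host telemetry before any file is encrypted. The following is an added example, not code from the original profile or from any vendor: a small detector run over constructed Windows-style events (simplified process-creation and registry-set records; the field names and the sample command lines are assumptions, not captured Qilin artefacts). It maps each hit to the ATT&CK ID used on this page and then correlates by account, because a single hit is noisy while one account touching several of these techniques in sequence is the pre-encryption staging pattern worth paging on.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not captured Qilin artefacts). Each dict mimics a
# simplified process-creation (Sysmon EID 1 / Security 4688) or registry-set
# (Sysmon EID 13) event; the field names are assumptions, not a vendor schema.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network", "user": "CORP\\svc_backup"},
    {"type": "process", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security", "user": "CORP\\svc_backup"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "updater", "data": r"C:\ProgramData\u.exe", "user": "CORP\\svc_backup"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "Updater" /tr C:\\ProgramData\\u.exe /sc onstart /ru SYSTEM',
     "user": "CORP\\svc_backup"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog",
     "value": "Start", "data": "4", "user": "CORP\\svc_backup"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt", "user": "CORP\\jdoe"},  # benign control
]


def _proc(ev, exe, pattern):
    """True when a process event ran `exe` with a command line matching `pattern`."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith("\\" + exe)
            and re.search(pattern, ev["cmdline"], re.IGNORECASE) is not None)


def _reg(ev, key_pattern, value=None, data=None):
    """True when a registry-set event touches a key matching `key_pattern`
    (and, if given, the named value and data)."""
    if ev["type"] != "registry" or not re.search(key_pattern, ev["key"], re.IGNORECASE):
        return False
    if value is not None and ev["value"].lower() != value.lower():
        return False
    if data is not None and ev["data"] != data:
        return False
    return True


# Detection rules keyed by the ATT&CK technique IDs used in this profile.
# Each rule is a predicate over a single event.
RULES = {
    "T1562.009": ("Safe Mode Boot",
                  lambda ev: _proc(ev, "bcdedit.exe", r"\bsafeboot\b")),
    "T1562.002": ("Disable Windows Event Logging",
                  lambda ev: _proc(ev, "wevtutil.exe", r"\b(cl|clear-log)\b|/e:false")
                  # Start=4 sets the EventLog service to Disabled
                  or _reg(ev, r"\\Services\\EventLog$", value="Start", data="4")),
    "T1547.001": ("Registry Run Keys / Startup Folder",
                  lambda ev: _reg(ev, r"\\CurrentVersion\\Run(Once)?$")),
    "T1053.005": ("Scheduled Task",
                  lambda ev: _proc(ev, "schtasks.exe", r"/create\b")),
}


def scan(events):
    """Return one hit per (event, technique) match, with the triggering evidence."""
    hits = []
    for ev in events:
        for tid, (name, pred) in RULES.items():
            if pred(ev):
                evidence = ev.get("cmdline") or f'{ev["key"]}\\{ev["value"]}={ev["data"]}'
                hits.append({"technique": tid, "name": name,
                             "user": ev["user"], "evidence": evidence})
    return hits


def staging_accounts(hits, min_techniques=2):
    """Group hits by account. An account that has triggered several distinct
    persistence/evasion techniques looks like pre-encryption staging, which is
    a far better paging signal than any single rule firing."""
    by_user = defaultdict(set)
    for h in hits:
        by_user[h["user"]].add(h["technique"])
    return {u: sorted(t) for u, t in by_user.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["technique"]:<10} {h["user"]:<18} {h["evidence"]}')
    print("staging accounts:", staging_accounts(found))
```

On the sample data the benign notepad event produces no hit, while svc_backup triggers four distinct techniques and is returned by staging_accounts. In production the same correlation should be bounded by a time window and keyed on host as well as account; the threshold of two techniques is a starting point to tune against your own baseline of legitimate schtasks and Run-key activity.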

Defensive Recommendations

  • Multi-Factor Authentication (MFA): Enforce on VPN, RDP and other remote access and on all privileged accounts; purchased or leaked credentials without MFA are the group's most common entry point.
  • Network Segmentation: Isolate critical systems and reduce blast radius, including segmenting backup infrastructure from the general domain.
  • Patch Management: Prioritize external-facing services and remote access appliances.
  • Endpoint Detection & Response (EDR): Alert on scheduled-task creation, Run-key writes, event-log clearing or disabling, and Safe Mode boot configuration changes; these precede encryption and give defenders a window to respond.
  • User Awareness Training: Phishing and credential-theft education.
  • Backups: Maintain offline or immutable backups and test restores regularly; note that backups address the encryption but not the data-leak half of double extortion.

References

  1. MITRE ATT&CK. Qilin Ransomware – Techniques and Procedures. https://attack.mitre.org/
  2. Cyble. Qilin Ransomware Group – Threat Actor Profile. https://cyble.com/threat-actor-profiles/qilin-ransomware-group/
  3. U.S. Department of Health & Human Services. Qilin Threat Profile (TLP:CLEAR). https://www.hhs.gov/sites/default/files/qilin-threat-profile-tlpclear.pdf