Qilin Ransomware 2026: TTPs, Victims and Defense Guide

What is Qilin Ransomware? The Most Active RaaS Operation in 2026

Qilin operates as a ransomware-as-a-service (RaaS) platform, with operators who maintain the payload and supporting infrastructure, recruit affiliates, and collect a percentage of ransom payments. When major ransomware operations, like LockBit, RansomHub, and ALPHV/BlackCat, collapsed, were dismantled, or went dark throughout 2024 and into 2025, displaced affiliates needed somewhere to go, and Qilin had the infrastructure, recruitment pipeline, and revenue model to compete for them.

The operation has expanded its targeting, grown its ransomware affiliate program, and built an extortion model that goes well beyond encryption. MOXFIVE tracking shows Qilin operators have claimed approximately 1,500 victims since launch, with more than 500 in 2026 alone, making it the most active ransomware operation in our dataset. (See the MOXFIVE Threat Actor Spotlight on Qilin for additional tracking and affiliate analysis.)

Figure 1: Qilin (formerly Agenda) ransomware operational timeline, 2022–2026. Tracing the group's evolution from its initial Go-based payload to a mature Rust-based RaaS platform.

How Qilin's Ransomware-as-a-Service (RaaS) Model Works

Qilin operates under the RaaS model, meaning the operators develop and maintain the infrastructure while affiliates carry out attacks against victim organizations. That division of labor allows the operation to support more activity than a closed ransomware group could likely sustain on its own. Affiliates earn between 80 and 85 percent of each ransom payment, with operators retaining the remainder, a split that positions Qilin as one of the more financially attractive programs available to threat actors in the market. Recruitment is conducted through RAMP, a Russian-language cybercrime forum, giving operators access to an established base of potential affiliates.

Originally launched in 2022 under the name Agenda, the operation rebranded as Qilin and rewrote its codebase in Rust before expanding into a mature RaaS platform. The payload targets Windows, Linux, and VMware ESXi environments, a combination that puts virtualized enterprise infrastructure directly in scope alongside traditional endpoints. The affiliate panel gives affiliates customizable execution options, service termination capabilities, and safe-mode rebooting to evade defenses during encryption, enabling less-prepared affiliates to execute more capable attacks.

Figure 2: Qilin data leak site (redacted)

The extortion model extends well beyond encryption. Qilin affiliates exfiltrate data before deploying ransomware, then use the threat of public exposure as a second layer of pressure. (This approach is also known as double extortion ransomware.) Stolen data is published on a Tor-based leak site, though Qilin's leak site infrastructure is known to be unstable. Outages lasting a week or more are not uncommon, and each victim dump is hosted on a unique onion URL, meaning individual postings can become inaccessible for extended periods. Since May 2024, operators have extended that exposure through WikiLeaksV2, a clear web site that publishes leaked victim data outside the dark web. The affiliate panel also includes a DDoS capability and a feature described as Call Lawyer, which introduces purported legal counsel into ransom negotiations and frames the victim's exposure in terms of regulatory liability under GDPR, CCPA, and HIPAA. Together, those features give affiliates more ways to pressure victims before and after encryption.

Who is Behind Qilin? Affiliates, Cybercriminals and State-Linked Threat Actors

Qilin operators are known to recruit broadly, and the threat actors that have adopted the platform span a wide range of types and motivations. Because affiliates bring their own initial access methods and operational approaches, Qilin deployments can vary by intrusion.

  • Financially Motivated Affiliates: These cybercriminals make up the largest known portion of Qilin's affiliate base. Their targeting is opportunistic, driven by access availability rather than sector-specific focus, and their methods span credential theft, phishing, and vulnerability exploitation.
  • State-Linked Deployment: Moonstone Sleet and North Korea. Qilin has also been deployed by state-linked threat actors. In 2025, Microsoft observed Moonstone Sleet, a North Korea-linked state actor, deploying Qilin ransomware against a limited number of organizations, marking the first reported instance of the group deploying ransomware developed by a RaaS operator instead of its own custom ransomware.

That mix makes a single defensive profile insufficient. Qilin deployments can involve different access methods, tooling, and objectives depending on the threat actors behind the intrusion.

Qilin Ransomware Victims: Industries and Geographies Targeted in 2026

While the United States accounts for the highest concentration of victims, Qilin's impact has been felt across North America and Western Europe. Manufacturing and Production is the most targeted sector, followed by Professional Services, Retail and Hospitality, Technology, and Construction and Engineering. With over 500 victim organizations posted in 2026 alone, Qilin's targeting spans industries and organization sizes that make it relevant to both mature security programs and resource-constrained teams.

Figure 3: Top industries impacted by Qilin ransomware in the first half of 2026

Qilin Initial Access Methods: How Affiliates Breach Target Environments

Affiliates deploying Qilin gain access through a range of entry points that vary based on available credentials, exposed services, and exploitable public-facing systems. The common initial access methods fall into two broad categories: credential-based access and exploitation of public-facing applications.

Figure 4: Observed initial access methods in Qilin deployments

Credential-based vectors account for the highest frequency of observed initial access points. The conditions that enable them (exposed RDP services, unprotected VPN portals, and credentials available on dark web markets) appear often enough across sectors to make credential-based access a recurring concern. Beyond credentials, affiliates have exploited vulnerabilities in internet-facing firewall appliances, VPN infrastructure, and enterprise software platforms.

Qilin Attack Chain: From Initial Access to Encryption (TTPs Breakdown)

Gaining access is only the beginning. Many Qilin deployments move through recognizable phases, with affiliates often delaying ransomware execution until they have expanded access, staged data, or weakened recovery options. The tools deployed at each phase vary, but the objective remains the same: encrypt systems, disrupt recovery, and pressure the victim to pay.

Figure 5: Common tools used in attack chains deploying Qilin

  • Credential Access: An early priority after gaining a foothold is credential extraction, providing the access needed to move laterally and escalate privileges across targeted systems. Mimikatz has been observed at this stage, where threat actors use it to dump credentials directly from memory. Group Policy scripts have also been deployed to harvest credentials stored in Google Chrome across domain-joined machines, extending credential exposure before encryption begins.
  • Defense Evasion: Before encryption, affiliates may attempt to reduce endpoint visibility. A BYOVD attack chain deployed via DLL sideloading has been observed terminating hundreds of EDR drivers, reducing visibility before ransomware execution. Linux encryptors executed inside Windows Subsystem for Linux can bypass detections focused on native Windows execution.
  • Lateral Movement: Stolen credentials are used to reach domain controllers and expand access throughout the environment. PsExec and RDP have been observed at this stage, with CobaltStrike used to support command and control before ransomware execution.
  • Exfiltration: Before ransomware deploys, affiliates can stage and transfer data out of the environment. CyberDuck has been observed as a cloud transfer tool in multiple Qilin incidents, though other methods have been used. By the time encryption-based detection activates, the data theft phase may already be complete.
  • Encryption and Impact: The final phase increases recovery pressure by encrypting systems, disrupting backups, and forcing the victim into a negotiation under operational stress. Volume Shadow Copies are deleted, Veeam backup infrastructure is targeted, and event logs are cleared before the ransom note appears. In environments where full domain compromise affects identity, backups, and administrative trust, recovery can require domain-level remediation rather than host-by-host restoration.

By the time many organizations detect a Qilin deployment, affiliates may have already moved through credential access, lateral movement, and exfiltration. The useful question for defenders is which controls can stop the intrusion before affiliates move from access to encryption.

How to Defend Against Qilin Ransomware: Controls That Actually Work

Qilin’s affiliate model means tools and entry points can shift from one incident to the next, but defenders still see recurring pressure points: credentials, endpoint visibility, lateral movement, exfiltration, and backups. The controls that matter most are the ones that interrupt the attack at multiple points regardless of how an affiliate executes it.

  • Enforce phishing-resistant MFA: Standard MFA alone is insufficient against the adversary-in-the-middle credential harvesting techniques observed in Qilin incidents.
  • Patch internet-facing infrastructure: FortiGate and SAP NetWeaver vulnerabilities have both been exploited in Qilin campaigns. Unpatched perimeter devices represent a direct entry point.
  • Deploy and extend EDR coverage: Qilin affiliates specifically target gaps in standard endpoint detection, including WSL-based execution and BYOVD driver loading. Organizations without behavioral endpoint detection have limited visibility into defense evasion and lateral movement.
  • Monitor RMM tool usage: AnyDesk, ScreenConnect, Splashtop, and TeamViewer have all been observed in Qilin attacks outside of legitimate contexts. Unexpected RMM activity is a pre-encryption indicator.
  • Detect exfiltration before encryption: Data leaves the environment before ransomware deploys in Qilin attacks. Detection built around encryption events alone can miss the most consequential part of the attack.
  • Protect backup infrastructure: VSS deletion and Veeam targeting have been observed in Qilin cases. Offline, immutable backups not accessible through domain accounts can be the difference between recovery and a full rebuild.
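As an added example (not part of the original post and not MOXFIVE tooling), the Python below triages process-creation events for the pre-encryption behaviours named in the attack chain above and in the controls just listed: shadow copy deletion and Veeam service stops, event log clearing, WSL-based execution, PsExec lateral movement, and RMM tools running on hosts where they are not expected. The sample events, the allow-listed host, and the regular expressions are all assumptions constructed for this example and need tuning before use.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon EID 1 / Windows 4688 style) as
# (host, user, image, command line). Built for this example; not from a real incident.
SAMPLE_EVENTS = [
    ("ws01", "CORP\\jdoe", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("ws01", "CORP\\jdoe", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    ("srv-bk01", "CORP\\jdoe", r"C:\Windows\System32\net.exe", "net stop VeeamBackupSvc"),
    ("ws07", "CORP\\asmith", r"C:\Windows\System32\wsl.exe", "wsl.exe -e /mnt/c/Users/asmith/tmp/run.sh"),
    ("ws07", "CORP\\asmith", r"C:\Users\asmith\Downloads\AnyDesk.exe", "AnyDesk.exe"),
    ("ws07", "CORP\\asmith", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ("hd01", "CORP\\helpdesk", r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),  # sanctioned RMM host
    ("ws01", "CORP\\jdoe", r"C:\Windows\notepad.exe", "notepad.exe notes.txt"),  # benign
]

# Hosts where RMM tooling is expected (an assumption for this example).
RMM_ALLOWED_HOSTS = {"hd01"}

# One pattern per pre-encryption behaviour from the attack chain, applied to
# "<image> <command line>". Tune names and paths to your own environment.
RULES = {
    "backup_tampering": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|\b(net|sc)(\.exe)?\s+stop\s+veeam", re.I),
    "log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
    "wsl_execution": re.compile(r"\\wsl\.exe\b", re.I),
    "psexec_lateral": re.compile(r"\\psexe(c|svc)(\.exe)?\b", re.I),
    "rmm_unexpected": re.compile(r"\\(anydesk|screenconnect|splashtop|teamviewer)[^\\ ]*\.exe\b", re.I),
}

def triage(events, rmm_allowed_hosts=RMM_ALLOWED_HOSTS):
    """Return (rule, host, user, cmdline) for every event that matches a rule."""
    alerts = []
    for host, user, image, cmdline in events:
        subject = f"{image} {cmdline}"
        for name, rx in RULES.items():
            if not rx.search(subject):
                continue
            if name == "rmm_unexpected" and host in rmm_allowed_hosts:
                continue  # RMM on a sanctioned host is expected, not an alert
            alerts.append((name, host, user, cmdline))
    return alerts

def hosts_nearing_encryption(alerts, min_behaviours=2):
    """Hosts showing several distinct pre-encryption behaviours: isolate these first."""
    seen = defaultdict(set)
    for name, host, _, _ in alerts:
        seen[host].add(name)
    return sorted(h for h, names in seen.items() if len(names) >= min_behaviours)
```

On the constructed sample, `triage` raises six alerts and `hosts_nearing_encryption` returns `ws01` (backup tampering plus log clearing) and `ws07` (WSL, PsExec and unexpected RMM), while the sanctioned AnyDesk use on `hd01` stays silent.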

Qilin is not a threat that organizations can patch their way out of once. The affiliate network continues to expand, the tooling evolves, and the targeting is broad. These controls exist because the attack chain gives defenders multiple opportunities to interrupt it, but only if those controls are already in place.

For a deeper look at Qilin's infrastructure, affiliate recruitment, and observed TTPs, see the MOXFIVE Threat Actor Spotlight: Qilin.

Dylan Duncan

Dylan Duncan spearheads MOXFIVE's Cyber Threat Intelligence efforts with a sharp focus on the ever-evolving threat landscape and the sophisticated tactics of cyber adversaries. He has spent years investigating and dissecting complex threats, particularly malware loaders that serve as gateways for ransomware attacks. Through his impactful research and insightful reports, Dylan has exposed the strategies of some of the most formidable threat actors, contributing critical intelligence that has aided law enforcement in high-stakes operations. With a commitment to resilience and strategic foresight, Dylan equips organizations to proactively defend against tomorrow's cyber threats.
