Qilin ransomware has rapidly ascended to become the world’s most prevalent ransomware threat, accumulating over $50 million in ransom payments throughout 2024 alone.
Originally developed as ‘Agent’ in 2022 and later rewritten in the Rust programming language, this sophisticated malware has evolved into a formidable weapon targeting critical infrastructure across more than 25 countries.
Qilin Ransomware Emergence
Qilin gained significant traction by late 2023 through targeted attacks on VMware ESXi infrastructure, establishing itself as a dominant force in the cybercriminal ecosystem.
Named after the mythical Chinese creature symbolizing power and prosperity, the ransomware has been linked to threat actors including Scattered Spider and entities associated with North Korea.
The malware’s operational model includes unprecedented features such as legal support for clients through a “Call Lawyer” service, demonstrating the sophistication of modern ransomware-as-a-service operations.
Public threat intelligence reports now rank Qilin as the leading ransomware threat, with the FBI identifying over 1,700 ransomware attacks in 2024, generating reported earnings of $91 million across all variants.
The U.S. Department of Health and Human Services has documented Qilin-related losses ranging from $6 million to $40 million per incident, primarily affecting healthcare and government agencies.
Qualys reports that the recent Qilin B variants incorporate sophisticated encryption enhancements, including AES-256-CTR (Advanced Encryption Standard with 256-bit key and Counter mode), Optimal Asymmetric Encryption Padding (OAEP), and ChaCha20 for secure communications.
The malware leverages AES-NI (Advanced Encryption Standard New Instructions) capabilities to accelerate encryption processing on x86 architecture systems.
Initial access vectors include spearphishing campaigns, Remote Monitoring & Management software exploitation, multifactor authentication bombing, and SIM swapping techniques.
Qilin has previously exploited CVE-2023-27532 as part of the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application).
The ransomware employs advanced evasion tactics, clearing Windows event logs and deleting itself to hinder forensic analysis.
Defense Recommendations
Security experts emphasize the importance of proactive defense measures, including immutable backup strategies that withstand attempts to delete Windows Volume Shadow Copy Service (VSS) snapshots.
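As an added example that is not part of the original article, the Python sketch below turns the two host behaviours described above (event-log clearing and VSS shadow-copy deletion) into a simple detection over constructed Windows event records. The event IDs are standard Windows audit IDs; the command-line patterns and the per-host severity rule are assumptions of this example, not indicators the article lists.

```python
"""Detection sketch: Windows event-log clearing and shadow-copy (VSS) deletion.
All sample events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Windows event IDs: 1102 = Security log cleared, 104 = System/Application log
# cleared, 4688 = new process created (command line present when auditing is on).
LOG_CLEAR_IDS = {1102, 104}
PROCESS_CREATE_ID = 4688

# Command lines that delete or shrink away shadow copies (assumed indicators).
VSS_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*maxsize", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*Delete", re.I),  # PowerShell/WMI variant
]

@dataclass(frozen=True)
class Event:
    host: str
    event_id: int
    command_line: str = ""

def classify(ev):
    """Return a finding label for one event, or None if it looks benign."""
    if ev.event_id in LOG_CLEAR_IDS:
        return "event_log_cleared"
    if ev.event_id == PROCESS_CREATE_ID and any(
            p.search(ev.command_line) for p in VSS_DELETE_PATTERNS):
        return "shadow_copy_deletion"
    return None

def detect(events):
    """Aggregate findings per host. A host showing both behaviours is rated
    high, since together they match the evasion/anti-recovery sequence above."""
    per_host = {}
    for ev in events:
        label = classify(ev)
        if label:
            per_host.setdefault(ev.host, set()).add(label)
    return {h: ("high" if len(l) == 2 else "medium", sorted(l))
            for h, l in per_host.items()}

SAMPLE = [  # constructed events
    Event("ws01", 4688, "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"),
    Event("ws01", 1102),
    Event("fs02", 4688, "wmic shadowcopy delete"),
    Event("ws03", 4688, "notepad.exe C:\\Users\\a\\notes.txt"),
]

if __name__ == "__main__":
    for host, (severity, labels) in detect(SAMPLE).items():
        print(host, severity, labels)
```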
Organizations should implement Zero Trust Architecture with network segmentation to limit the blast radius during breaches.
Critical recommendations include prioritizing vulnerability patch management for network-facing systems, deploying multi-layered antivirus solutions, and conducting regular tabletop exercises focused on ransomware scenarios.
The ransomware strategically targets manufacturing, legal, professional services, and financial services sectors, using online calculators to estimate potential payouts before launching attacks.