Qilin represents one of the most dangerous and adaptive RaaS threats active today.
The authors of FOR589 discuss the evolution of one of the most active cybercriminal threats known as Qilin, a ransomware-as-a-service (RaaS) operation originating from the Russian-speaking underground community.
In this blog, we will discuss the evolution of Qilin, a well-known RaaS platform that has been linked to several high-profile ransomware attacks, including against Synnovis, The Big Issue, Yanfen, and Inotiv.
Active since at least mid-2022, the Qilin group is named after the mythical Chinese creature. The cybercriminals behind the Qilin RaaS, however, speak Russian. Before the Qilin RaaS emerged, the threat actors operated under the name Agenda ransomware, later rebranding to Qilin.
Qilin ransomware is used for domain-wide encryption, and a ransom is then demanded for the decryption keys and/or to prevent the publication of the stolen data. Qilin affiliates are recruited from cybercrime forums to use the Qilin RaaS platform, which handles payload generation, the publication of stolen data, and ransom negotiations.
Qilin is advertised on the exclusive Russian-speaking forum RAMP (short for Ransom Anon Market Place [sic]), where acquiring an account can cost up to $500 in BTC. The forum profile “Haise” joined RAMP on May 29, 2022, and advertised Qilin on February 13, 2023.
On May 1, 2024, Qilin made an unusual move by adding a new QR code to its Tor data leak site, which pointed to a clearnet site called WikiLeaksV2, where they listed a selection of their victims in addition to soliciting cryptocurrency donations. They also claimed, in a pseudo-interview with themselves, to be politically motivated.
RansomwareLive is a useful source for investigating ransomware groups. One of the most valuable sources of data is the negotiation chats between ransomware gangs and their victims. The website contains a detailed negotiation chat between a Qilin negotiator and a victim, providing insight into how the group operates.
To entice victims to pay the ransom, the Qilin negotiator offered several services, including a decryption tool, a list of stolen files, proof that the data was deleted, an explanation of how they infiltrated the victim’s network, security recommendations, and a promise not to attack the victim again. Qilin also allowed victims to decrypt up to three files as proof they had decryption capability.
This negotiation chat began on February 3, 2025, and concluded on February 26, 2025, with no ransom being paid. During the chat, Qilin mentioned having stolen patient data, and on February 26, a medical company in Canada matching this description was listed on Qilin’s data leak site.
A ransomware affiliate is essentially a partner in a RaaS operation. Affiliates are external cybercriminals (individuals or groups) who “rent” or are invited to access the RaaS through an affiliate program. Affiliates keep a cut of ransom payments, while the operators take a smaller percentage in exchange for providing the ransomware payloads, Tor infrastructure, and negotiation portal.
In March 2023, Group-IB researchers noted that Qilin affiliates using the RaaS received up to 80% if the ransom paid was $3 million USD or less. For ransoms over $3 million USD, an affiliate's cut could rise to 85%. In July 2023, KELA spotted that the Qilin RaaS operator Haise stated on RAMP that ransom payments are paid to their affiliates’ cryptocurrency wallets first and only then is a share transferred to the Qilin RaaS operators.
As of July 2025, however, security researcher Arda Büyükkaya (@WhichbufferArda) identified multiple forum posts criticising the Qilin RaaS. One affiliate, “hastalamuerte,” claimed they lost $48,000 USD (in Bitcoin) after a ransom negotiation “mysteriously disappeared” from a Tox chat. In the same thread, another actor, “Nova,” posted credentials and a screenshot of Qilin’s affiliate panel to embarrass the group. It appears that not all affiliates of Qilin are satisfied, and some are even attempting to sabotage it.
In June 2022, Microsoft reported that DEV-0237 (also known as FIN12) was identified as an affiliate of Agenda ransomware, the precursor to Qilin. FIN12 was also an affiliate of Nokoyawa, ALPHV/BlackCat, Hive, Conti, and Ryuk ransomware according to Microsoft.
On April 30, 2023, Qilin published Siix Corporation to its Tor data leak site. On October 17, 2023, ALPHV/BlackCat also published Siix Corporation to its Tor site. On October 26, 2023, SG World appeared on the Qilin Tor data leak site, having previously been listed on the Conti Tor data leak site on April 17, 2021.
In July 2024, Microsoft shared that Octo Tempest (also known as SCATTERED SPIDER) had become a Qilin affiliate, known for using social engineering techniques such as vishing IT helpdesk personnel to reset passwords and for targeting VMware ESXi servers with ransomware.
In March 2025, Microsoft identified Moonstone Sleet, a North Korean state actor, deploying Qilin ransomware at a limited number of organizations.
In April 2025, a Qilin affiliate self-identified as “Devman” when they included “Pwn3d By Qilin & Devman” in one of their victim posts. The affiliate also revealed the ransom demand of $60,000 USD and included an onion link to “DEVMANS_BLOG,” a different Tor data leak site.
In March 2025, a new extortion group appeared called Arkana Security. Arkana launched a new data leak site and claimed to have stolen over 2 million customer records from WideOpenWest (WOW!), a major US internet service provider. Later, on Arkana’s Tor data leak site, the “About & Contact” page displayed a Qilin Network logo, suggesting an affiliation between the two groups.
In June 2025, Qilin’s administrator, Haise, posted to RAMP announcing plans to add a “call lawyer” legal assistance feature to the RaaS panel. This pseudo-legal service was framed as legal advice to help affiliates manage extortion negotiations and increase pressure on victims, reflecting the maturing of the RaaS ecosystem.
By performing legal assessments to classify stolen data, the extortionists aimed to emphasize compliance risks and regulatory exposure under frameworks such as GDPR, CCPA, and HIPAA as well as applicable laws by jurisdiction.
Qilin’s goal is to push victims to pay by convincing them that lawsuits and reputational damage would be costlier than the ransom.
In July 2025, a Telegram channel called “@EuropolRewards” appeared, claiming to be Europol. It offered rewards of up to $50,000 for information leading to the arrest of Qilin administrators “Haise” and “XORacle.” Europol later confirmed to SecurityWeek that this Telegram channel was a scam and not affiliated with the law enforcement agency.
It remains unclear who was behind this campaign. One theory is that Qilin itself launched it to find out what investigators already knew about their identities so that they can improve their operational security (OPSEC). Another is that rival cybercriminals wanted to expose Qilin admins, potentially to hand the information to law enforcement in the hopes that they are arrested or sanctioned.
In late January 2025, Qilin affiliates (tracked by Sophos as STAC4365) launched a cleverly crafted phishing email campaign posing as authentication alerts for a Managed Service Provider’s ScreenConnect RMM tool.
Victims who clicked the link were redirected to a malicious phishing site that intercepted both login credentials and MFA one-time passwords (OTPs), granting the attackers super-admin access to the MSP's environment.
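The campaign above works because an adversary-in-the-middle phishing page relays the victim's password and OTP in real time, so the resulting session is fully authenticated but originates from the attacker's infrastructure rather than the victim's usual address. One detection angle for defenders is therefore not the MFA step itself but what follows it: a successful MFA login from an address the account has never used, followed within minutes by a privileged role grant from that same address. The script below is an added illustration written for this post; it is not code from the original article, from Sophos, or from any RMM vendor. The JSON event format, the field names (`user`, `event`, `mfa`, `ip`, `role`, `target`), the 30-minute window and the sample events are all constructed assumptions, so adapt the parser to your identity provider's real export.

```python
"""Detect the AitM phishing follow-on: MFA login from a never-before-seen
address, then a super-admin grant from that same address shortly afterwards.

Added example; field names, event schema and sample data are assumptions
constructed for this illustration, not telemetry from the campaign described.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Alice's third login comes from a
# new address and is followed 3.5 minutes later by a super-admin grant from
# that address; Bob escalates from an address he has used before.
SAMPLE_EVENTS = "\n".join([
    '{"ts":"2025-01-27T08:00:00Z","user":"alice","event":"login_success","mfa":true,"ip":"203.0.113.10"}',
    '{"ts":"2025-01-28T08:05:00Z","user":"alice","event":"login_success","mfa":true,"ip":"203.0.113.10"}',
    '{"ts":"2025-01-28T09:00:00Z","user":"bob","event":"login_success","mfa":true,"ip":"203.0.113.22"}',
    '{"ts":"2025-01-29T13:41:00Z","user":"alice","event":"login_success","mfa":true,"ip":"198.51.100.77"}',
    '{"ts":"2025-01-29T13:44:30Z","user":"alice","event":"role_assigned","role":"super_admin","target":"svc-backup","ip":"198.51.100.77"}',
    '{"ts":"2025-01-29T14:00:00Z","user":"bob","event":"login_success","mfa":true,"ip":"203.0.113.22"}',
    '{"ts":"2025-01-29T14:30:00Z","user":"bob","event":"role_assigned","role":"super_admin","target":"carol","ip":"203.0.113.22"}',
])

ESCALATION_WINDOW = timedelta(minutes=30)   # assumed tuning value
PRIVILEGED_ROLES = {"super_admin"}          # roles worth alerting on


def parse_events(text):
    """Parse JSON-lines events into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_aitm_escalation(text):
    """Return alerts for privileged grants that follow a login from a new IP.

    Accounts with no prior login history are not scored: a first-ever login is
    always 'new', so first-seen accounts need a separate rule to avoid noise.
    """
    events = parse_events(text)
    known_ips = defaultdict(set)     # user -> addresses seen on earlier MFA logins
    new_ip_login = {}                # user -> (ts, ip) of the latest unseen-address login
    alerts = []
    for event in events:
        user = event["user"]
        if event["event"] == "login_success" and event.get("mfa"):
            if known_ips[user] and event["ip"] not in known_ips[user]:
                new_ip_login[user] = (event["ts"], event["ip"])
            known_ips[user].add(event["ip"])
        elif event["event"] == "role_assigned" and event.get("role") in PRIVILEGED_ROLES:
            prior = new_ip_login.get(user)
            if prior and prior[1] == event["ip"] and event["ts"] - prior[0] <= ESCALATION_WINDOW:
                alerts.append({
                    "user": user,
                    "ip": event["ip"],
                    "login_ts": prior[0].isoformat(),
                    "escalation_ts": event["ts"].isoformat(),
                    "role": event["role"],
                    "target": event.get("target"),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm_escalation(SAMPLE_EVENTS):
        print("ALERT: possible AitM session replay ->", alert)
```

Run against the constructed sample, only Alice's escalation is reported; Bob's grant comes from an address already in his baseline and is ignored. The heuristic is deliberately narrow (same address for the login and the grant, short window, existing baseline) so that it stays quiet on routine admin work, and the OTP interception itself leaves no signal here because the OTP was genuinely valid. That is the lesson of the campaign: phishable second factors need to be paired with post-authentication monitoring or replaced with origin-bound ones.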
Once inside, the attackers:
Qilin RaaS is unusual and interesting for several reasons. Its affiliates range from state-sponsored North Korean threat actors to members of SCATTERED SPIDER, as well as Devman and Arkana. Healthcare remains a key target, consistent with FIN12’s past focus on hospitals.
Qilin has been absorbing affiliates from disrupted groups like LockBit and ALPHV/BlackCat. And there are signs that its infrastructure is unable to keep up with the volume of attacks conducted by its users. Its administrators are also innovating by expanding through the Qilin Network and introducing legal intimidation tactics via the “call lawyer” feature.
As a result, Qilin represents one of the most dangerous and adaptive RaaS threats active today.
Qilin Data Leak Site:
Qilin Victim Portal:
Qilin Affiliate Portal:
Qilin Clearnet Site:
Mitigating ransomware attacks requires regular reviews of detection systems and system resiliency. Cybercriminals like Qilin affiliates will continue to rely on similar tactics, techniques, and procedures (TTPs).
In the SANS FOR589 class, students learn to:
Sign up for a FOR589 sample on SANS.org or register for FOR589: Cybercrime Investigations now to develop actionable intelligence skills to defend against the most notorious cybercriminals.
Will has revolutionized cyber threat intelligence by co-founding Curated Intelligence and exposing ransomware operations like Black Basta. His expertise in infiltrating dark web communities has advanced how we dismantle cybercriminal networks.
Read more about Will Thomas