Origins and Background
Qilin — also tracked as Agenda — emerged in mid-2022 as a RaaS operation with an unusually technical profile for an early-stage group. Their initial ransomware payload was written in Go, designed for cross-platform deployment against both Windows servers and Linux/VMware ESXi environments. A Rust rewrite followed within 18 months, improving execution speed and evasion characteristics.
Unlike larger operations such as LockBit or RansomHub, Qilin operated with a relatively small affiliate network through most of 2023 and early 2024, maintaining tight control over affiliate quality and target selection. The group advertised on Russian-language cybercrime forums under terms that required affiliates to demonstrate existing access capability — they were not recruiting opportunistic actors but experienced network intrusion specialists.
The operation gained significant global attention in June 2024 with an attack that had consequences far beyond a typical enterprise ransomware incident.
The Synnovis Attack
On 3 June 2024, Qilin affiliates deployed ransomware against Synnovis, a pathology services provider that processes blood tests and transfusions for NHS England, including King’s College Hospital, Guy’s and St Thomas’ NHS Foundation Trust, and a network of South East London GP practices.
The attack was not aimed at a hospital network directly — Synnovis is a joint venture between SYNLAB and NHS trusts that handles laboratory analysis for the NHS. Encrypting its systems didn’t just take down an IT environment. It disrupted the entire blood testing and transfusion service across a major section of the NHS.
The consequences were documented extensively: thousands of operations and appointments postponed, blood transfusion services severely disrupted, a public appeal for blood donors, and an NHS England major incident declaration. The British Library had been attacked by Rhysida in October 2023. The Royal Mail by LockBit. But Synnovis demonstrated a different category of impact — not just corporate disruption but patient care at scale.
Qilin published approximately 400GB of patient data, including blood test results and patient details. No ransom was paid.
The Chrome Credential Innovation
What made the Synnovis attack technically notable — beyond its scale of impact — was a technique discovered by Sophos incident responders in the aftermath: Qilin had deployed a custom script that harvested saved credentials from Chrome browser profiles on infected endpoints before the encryption phase began.
The script was distributed via Group Policy to domain-joined machines, ran at logon, and wrote harvested credentials from %LocalAppData%\Google\Chrome\User Data\Default\Login Data (Chrome’s SQLite credential store) to a shared network location for collection. Session cookies were extracted alongside plaintext passwords.
This is technically straightforward — Chrome’s credential database is accessible to any process running as the logged-in user, and there are no secrets protecting the file itself beyond the Windows DPAPI encryption that wraps stored credentials. Any malware with user-level access can read it. What was notable was the operational deployment at scale before encryption, as a deliberate intelligence-collection phase, not just credential cleanup.
The implication: Qilin victims should assume that every saved browser credential in their environment was collected and is being actively used or sold, in addition to whatever data was exfiltrated for double-extortion purposes.
Technical Profile
Ransomware Capabilities
Qilin’s Rust variant includes:
- ESXi targeting: native Linux binary capable of encrypting virtual machine disk files (
.vmdk,.vmem,.vmsn,.vmsd) and stopping running VMs before encryption - Configurable file extension targeting: affiliates can tune which file types are encrypted and which are skipped
- Shadow copy deletion: standard anti-recovery measure on Windows targets
- Self-deletion: payload removes itself after execution to complicate forensics
- Intermittent encryption: partial file encryption option for faster deployment against very large file stores
The cross-platform capability is significant. Many ransomware operations have a strong Windows focus and treat ESXi targeting as a secondary capability. Qilin’s ESXi module is mature and has been used in multiple confirmed attacks.
Initial Access Patterns
Affiliate intrusion methods have varied across confirmed incidents, but the dominant patterns are:
- Exploitation of internet-facing VPN appliances and remote desktop infrastructure
- Phishing leading to credential capture and VPN access
- Purchase of pre-existing access from initial access brokers
- Exploitation of unpatched vulnerabilities in edge devices (F5, Citrix, Fortinet appliances have all appeared in incidents attributed to Qilin affiliates)
The group has shown willingness to conduct patient dwell time — establishing access and moving laterally over days or weeks before deploying ransomware, maximising their understanding of the target environment.
Affiliate Economics
Qilin operates a standard double-extortion model: encrypt and exfiltrate, then demand ransom with the threat of data publication on their Tor leak site. Their affiliate commission terms have been reported at 80/20 (80% to affiliates, 20% to operators) — competitive but not exceptional.
The group does not have a known “no hospitals” policy. The Synnovis attack was not an accident or a case of affiliate non-compliance with a stated policy — it was deliberate targeting of health infrastructure.
2025-2026 Activity
Qilin has maintained consistent activity through 2025 and into 2026, with confirmed incidents across healthcare, manufacturing, legal services, and financial institutions in Europe, North America, and the Asia-Pacific region. Victim volume has increased, suggesting either affiliate network growth or more aggressive targeting thresholds.
The group’s connection to The Gentlemen — a newer RaaS operation that has grown rapidly — is through a former Qilin affiliate who founded the latter group after a dispute over commission terms. This pattern of RaaS talent mobility means TTPs observed in Qilin campaigns may appear in related operations, and vice versa.
Detection and Defence
Key controls for organisations concerned about Qilin:
Credential hygiene: Implement policies preventing browsers from saving corporate credentials. Enterprise password managers should replace browser credential stores entirely. The Chrome harvesting technique is effective precisely because credential hygiene in most organisations is poor.
ESXi hardening: Restrict administrative access to ESXi hosts to a dedicated management network; enable lockdown mode to prevent direct SSH access; maintain offline backups of VM configurations and critical VMs that are not accessible from domain-joined systems.
VPN and remote access: Apply patches for all internet-facing remote access infrastructure promptly — this is consistently the most common initial access vector across all ransomware affiliates. Enable MFA on all VPN and RDP access without exception.
Endpoint detection for Group Policy abuse: Monitor for unusual Group Policy objects being created, especially those containing scripts or PowerShell that reference credential files, local AppData paths, or network shares. GPO creation outside of normal change windows should generate an alert.
Qilin is not a declining group looking for a final payday. They are technically capable, actively recruiting, and willing to target healthcare infrastructure. The Synnovis attack demonstrated what that combination looks like at scale.