{
	"id": "8b94a03c-f48a-41e6-9737-9b9497587945",
	"created_at": "2026-04-06T00:15:05.995604Z",
	"updated_at": "2026-04-10T03:29:39.800951Z",
	"deleted_at": null,
	"sha1_hash": "f35239471372e39d1345e884974c27f67fb1aef0",
	"title": "Qilin Ransomware Analysis: Critical TTPs and Defense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89005,
	"plain_text": "Qilin Ransomware Analysis: Critical TTPs and Defense\r\nBy Sıla Özeren Hacıoğlu\r\nPublished: 2025-02-14 · Archived: 2026-04-05 23:50:32 UTC\r\nQilin is a ransomware group that emerged in July 2022 and operates under a Ransomware‑as‑a‑Service (RaaS)\r\nmodel. The group quickly gained notoriety following its high‑profile $50 million ransom demand during an\r\nassault on Synnovis—a leading pathology services provider—which resulted in significant disruptions across key\r\nNHS hospitals in London. Originally an offshoot of the Agenda ransomware (developed in Go), Qilin has evolved\r\ninto a more robust, Rust‑based variant that incorporates advanced techniques in malware construction and\r\nevasion.\r\nIn this blog, we will analyze the tactics, techniques, and procedures (TTPs) of the Qilin ransomware group,\r\nproviding detailed insights into their operational evolution, methods of attack, and the potential defense strategies\r\nthat can help mitigate their impact.\r\nAnalyzing Qilin Ransomware's Advanced Tactics, Techniques, and Procedures\r\n(TTPs)\r\nThis section provides a comprehensive analysis of these TTPs, offering insights into how Qilin Ransomware\r\noperates and the tools they employ.\r\nTA0001: Initial Access Methods\r\nAdversaries operating the Qilin ransomware adopt a multi-pronged strategy to breach target networks, relying on\r\nboth misconfigurations and software vulnerabilities. Their techniques, while tailored to specific environments,\r\necho methods observed in other high-profile ransomware groups, underscoring a broader trend in cyber intrusions.\r\nT1133 External Remote Services\r\nOne common approach of Qilin ransomware operators involves targeting remote access services, particularly\r\nwithin Fortinet devices. In many deployments, organizations run firewall clusters with varied software versions—\r\na practice that can inadvertently leave one or more units exposed to known security flaws. 
Once a FortiGate\r\ndevice is compromised, attackers can exploit its SSL VPN functionality to pivot deeper into the network, often\r\nmoving laterally to failover servers that maintain connectivity even during service disruptions. \r\nAdditionally, brute-force attacks on VPN endpoints are sometimes deployed to gain unauthorized entry, although\r\nattackers typically erase log data post-intrusion, complicating forensic validation of these attempts.\r\nT1190 Exploit Public-Facing Application\r\nTL;DR:\r\nhttps://www.picussecurity.com/resource/blog/qilin-ransomware\r\nPage 1 of 9\n\nExploited CVE: CVE-2023-27532\r\nAffected Product: Veeam Backup \u0026 Replication, Veeam Cloud Connect\r\nDescription: Vulnerability in Veeam Backup \u0026 Replication component allows encrypted credentials stored\r\nin the configuration database to be obtained.\r\nPoC for Exploitation: Publicly Available on GitHub\r\nSolution Builds:\r\n12 (build 12.0.0.1420 P20230223)\r\n11a (build 11.0.1.1261 P20230227)\r\nAnother known initial access vector used by Qilin involves compromising internet-exposed applications. A\r\npertinent example is the exploitation of the CVE-2023-27532 vulnerability in Veeam Backup \u0026 Replication\r\nsoftware. \r\nBy taking advantage of this security flaw, attackers can retrieve encrypted credentials stored within the\r\nconfiguration database, effectively bypassing standard authentication protocols. This technique not only grants\r\naccess to the backup infrastructure but also paves the way for broader network compromise.\r\nTA0002: Execution\r\nT1204.002 – User Execution: Malicious File\r\nUpon gaining access to the network, the ransomware payload is systematically deployed to the C:\\temp directory,\r\nwhere it is stored under the filename w.exe—a commonly observed tactic used to blend in with legitimate system\r\nfiles.\r\nThe ransomware executable is designed to require a specific password, which is passed as a command-line\r\nargument during execution. 
This password is subsequently hashed using the SHA-256 cryptographic algorithm,\r\nand the resulting hash is compared against a pre-defined hash value embedded within the ransomware's\r\nconfiguration. If the hashes match, the ransomware proceeds with its execution; otherwise, it terminates.\r\nAt this point, you might ask: can the password be cracked if it is embedded in the .conf file?\r\nSHA-256 is widely regarded as a robust cryptographic hash function. If the password chosen is sufficiently\r\ncomplex (i.e., has high entropy), then cracking the hash via brute force or dictionary attacks becomes\r\ncomputationally infeasible with current technology. Essentially, the design assumes that any attempt to reverse-engineer or “crack” the hash will be thwarted by the sheer complexity of the password.\r\nAdditionally, the ransomware supports optional command-line arguments that can be utilized to activate or modify\r\nspecific functionalities. \r\nThese arguments may include parameters for customizing encryption routines, defining target directories, enabling\r\npersistence mechanisms, or configuring communication with a command-and-control (C2) server. 
This modular\r\ndesign allows the ransomware to adapt its behavior based on the attacker's objectives, making it more versatile\r\nand potentially more dangerous.\r\nTA0004: Privilege Escalation\r\nT1078.002 Valid Accounts: Domain Accounts\r\nThere are publicly available proofs of concept that demonstrate how to exploit CVE-2023-27532 to gain access to\r\nthe backup server.\r\nWhile these exploits have been successfully demonstrated, there is no confirmed evidence that Qilin operators\r\nhave specifically used the exact exploit linked here.\r\nA Publicly Known Proof of Concept for CVE-2023-27532\r\nT1134 Access Token Manipulation\r\nFollowing its initial execution, the ransomware initiates privilege escalation to achieve SYSTEM-level access, a\r\ncritical step for gaining unrestricted control over the compromised system. This is accomplished through the use\r\nof an embedded Mimikatz module, a well-known tool for credential dumping and token manipulation. The\r\nmodule specifically targets critical Windows processes such as \r\nlsass.exe (Local Security Authority Subsystem Service), \r\nwinlogon.exe (Windows Logon Application), and \r\nwininit.exe (Windows Initialization Process) to extract user tokens. These tokens, which represent the\r\nsecurity context of privileged accounts, are then impersonated or stolen to facilitate the creation of new\r\nprocesses with elevated privileges.\r\nOnce the Qilin ransomware successfully acquires the stolen token, it leverages this elevated security context to\r\nspawn new processes. 
This allows the malware to bypass User Account Control (UAC) and execute\r\nmalicious operations with the highest level of system authority, such as disabling security software, encrypting\r\nfiles across restricted directories, or establishing persistence mechanisms.\r\nIn addition to token manipulation, the Qilin ransomware employs advanced techniques to manipulate symbolic\r\nlinks, a feature of the Windows file system that allows for the redirection of file paths. Specifically, it configures\r\nthe system to resolve symbolic links for both remote and local objects using the following commands:\r\nfsutil behavior set SymlinkEvaluation R2R:1 (enables remote-to-remote symbolic link resolution)\r\nfsutil behavior set SymlinkEvaluation R2L:1 (enables remote-to-local symbolic link resolution)\r\nThis combination of token manipulation and symbolic link exploitation enhances the ransomware's ability to\r\noperate stealthily and extend its reach across networked environments, making detection and mitigation more\r\nchallenging.\r\nTA0005: Defense Evasion\r\nT1070 Indicator Removal\r\nAs part of its defense evasion strategy, the Qilin ransomware employs a multi-phase approach to eliminate\r\nforensic artifacts and evade detection. Prior to initiating the encryption process, it systematically deletes all system\r\nlogs to prevent security tools and analysts from identifying its initial execution and lateral movement. Once the\r\nencryption process is complete, the ransomware further erases all system events, targeting critical logs such as\r\nWindows PowerShell and Windows System logs. This ensures that traces of its malicious activities, including\r\ncommand execution, process creation, and file modifications, are thoroughly obfuscated.\r\nTo maintain persistent stealth, the ransomware operates a separate thread dedicated to periodically cleaning\r\nWindows Event Logs. 
This thread executes a PowerShell command designed to enumerate and clear all event logs\r\nwith recorded entries. \r\nThe command is structured as follows:\r\n\"powershell\" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique )\r\n{[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}\r\nThis script retrieves a list of all event logs with recorded entries (Get-WinEvent -ListLog *), filters them based on\r\ntheir record count, and iteratively clears each log using the EventLogSession.ClearLog method. By leveraging\r\nPowerShell's native capabilities, the ransomware ensures comprehensive log removal while minimizing the risk of\r\ntriggering security alerts associated with the use of external tools.\r\nNote that this technique not only hinders forensic analysis but also disrupts security monitoring systems that rely\r\non event logs for threat detection and incident response. \r\nT1562.001 Impair Defenses: Disable or Modify Tools\r\nWithin the Qilin configuration file, the threat actor can specify substrings or regular expressions for process names\r\nto be terminated, as well as service names to be stopped or denied.\r\nKey configuration parameters include:\r\nprocess_black_list: Substrings of process names targeted for termination.\r\nwin_services_black_list: Substrings/expressions for names of services to be halted or denied.\r\nTA0007: Discovery\r\nT1087.002 Account Discovery: Domain Account\r\nThe ransomware employs a systematic approach to enumerate domain-connected hosts as part of its discovery\r\nphase. \r\nInitially, it executes a PowerShell script designed to query the Active Directory (AD) for a list of all computers\r\njoined to the domain. The script utilizes the Get-ADComputer cmdlet from the ActiveDirectory module, extracting\r\nthe DNSHostName property of each computer object. 
 \r\nThe command is structured as follows:\r\n\"powershell\" -Command \"Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName\"\r\nIf the initial attempt fails—likely due to the absence of the ActiveDirectory module or insufficient permissions—\r\nthe ransomware proceeds to install the RSAT-AD-PowerShell module, a prerequisite for executing Active\r\nDirectory-related cmdlets. \r\nThis is achieved through a series of commands designed to install the necessary tools:\r\n\"powershell\" -Command \"ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'\"\r\nThese commands ensure the installation of the Remote Server Administration Tools (RSAT) for Active Directory,\r\nenabling the ransomware to leverage PowerShell for AD enumeration. Once the module is successfully installed,\r\nthe ransomware retries the initial command to compile the list of domain-connected hosts.\r\nThis multi-step process demonstrates the ransomware's adaptability and persistence in gathering critical\r\ninformation about the target environment. By enumerating domain-connected hosts, the malware can identify\r\npotential targets for lateral movement, privilege escalation, or further exploitation, thereby enhancing its\r\noperational effectiveness within the compromised network.\r\nTA0008: Lateral Movement\r\nT1021.002 Remote Services: SMB/Windows Admin Shares\r\nThe Qilin ransomware exhibits worm-like propagation capabilities across local networks, activated when the -spread\r\ncommand-line argument is supplied. To facilitate this, it embeds a copy of Sysinternals PsExec (version\r\n2.43) within its payload, which it deploys to the %Temp% directory under a randomly generated filename. 
This\r\nensures the tool remains undetected by traditional file-based detection mechanisms.\r\nThe malware begins by performing domain reconnaissance to identify potential targets. It then leverages PsExec\r\nto establish connections to each discovered host using the following command:\r\n%Temp%\\\u003cPSEXEC_NAME\u003e.exe -accepteula \\\\\u003cHOST_IP\u003e -c -f -h -d \u003cLOCKER_PATH\u003e \u003cLOCKER_ARGS\u003e --spread-process\r\nIf user credentials are provided, the command is modified to include authentication details:\r\n%Temp%\\\u003cPSEXEC_NAME\u003e.exe -accepteula \\\\\u003cHOST_IP\u003e -u \u003cUSER_NAME\u003e -p \u003cPASSWORD\u003e -c -f -h -d \u003cLOCKER_PATH\u003e \u003cLOCKER_ARGS\u003e --spread-process\r\nParameters:\r\nPSEXEC_NAME: Randomly generated filename for the embedded PsExec executable.\r\nHOST_IP: IP address of the target host.\r\nUSER_NAME and PASSWORD: Credentials for authenticating to the target host.\r\nLOCKER_PATH: Path to the ransomware executable on the local system.\r\nLOCKER_ARGS: Command-line arguments for launching the ransomware on the remote host.\r\nTo optimize its network propagation, Qilin modifies the Windows registry to increase the number of outstanding\r\nnetwork requests per client. It sets the MaxMpxCt registry parameter to 65535, enabling the malware to maximize\r\nits concurrent connections and accelerate its spread across the network.\r\nIn more advanced scenarios, Qilin extends its propagation capabilities by leveraging VMware vCenter for self-distribution. 
This is triggered using the following command-line argument:\r\n-spread-vcenter \r\nThis allows the ransomware to exploit virtualized environments and further expand its reach.\r\nThis multi-faceted approach to lateral movement and propagation underscores Qilin's sophistication, combining\r\ntraditional tools like PsExec with registry manipulation and virtualization platform exploitation to achieve\r\nwidespread network compromise.\r\nTA0040: Impact\r\nT1490 Inhibit System Recovery\r\nWithin the backup management console, the threat actor performs a series of manual operations to compromise\r\nbackup integrity:\r\nDeletes Tape Backups: Erases physical or virtual tape-based backups, effectively removing an essential\r\noffline data recovery mechanism.\r\nDisables Scheduled Backup Jobs: Prevents future automated backups, ensuring that no new recovery points\r\nare created.\r\nRemoves Backup Jobs: Eliminates existing configurations that could potentially be re-enabled or restored.\r\nIn addition, the malware systematically disrupts the Volume Shadow Copy Service (VSS)—a critical Windows\r\nservice that maintains point-in-time copies of data—by executing the following command sequence:\r\n# Initiates the VSS service if it is not already running.\r\nnet start vss\r\n# Changes the startup mode to manual, reducing its resilience against subsequent commands.\r\nwmic service where name='vss' call ChangeStartMode Manual\r\n# Purges all existing shadow copies without prompting for confirmation, effectively erasing historical backup snapshots.\r\nvssadmin.exe Delete Shadows /all /quiet\r\n# Terminates the VSS service to prevent further operations.\r\nnet stop vss\r\n# Permanently disables the service, ensuring that no new shadow copies can be created.\r\nwmic service where name='vss' call ChangeStartMode Disabled\r\nThis coordinated sequence of actions not only eliminates current backup data but 
also prevents the creation of new\r\nrecovery points, significantly hindering any efforts to restore lost data in the event of a security breach.\r\nT1486 Data Encrypted for Impact\r\nAfter establishing control of the target system, Qilin ransomware initiates a comprehensive encryption process\r\nthat targets both local files (as defined in its configuration) and all network-shared data. The process begins by\r\nencrypting data stored on the host machine as well as any attached drives, including mapped network shares. The\r\nencryption is carried out in multiple streams using one of the following cryptographic algorithms:\r\nAES-256 CTR: Employed when hardware acceleration is available via AES-NI, ensuring efficient\r\nprocessing and robust encryption.\r\nChaCha20: Used as an alternative in environments where AES-NI hardware support is not present,\r\nproviding a high level of security.\r\nTo secure the cryptographic material, the encryption keys, nonces, and additional parameters are encrypted using\r\nRSA-4096 as specified in the configuration. The resulting RSA-encrypted block is appended to the encrypted file,\r\nthereby safeguarding the keys necessary for decryption and making unauthorized recovery extremely challenging.\r\nIn some instances, the ransomware may perform multiple encryption passes on the same file—a strategy referred\r\nto as \"Multipass mode.\" This mode can operate in different configurations, such as \"fast,\" \"per cent,\" and \"normal\"\r\nmodes, further complicating decryption efforts and ensuring that remnants of the original data are thoroughly\r\nobfuscated.\r\nAfter the encryption phase, Qilin ransomware executes a cleanup routine to overwrite free disk space, thereby\r\neliminating any residual data remnants that could potentially aid in recovery attempts. 
This is achieved using the\r\nWindows cipher tool with the command:\r\ncipher /w:\"X:\\\"\r\n(where X: represents the target disk).\r\nAdditionally, the ransomware logs detailed execution data, including the encryption status and process specifics,\r\nproviding a comprehensive record of the attack's progression for potential forensic analysis.\r\nT1529 System Shutdown/Reboot\r\nAs a final disruptive measure, the ransomware initiates a reboot of the backup server following encryption—\r\nhindering recovery efforts. In some incidents, the threat actor has also rebooted VPN servers to further disrupt\r\noperations.\r\nHow Does Picus Help Against Qilin Ransomware Threat Group?\r\nWe also strongly suggest simulating ransomware groups, including Qilin and the rest of the Top 10 Ransomware\r\nGroups of 2025, to test the effectiveness of your security controls against their attacks using the Picus Security\r\nValidation Platform. You can also test your defenses against hundreds of other ransomware variants, such as\r\nPhobos, ALPHV, and LockBit, within minutes with a 14-day free trial of the Picus Platform.\r\nPicus Threat Library includes the following threats for Qilin Ransomware.\r\nThreat ID Threat Name Attack Module\r\n41029 Agenda Ransomware Campaign Variant - 2 Windows Endpoint\r\n55934 Agenda Ransomware Campaign Variant - 1 Windows Endpoint\r\n22877 Qilin Ransomware Download Threat Network Infiltration\r\n90918 Qilin Ransomware Email Threat E-mail Infiltration\r\nDefense Strategies Against Qilin Ransomware Attacks\r\nBelow are four key defense strategies to help mitigate the threat posed by Qilin ransomware attacks:\r\nTimely Patch Management and Vulnerability Mitigation\r\nEnsure all systems—especially those exposed to public networks—are regularly updated. 
Patching vulnerabilities\r\nin commonly targeted applications (e.g., Fortinet devices or Veeam Backup \u0026 Replication software) minimizes\r\nentry points for attackers exploiting known CVEs. This proactive approach reduces the risk of initial access\r\nthrough exploited weaknesses. \r\nDeploy Advanced Endpoint Detection and Response (EDR) Solutions\r\nUse EDR and next-generation antivirus tools that monitor for unusual behaviors—such as unauthorized process\r\nexecution, log clearance, and lateral movement. These solutions can detect the atypical command executions and\r\nprivilege escalation techniques employed by Qilin ransomware, helping to isolate and remediate compromised\r\nendpoints early in the attack chain. \r\nContinuously Test and Validate Security Controls\r\nEnhance your security posture by regularly testing the effectiveness of your prevention and detection controls. Use\r\nBreach and Attack Simulation (BAS) solutions, such as the Picus Security Control Validation (SCV) product, to\r\nsimulate real-world attack scenarios. This continuous validation process reveals control gaps and provides\r\nactionable recommendations, ensuring that your defenses remain robust against evolving threats.\r\nImplement Network Segmentation and a Zero Trust Model\r\nLimit lateral movement by segmenting networks and enforcing strict access controls. With a zero trust approach—\r\nincluding multi-factor authentication and least privilege access—if an endpoint is breached, attackers are confined\r\nto a limited portion of the network. This containment helps prevent the spread of ransomware across critical\r\nsystems. 
 \r\nMaintain Regular, Immutable Offline Backups and an Incident Response Plan\r\nRegularly back up critical data using air-gapped or immutable storage that ransomware cannot alter or delete.\r\nCoupled with a well-practiced incident response plan (including network isolation procedures), this strategy\r\nensures you can restore systems quickly, even if attackers disable local recovery options like Volume Shadow\r\nCopies. \r\nBy integrating these layered defenses, organizations can significantly reduce the risk and potential impact of Qilin\r\nransomware attacks.\r\nConclusion\r\nThe Qilin ransomware group continues to prove its disruptive capability by leveraging advanced techniques—\r\nfrom initial access via vulnerable Fortinet devices and exploitation of public-facing applications, through\r\nmeticulous execution and lateral movement, to the final devastating impact on system recovery and data\r\nencryption.\r\nUnderstanding these detailed techniques is critical for cybersecurity professionals to implement robust defenses\r\nand countermeasures. As ransomware threats evolve, continuous vigilance, proactive monitoring, and\r\ncomprehensive incident response planning are key to protecting critical infrastructure against adversaries like\r\nQilin.\r\nSource: https://www.picussecurity.com/resource/blog/qilin-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.picussecurity.com/resource/blog/qilin-ransomware"
	],
	"report_names": [
		"qilin-ransomware"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434505,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f35239471372e39d1345e884974c27f67fb1aef0.pdf",
		"text": "https://archive.orkl.eu/f35239471372e39d1345e884974c27f67fb1aef0.txt",
		"img": "https://archive.orkl.eu/f35239471372e39d1345e884974c27f67fb1aef0.jpg"
	}
}