The Quiet Weapon: Inside a Qilin Ransomware Attack

Qilin has come a long way since emerging in 2022. This Ransomware-as-a-Service operation has grown into one of the most active and damaging threats facing enterprise organizations today, with a particular focus on healthcare, manufacturing, and education. The disruption it leaves behind is real: delayed surgeries, exposed patient records, halted production lines, and millions of customer records compromised.

Thrive’s Cyber Security Incident Response Team (CIRT) recently completed technical analysis of a current Qilin variant, and what they found raises the bar for what defenders need to be prepared for. A single executable orchestrates the entire attack chain, start to finish, without ever triggering a traditional security alert. This post breaks down how it works, why conventional defenses miss it, and the detection rules you can put to work today.  

An Evolving Ransomware Group 

Qilin, also tracked as Agenda, has operated under a Ransomware-as-a-Service model since 2022. In that time, it grew into one of the most active ransomware groups targeting enterprise environments. Qilin has been attributed to ~14-18% of all ransomware attacks in 2025. Additionally, Qilin had ~30% more victims in 2025 (approx. 958) than its competitor group, Akira (with approx. 717 victims in 2025).  

Qilin’s top targeted sectors include healthcare, manufacturing, and education. Most notably, in early June 2024, Qilin targeted Synnovis, the pathology provider for the UK National Health Service. The attack affected multiple NHS hospitals, delaying blood tests, surgeries, and appointments for patients. The provider also reported that “some of the stolen data did include elements of personal information such as an NHS number, name, or date of birth.”

Another notable Qilin attack occurred in September 2025, when Asahi Group Holdings, a major beverage manufacturer and brewery in Japan, was targeted. The attack disrupted the manufacturer’s order processing system and delayed shipments. According to the manufacturer, personal information about 1.5+ million customers was exposed, including names, dates of birth, physical addresses, and phone numbers.

Primary attack vectors used by Qilin include phishing, backup service vulnerabilities, network device software vulnerabilities, and exposed web applications. In some cases, infostealers or remote monitoring software are used to deploy the malware to a vulnerable host.

Qilin follows a formula that sets it apart from other ransomware groups: it generates a unique per-victim file extension for encrypted files and runs a campaign of emails and phone calls to maximize pressure on victims to pay the ransom. Exfiltration and leaking of stolen files on the dark web are observed in some cases as well.

Thrive’s CIRT has analyzed a variant of the Qilin ransomware. What sets the analyzed variant apart is its scope. This variant’s controller is a single Windows executable that coordinates encryption, destroys recovery options, moves laterally across Windows hosts, and can independently take down ESXi hosts. The whole chain runs without deploying additional executables beyond the initial controller. 

Attack Phases 

The CIRT’s analysis reconstructed the full execution sequence from sandbox detonation and forensic artifacts. Based on the CIRT’s analysis, the attack is conducted in four phases. 

| Phase | Detail |
|---|---|
| Phase 1: Initial Access | The controller requires a command-line password to execute. This is an anti-forensics measure designed to defeat automated sandbox analysis. In the investigated incident, the ransomware registered itself for persistence under a Windows Run key, embedding the password in the registry value. An EDR solution captured the full command line, allowing the CIRT to access the credential needed to detonate the sample safely. |
| Phase 2: Environment Prep | On launch, the controller locks a mutex (preventing duplicate execution), outputs its running configuration, then immediately begins disabling recovery infrastructure. It deletes all Volume Shadow Copies, stops and permanently disables the Volume Shadow Service, enables outbound SMB connections, and runs a PowerShell loop periodically throughout execution to clear all Windows Event Logs. |
| Phase 3: Encryption | File encryption uses a hardware-aware hybrid scheme: AES-CTR mode on systems with AES-NI CPU support, ChaCha20 on systems without. Symmetric key material is wrapped with an embedded RSA public key. The corresponding private key is absent from the binary, making recovery without the attacker’s key infeasible. Encrypted files receive a unique per-victim extension. Ransom notes are then dropped into every affected directory with the filename format “README-RECOVER-[fileExtension]”, where [fileExtension] is the victim-specific extension appended to encrypted files. |
| Phase 4: Lateral Movement | The controller runs two concurrent spread paths. On Windows networks, it uses embedded PsExec resources to stage binaries to admin shares, install a service on remote hosts, and execute the ransomware laterally. No pre-installed PsExec is required. Simultaneously, embedded PowerShell logic uses VMware.PowerCLI and Posh-SSH to authenticate to vCenter, enumerate every ESXi host, enable SSH, upload a payload to /tmp/, disable execution restrictions, and trigger encryption across the entire hypervisor fleet. |

Why Traditional Defenses Miss This 

Every command included in this attack is legitimate. This attack utilizes a technique known as living-off-the-land binaries (LOLBINS). The VSS deletion uses a built-in Windows utility. The PsExec spread uses a signed Sysinternals tool. The VMware compromise uses official PowerShell modules. There is no custom malware binary on the network beyond the controller itself, and the controller only runs once, then hands off to native tooling for everything that follows. 

| Capability | Conventional Ransomware | Qilin Controller |
|---|---|---|
| Detection surface | Custom malware binary triggers EDR signatures | Single controller; subsequent actions use native tools |
| Shadow copy removal | Standalone script or binary | Embedded; runs via cmd.exe as legitimate admin activity |
| Lateral movement | Custom implant or manual credential reuse | Self-contained PsExec resources; no pre-installed tools needed |
| Hypervisor targeting | Separate ESXi payload, manual deployment | Autonomous: vCenter auth → enumerate → upload → execute |
| Event log clearing | Separate cleanup script | Embedded PowerShell loop running throughout execution |

In the Windows environment reviewed, the controller does not appear to disable Microsoft Defender or EDR solutions. However, because it relies on built-in applications, EDR solutions have no malicious file signature to detect. As for anti-forensics countermeasures, the deletion of Volume Shadow Copies and event logs is intended to make forensic investigation more difficult. The controller also supports Windows Safe Mode, so rebooting into Safe Mode would not prevent the ransomware from executing on startup.

Detection: What Works 

The CIRT validated three YARA rules and three Sigma rules against the analyzed ransomware sample. The strongest detection posture comes from correlating events across the chain rather than relying on any single atomic indicator. 

YARA Coverage 

  • Main controller fingerprint: Combines the Qilin family string, unique victim extension marker, ransom note filename pattern, RSA config strings, AES/ChaCha encryption strings, and PsExec/VMware/vCenter strings. Low false-positive rate in triage contexts. 
  • Embedded PsExec resources: Targets Sysinternals artifacts baked into the binary: the service name, service host string, admin-share key path, and Qilin-specific spread arguments. 
  • Ransom note content: Targets victim-facing strings embedded in the controller: the Qilin signature, note filename, encryption warning text, Tor recovery guidance, and leak-site reference. 

Sigma Coverage 

  • Shadow copy deletion and log tampering: Covers vssadmin.exe delete shadows /all /quiet and both fsutil SymlinkEvaluation commands. Converts cleanly to SPL and KQL. 
  • vCenter / ESXi PowerShell spread: Covers VMware.PowerCLI, Posh-SSH, Connect-VIServer, Get-VMHost, Set-SCPItem, TSM-SSH enablement, and the execInstalledOnly bypass command. 
  • PsExec spread and service staging: Covers psexec.exe, psexesvc.exe, the PSEXESVC service name, admin-share key path patterns, and the “–spread-process” argument. 

High-Confidence Correlation Sequence 

While tools like PsExec and PowerCLI have legitimate uses, the following sequence is strongly correlated with Qilin ransomware activity:

  • PowerShell imports VMware.PowerCLI or Posh-SSH on a non-VMware-admin host.
  • This is followed by PsExec / PSEXESVC staging or vssadmin shadow deletion. 
  • Finally, ransom notes are created, and bulk file extension changes are conducted during the encryption process. 
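To make the correlation concrete, here is an added Python example (not code from the post or from Thrive’s CIRT) that runs the atomic matchers listed under Sigma coverage and the three-stage sequence above over constructed telemetry. The host names, the VMware admin allow-list, the 30-minute hop window and the 20-rename threshold are assumptions to tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the post): hosts where PowerCLI/Posh-SSH imports are expected, plus tuning values.
VMWARE_ADMIN_HOSTS = {"MGMT-VC-01"}
WINDOW, BULK_RENAMES = timedelta(minutes=30), 20  # max gap between stages; renames that count as bulk encryption
STAGE1 = re.compile(r"Import-Module\s+(VMware\.PowerCLI|Posh-SSH)", re.I)
STAGE2 = re.compile(r"psexec\.exe|psexesvc\.exe|PSEXESVC|vssadmin(\.exe)?\s+delete\s+shadows|fsutil.*SymlinkEvaluation", re.I)
NOTE = re.compile(r"^README-RECOVER-", re.I)
ts = lambda e: datetime.fromisoformat(e["ts"])

def stage(e):
    """Atomic match: 1 = VMware module import on a non-admin host, 2 = recovery kill / PsExec staging."""
    if e["kind"] != "process": return None
    if STAGE1.search(e["cmd"]) and e["host"] not in VMWARE_ADMIN_HOSTS: return 1
    return 2 if STAGE2.search(e["cmd"]) else None

def encryption_seen(evs, after):
    """Earliest encryption evidence after `after`: a ransom note, or the Nth rename to one new extension."""
    per_ext = defaultdict(int)
    for e in (x for x in evs if ts(x) > after):
        if e["kind"] == "file_create" and NOTE.search(e["path"].rsplit("\\", 1)[-1]):
            return ts(e)
        if e["kind"] == "rename":
            ext = e["new"].rsplit(".", 1)[-1]
            per_ext[ext] += 1
            if per_ext[ext] >= BULK_RENAMES:
                return ts(e)
    return None

def correlate(events):
    """One alert per host where stage 1 -> stage 2 -> encryption occur in order, each hop inside WINDOW."""
    by_host = defaultdict(list)
    for e in sorted(events, key=ts): by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        s1 = next((e for e in evs if stage(e) == 1), None)
        s2 = s1 and next((e for e in evs if stage(e) == 2 and ts(s1) < ts(e) <= ts(s1) + WINDOW), None)
        t3 = s2 and encryption_seen(evs, ts(s2))
        if t3 and t3 <= ts(s2) + WINDOW:
            alerts.append({"host": host, "import": s1["cmd"], "kill": s2["cmd"], "encryption_at": t3.isoformat()})
    return alerts

# Constructed telemetry: WS-FIN-07 shows the full chain; MGMT-VC-01's PowerCLI import is expected there, so no alert.
SAMPLE = [
    {"ts": "2025-09-01T10:00:05", "host": "WS-FIN-07", "kind": "process", "cmd": "powershell.exe -c Import-Module VMware.PowerCLI; Import-Module Posh-SSH"},
    {"ts": "2025-09-01T10:00:41", "host": "WS-FIN-07", "kind": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-09-01T10:03:30", "host": "WS-FIN-07", "kind": "file_create", "path": r"C:\Users\Public\README-RECOVER-k7x2q"},
    {"ts": "2025-09-01T09:00:00", "host": "MGMT-VC-01", "kind": "process", "cmd": "powershell.exe -c Import-Module VMware.PowerCLI"},
] + [{"ts": f"2025-09-01T10:02:{i:02d}", "host": "WS-FIN-07", "kind": "rename", "new": rf"C:\Share\doc{i}.docx.k7x2q"} for i in range(25)]
```

The atomic hits on their own (a shadow-copy deletion in a maintenance window, a PowerCLI import on the management host) never fire; only the ordered chain on one host does.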

What Defenders Must Do Now 

The Qilin controller’s effectiveness comes not from technical sophistication in any single component, but from the combination: anti-forensics at entry, destruction of recovery paths, native-tool lateral movement, and autonomous hypervisor targeting. Defending against it requires closing gaps at each layer. 

  • Block “vssadmin.exe delete shadows /all /quiet” via application control or Defender Attack Surface Reduction rules. This command has no legitimate use in production outside of explicit maintenance windows. It should never run silently. 
  • Restrict PsExec and admin share execution. Audit which systems can run PsExec. Any execution outside of designated jump hosts should trigger an immediate alert. 
  • Segment VMware management infrastructure from Windows endpoints. vCenter credentials should only be accessible from dedicated management hosts. An endpoint workstation should have no network path to vCenter. 
  • Alert on PowerShell importing VMware.PowerCLI or Posh-SSH. Flag any import of these modules on systems that are not designated VMware management hosts. This is a high-fidelity indicator in most environments. 
  • Audit Windows Run keys for –password arguments. The password-protected execution model leaves a consistent persistence artifact. This is detectable before the ransomware executes. 
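The Run-key audit above can be scripted against exported registry output. The following is an added Python example, not code from the post, that parses `reg query`-style text (constructed sample below) and flags Run or RunOnce values whose command line carries a password switch; the post writes the argument as –password, and accepting the one-dash, two-dash and slash spellings is an assumption.

```python
import re
import shlex

# Assumption: the switch is spelled -password / --password / /password (optionally with =value or :value).
PASSWORD_ARG = re.compile(r"^[-/]{1,2}password(?:[=:].*)?$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query <key> /s`-style output: keys flush left, values indented."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name, type, data
        if len(parts) == 3 and key:
            yield key, parts[0], parts[2]

def password_args(data):
    """Return the argument tokens (not the image path) that look like a password switch."""
    try:
        tokens = shlex.split(data, posix=False)  # non-POSIX keeps quoted paths and backslashes intact
    except ValueError:
        tokens = data.split()
    return [t for t in tokens[1:] if PASSWORD_ARG.match(t.strip('"'))]

def audit(text):
    """Flag Run/RunOnce values carrying a password switch; the secret itself is never copied into the finding."""
    findings = []
    for key, name, data in parse_reg_query(text):
        if RUN_KEY.search(key) and password_args(data):
            image = shlex.split(data, posix=False)[0].strip('"')
            findings.append({"key": key, "value": name, "image": image})
    return findings

# Constructed sample output (not from a real system); the UpdateSvc value mimics the persistence artifact described.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    UpdateSvc    REG_SZ    "C:\ProgramData\upd\svc.exe" --password REDACTED-PLACEHOLDER

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""
```

Feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s` (and the HKLM equivalent) collected from endpoints, and raise on any finding.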

Qilin’s controller-driven approach shows that current ransomware no longer needs to rely on “noisy” malware for execution. Qilin underscores the weaponization of trusted, built-in software to cause significant downtime for affected users. By enforcing controls at each “layer” of the ransomware operation, Qilin-style operations can be disrupted before encryption ever takes place.