Qilin: Top Ransomware Threat to SLTTs in Q2 2025
By: The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team
Published August 27, 2025
In Quarter 2 (Q2) of 2025, Qilin became the most active ransomware targeting U.S. State, Local, Tribal, and Territorial (SLTT) government entities, with nearly a quarter of all reported incidents attributed to its operation. The group's mature operation and high attack tempo make it a near-term threat to U.S. SLTTs: network-wide encryption causes significant disruption and a costly recovery, and Qilin attacks carry a high likelihood of data theft. Qilin pressures U.S. SLTTs with ransom demands as high as half a million dollars in exchange for a decryption key and a "promise" not to publish the stolen data.
This blog post provides a threat actor profile, reviews the U.S. SLTT impact, and covers reported attack techniques and resources to help organizations prevent and respond to ransomware incidents from actors like Qilin.
Who Is Qilin?
Qilin, also known as “Agenda,” is a double extortion Ransomware-as-a-Service (RaaS) group first observed in 2022, per Bleeping Computer. Double extortion means that in addition to encrypting data and holding the decryption key for ransom, threat actors also steal data and threaten to sell or release it as an additional form of leverage against victims. As reported by Sophos, Qilin operates a data leak site on both Tor and the open internet, where it names and shames victims to apply additional pressure in extracting a ransom. RaaS means that the Qilin operation has a core group of cybercriminals who develop and advertise their tools and infrastructure to other cybercriminals to conduct attacks. The cybercriminals signing up for the service are known as affiliates. Qilin affiliates reportedly earn up to 80–85% of the ransoms extracted while kicking the other 15–20% up to the group’s leadership.
In Q2 2025, Qilin replaced RansomHub as the most active ransomware targeting U.S. SLTTs, its share of ransomware incidents reported to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) rising from 9% in Q1 to 24% in Q2. This is a significant development because RansomHub had been the leading ransomware for the previous three quarters. Open-source reporting from GBHackers, The Hacker News, and Qualys indicates that many former RansomHub affiliates moved to the Qilin RaaS operation after RansomHub suddenly went inactive in April, helping make Qilin one of the top ransomware threats across all sectors.
Qilin's Impact to U.S. SLTTs
Between December 2023 and June 30, 2025, MS-ISAC members reported 29 Qilin ransomware incidents affecting U.S. SLTTs, and 55% of those incidents were reported in Q2 2025 alone. This timeline shows how quickly Qilin moved from a background threat to the most prolific ransomware targeting public organizations. The MS-ISAC observed a wide range of U.S. SLTT victims, including municipal governments, county governments, education (both K-12 and higher education), healthcare, and emergency services (e.g., law enforcement).
One of the U.S. SLTT incidents reported to the MS-ISAC started with a phishing email containing a malicious link. After gaining initial access, the adversary compromised a user account that had a weak password and unnecessary administrative privileges. The attackers then created new admin accounts, which they used to deploy the ransomware and encrypt data network-wide. The ransom demand in this incident was $500,000; the victim refused to pay.
The CIS Cyber Incident Response Team (CIRT) completed an incident response case with a U.S. SLTT impacted by Qilin ransomware. The entity reported all their servers were encrypted, and a ransom note from Qilin informed them that their sensitive information would be placed on its data leak blog. Further details from this incident response case will be made available to MS-ISAC members.
In other incidents reported to the MS-ISAC, Qilin threat actors claimed to exfiltrate up to 500 GB of data in their double extortion attacks, including sensitive information such as personally identifiable information (PII) and financial data.
Tactics, Techniques, and Procedures of the RaaS Group
Since Qilin is a RaaS offering, affiliate tactics, techniques, and procedures (TTPs) are likely to vary across incidents. That said, SOCRadar reports that the initial access vectors Qilin affiliates most commonly use are phishing, exploitation of public-facing applications, and external remote services such as Remote Desktop Protocol (RDP). An April 2025 phishing incident analyzed by Sophos involved a fake ScreenConnect alert sent to a managed service provider (MSP); ScreenConnect is the remote monitoring and management (RMM) tool the MSP used to administer its customers. The attackers phished the MSP's ScreenConnect administrative credentials, gained access to the MSP environment, and then used that foothold to launch downstream ransomware attacks on the MSP's customers.
According to threat intelligence company PRODAFT, on June 5, 2025, "Threat actors [were] actively exploiting FortiGate vulnerabilities (CVE-2024-21762, CVE-2024-55591, and others) to deploy Qilin ransomware." Additionally, incident response firm OP Innovate assesses with high confidence that threat actors tied to Qilin infrastructure exploited CVE-2025-31324, a vulnerability in SAP NetWeaver Visual Composer, before the vulnerability was made public. The vulnerability carries a CVSS score of 10.0 because it is trivially exploitable and its impact is total; attackers typically use it to upload web shells, which then serve as the foothold for the rest of the intrusion.
Post-access Qilin TTPs are also likely to vary by affiliate, but according to Cybereason, the RaaS offering provides affiliates a robust affiliate panel, malicious infrastructure, and ransomware binaries written in Rust and C. In the OP Innovate report, researchers explained that Qilin threat actors are known to use Cobalt Strike for post-exploitation. In separate reporting, cybersecurity company Trend Micro observed the group using the SmokeLoader malware and a .NET compiled loader called NETXLOADER. Sophos observed Qilin affiliates using built-in and open-source Windows tooling for lateral movement and remote execution, including PsExec, NetExec (an open-source tool hosted on GitHub), and WinRM. Sophos also reported Qilin using WinRAR to collect and compress files before exfiltrating them via easyupload[.]io.
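As an added example (not part of the CIS post and not a published Qilin detection), the following Python correlates two of the behaviors described above: the new admin accounts created in the SLTT incident described earlier, and WinRAR collection followed by contact with easyupload[.]io. It runs over a handful of constructed Windows Security (4720, 4732, 4688) and Sysmon (event 22, DNS query) records normalized the way a SIEM would present them. The event IDs and field names are the real Windows and Sysmon ones; the sample records, the one-hour and two-hour correlation windows, the archiver list, and the file-sharing host list are assumptions for illustration.

```python
"""Added example: correlate Windows Security and Sysmon events for two Qilin-style
behaviours, new admin accounts created after initial access, and WinRAR staging
followed by a DNS lookup of a file-sharing host used for exfiltration."""
from datetime import datetime, timedelta

# Constructed sample records (not from any real incident), normalized the way a
# SIEM would present Windows Security 4720/4732/4688 and Sysmon event 22 fields.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T02:10:05", "event_id": 4720, "SubjectUserName": "jdoe",
     "TargetUserName": "svc_backup2", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"ts": "2025-06-01T02:11:40", "event_id": 4732, "SubjectUserName": "jdoe",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-2-3-1105"},
    {"ts": "2025-06-01T02:30:00", "event_id": 4688, "SubjectUserName": "svc_backup2",
     "NewProcessName": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -m5 C:\Temp\hr.rar \\fs01\hr'},
    {"ts": "2025-06-01T02:41:12", "event_id": 22,
     "Image": r"C:\Windows\System32\curl.exe", "QueryName": "easyupload.io"},
    # Benign noise: the help desk creates an ordinary user with no group change.
    {"ts": "2025-06-01T09:00:00", "event_id": 4720, "SubjectUserName": "helpdesk",
     "TargetUserName": "new.hire", "TargetSid": "S-1-5-21-1-2-3-1106"},
]

# Assumed archiver list; extend to whatever collection tooling you see in practice.
ARCHIVERS = {"winrar.exe", "rar.exe", "7z.exe"}
# Hosts to treat as exfiltration channels; easyupload.io is the one the post names.
FILE_SHARING_HOSTS = {"easyupload.io"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def new_admin_accounts(events, window=timedelta(hours=1)):
    """Return (new_account, creator, created_at) for each 4720 whose SID lands in the
    local Administrators group (4732) within `window`. Correlating on SID rather than
    name survives the account being renamed between the two events."""
    created = {e["TargetSid"]: e for e in events if e["event_id"] == 4720}
    hits = []
    for e in events:
        if e["event_id"] != 4732 or e.get("TargetUserName") != "Administrators":
            continue
        c = created.get(e.get("MemberSid"))
        if c is not None and timedelta(0) <= _ts(e) - _ts(c) <= window:
            hits.append((c["TargetUserName"], c["SubjectUserName"], c["ts"]))
    return hits


def staging_then_exfil(events, window=timedelta(hours=2)):
    """Return (archive_command_line, queried_host, querying_image) for each archiver
    launch (4688) followed within `window` by a Sysmon 22 DNS query for a
    file-sharing host."""
    archives = [e for e in events if e["event_id"] == 4688
                and e["NewProcessName"].rsplit("\\", 1)[-1].lower() in ARCHIVERS]
    hits = []
    for q in events:
        if q["event_id"] != 22:
            continue
        host = q["QueryName"].lower().rstrip(".")
        if not any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            continue
        for a in archives:
            if timedelta(0) <= _ts(q) - _ts(a) <= window:
                hits.append((a["CommandLine"], host, q["Image"]))
    return hits


if __name__ == "__main__":
    for acct, creator, when in new_admin_accounts(SAMPLE_EVENTS):
        print(f"[ALERT] {creator} created {acct} at {when} and made it a local admin")
    for cmd, host, image in staging_then_exfil(SAMPLE_EVENTS):
        print(f"[ALERT] archive staging '{cmd}' followed by {image} resolving {host}")
```

Both detections depend on logging that is not on by default: event 4688 only carries a command line when the "Include command line in process creation events" policy is enabled, and Sysmon event 22 requires a DNS query rule in the Sysmon configuration. Additions to domain groups surface as 4728 (global) and 4756 (universal) rather than 4732, so a production rule should match those as well, and the file-sharing host list should be treated as a starting point rather than a complete one.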
Collective Defense Against RaaS Groups Like Qilin
To augment your defense against Qilin, join the MS-ISAC as a paid member. MS-ISAC members received early reporting on the Qilin ransomware threat at the time of its emergence, including in a Quarterly Threat Report and on the Monthly Membership Call. Additionally, MS-ISAC members regularly receive more detailed reports tailored for U.S. SLTT network defense operators and decision-makers, including specific incident response findings and indicators of compromise. This information is intended to provide actionable threat intelligence that directly supports proactive defense and informed decision making.
Ready to bolster your ransomware defenses with the CIS CTI team supporting you?
As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.