Qilin (Agenda) Ransomware: Indicators of Compromise, Victims & Defense

fingerprintDossier

Active since: 2022
Origin / attribution: Russia-linked RaaS
Known aliases: Agenda, Qilin.B
Common initial access: Phishing, purchased initial access, ScreenConnect and VPN flaws
TTPs & tradecraft: Rust-based encryptor, ESXi + Windows variants, configurable per-affiliate; aggressive data-leak blog.
Notes: Responsible for the 2024 Synnovis attack that disrupted UK NHS pathology services.

publicTop countries hit

United States633

France80

Canada74

United Kingdom60

Germany53

Italy49

Spain47

Japan34

factoryTop sectors targeted

Not Found543

Manufacturing202

Technology143

Healthcare135

Business Services108

Financial Services78

Construction67

Transportation/Logistics54

historyRecent named victims

The Great Cookie

Agriculture and Food Production · 19 Apr 2026

Nanometrics

US · Technology · 19 Apr 2026

Henley

GB · Not Found · 19 Apr 2026

HS Technology Group

Technology · 18 Apr 2026

HBX Group

SG · Not Found · 17 Apr 2026

Clearwater Marine Aquarium

US · Consumer Services · 15 Apr 2026

Limkon

Not Found · 15 Apr 2026

Gruppo ICM SPA

IT · Not Found · 15 Apr 2026

Herth+Buss

DE · Manufacturing · 13 Apr 2026

Després Mécanique Mobile

FR · Business Services · 13 Apr 2026

J Brand

US · Consumer Services · 13 Apr 2026

PGDIS.PAPETIQUE PRO

Manufacturing · 13 Apr 2026

Alternativa de Moda SAS

CO · Consumer Services · 13 Apr 2026

Frutcola Olmué

CL · Agriculture and Food Production · 13 Apr 2026

Basalt Dentistry

Healthcare · 13 Apr 2026

Sourced from open leak-site monitoring · Generated 20 Apr 2026

shield_lockQilin (Agenda) defense checklist

check_circleEnforce phishing-resistant MFA on every VPN, remote desktop, email, and SaaS admin account.

check_circlePatch perimeter gear (VPN, firewall, file-transfer, hypervisor) within 72 hours of vendor advisories.

check_circleSegment ESXi management from domain accounts; disable vSphere SSH unless in use.

check_circleTier admin credentials — no shared local-admin, rotate break-glass accounts monthly.

check_circleDeploy EDR across servers & DCs; alert on Rclone, WinSCP, MegaCmd, and suspicious PowerShell.

check_circleImmutable, offline backups tested quarterly with measured RTO/RPO.

check_circleBlock outbound on unused ports; restrict egress to vetted CDNs and update servers.

check_circleHunt for dropped vulnerable drivers used to kill EDR (BYOVD patterns).

check_circleRun an annual tabletop modelled on Qilin (Agenda)'s latest playbook.

check_circleHave an IR retainer identified before you need it.

Worried Qilin (Agenda) will land on you?

We run focused VAPT, ransomware-readiness reviews, and purple-team exercises tuned to the playbook this crew actually uses.

Book a scope call