When Huntress analysts investigated a Qilin ransomware attack with limited post-infection visibility, they demonstrated how meticulous forensic analysis can reconstruct a complex attack chain from minimal data. Their investigation, described as having “pinhole” visibility, revealed rogue ScreenConnect access, failed information stealer attempts, and the precise ransomware execution path [1]. This case exemplifies how security teams can overcome limited logging to uncover critical attack details through correlation of multiple data sources.
The Qilin ransomware operation (formerly known as Agenda) has evolved since its 2022 emergence into one of the most prolific Ransomware-as-a-Service (RaaS) threats targeting healthcare, manufacturing, and increasingly small-to-medium-sized businesses [2]. Operating with a sophisticated affiliate model that offers 80-85% profit sharing, Qilin provides attackers with customizable ransomware binaries and infrastructure in exchange for a cut of ransom payments [2]. Recent developments show Qilin affiliates collaborating with groups like Scattered Spider and exploiting critical Fortinet vulnerabilities CVE-2024-21762 and CVE-2024-55591 to gain initial access [3].
## Reconstructing the Attack Chain from Limited Data
The Huntress investigation began with a single compromised endpoint where traditional security monitoring provided limited visibility into the full attack progression. By correlating Windows Event Logs, PCA logs, and AmCache.hve artifacts, analysts identified a rogue ScreenConnect instance with the IP address 94.156.232[.]40 and instance ID 63bbb3bfea4e2eea [1]. This remote access tool served as the primary persistence mechanism and conduit for transferring additional attack tools including `r.ps1`, `s.exe`, and `ss.exe` to the compromised system. The investigation revealed that while initial intrusion attempts included information stealer deployment, the main ransomware payload was ultimately deployed remotely against network shares rather than directly on the initially compromised endpoint.
This reconstruction methodology proves particularly valuable when facing sophisticated adversaries who employ log deletion techniques. Qilin ransomware includes self-deletion capabilities using commands like `cmd.exe /C timeout /T 10 & del <process path>` and attempts to clear Windows event logs [2]. The correlation of multiple data sources becomes essential when individual log streams are incomplete or partially destroyed during the attack lifecycle.
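The correlation described above, as an added example that is not Huntress's own tooling: three artefact sources (Event ID 7045 service-installation records, PCA launch entries, and simplified AmCache rows) are joined to surface a ScreenConnect instance whose ID is not on an approved list, then to list the binaries that first appeared on the host shortly after it was installed. All input records are constructed; the instance ID and the `r.ps1`/`s.exe`/`ss.exe` names come from the write-up, while the timestamps, paths, the `APPROVED_INSTANCES` set, the `PcaAppLaunchDic.txt`-style `path|timestamp` line format and the two-hour window are assumptions.

```python
"""Correlate Windows Event Log, PCA and AmCache artefacts to find a rogue
ScreenConnect instance and the tools delivered through it (added example)."""
import re
from datetime import datetime, timedelta

# The ScreenConnect client installs under a folder named after its instance ID:
#   ...\ScreenConnect Client (<instance id>)\ScreenConnect.ClientService.exe
SC_PATH = re.compile(r"ScreenConnect Client \(([0-9a-f]{16})\)", re.IGNORECASE)

# Constructed: Event ID 7045 (new service installed) records from System.evtx
EVENT_LOG = [
    {"event_id": 7045, "time": "2025-03-02 01:14:09",
     "service": "ScreenConnect Client (63bbb3bfea4e2eea)",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (63bbb3bfea4e2eea)\ScreenConnect.ClientService.exe"},
    {"event_id": 7045, "time": "2025-02-10 09:00:00",
     "service": "ScreenConnect Client (1111aaaa2222bbbb)",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (1111aaaa2222bbbb)\ScreenConnect.ClientService.exe"},
]

# Constructed: lines in the style of PcaAppLaunchDic.txt ("<path>|<timestamp>")
PCA_LAUNCH = """\
C:\\Program Files (x86)\\ScreenConnect Client (63bbb3bfea4e2eea)\\ScreenConnect.WindowsClient.exe|2025-03-02 01:14:30.112
C:\\Users\\Public\\s.exe|2025-03-02 01:21:45.301
C:\\Users\\Public\\ss.exe|2025-03-02 01:23:10.880
C:\\Windows\\System32\\notepad.exe|2025-03-01 17:02:00.000
"""

# Constructed: simplified AmCache.hve InventoryApplicationFile rows
AMCACHE = [
    {"path": r"C:\Users\Public\s.exe", "sha1": "CONSTRUCTED_SHA1_S", "first_seen": "2025-03-02 01:21:40"},
    {"path": r"C:\Users\Public\ss.exe", "sha1": "CONSTRUCTED_SHA1_SS", "first_seen": "2025-03-02 01:23:05"},
    {"path": r"C:\Users\Public\r.ps1", "sha1": "CONSTRUCTED_SHA1_R", "first_seen": "2025-03-02 01:20:55"},
]

# Constructed: the organisation's own, sanctioned ScreenConnect instance
APPROVED_INSTANCES = {"1111aaaa2222bbbb"}


def find_rogue_instances(event_log, approved):
    """Return [(instance_id, install_time, image)] for ScreenConnect services
    whose instance ID is not on the approved list."""
    rogue = []
    for rec in event_log:
        if rec["event_id"] != 7045:
            continue
        m = SC_PATH.search(rec["image"])
        if m and m.group(1).lower() not in approved:
            when = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
            rogue.append((m.group(1).lower(), when, rec["image"]))
    return rogue


def parse_pca(text):
    """Parse 'path|timestamp' launch lines into [(path, datetime)]."""
    entries = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        path, ts = line.rsplit("|", 1)
        entries.append((path, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")))
    return entries


def tools_after(install_time, pca, amcache, window=timedelta(hours=2)):
    """Binaries first seen (AmCache) or launched (PCA) within `window` after the
    rogue install, excluding the ScreenConnect client itself. Earliest sighting
    from either source wins, so the result is ordered by first appearance."""
    seen = {}
    for path, ts in pca:
        if SC_PATH.search(path):
            continue
        if install_time <= ts <= install_time + window:
            seen[path] = min(ts, seen.get(path, ts))
    for row in amcache:
        ts = datetime.strptime(row["first_seen"], "%Y-%m-%d %H:%M:%S")
        if install_time <= ts <= install_time + window:
            seen[row["path"]] = min(ts, seen.get(row["path"], ts))
    return sorted(seen.items(), key=lambda kv: kv[1])


def reconstruct(event_log=EVENT_LOG, pca_text=PCA_LAUNCH, amcache=AMCACHE,
                approved=APPROVED_INSTANCES):
    """Build the pinhole timeline: rogue instances plus the tools that followed."""
    rogue = find_rogue_instances(event_log, approved)
    pca = parse_pca(pca_text)
    return {inst: tools_after(when, pca, amcache) for inst, when, _ in rogue}


if __name__ == "__main__":
    for inst, tools in reconstruct().items():
        print(f"rogue ScreenConnect instance {inst}")
        for path, ts in tools:
            print(f"  {ts}  {path}")
```

The earlier-of-two-sources rule matters in practice: PCA records a launch, AmCache records the file's first inventory, and whichever fires first is the tightest bound on when the tool arrived. The `notepad.exe` entry is outside the window and is dropped, which is the point of anchoring the search on the rogue install time rather than scanning every launch.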
## Qilin’s Technical Capabilities and Attack Flow
Qilin operates through a comprehensive attack chain that begins with initial access through compromised VPN credentials or rogue RMM software installation. Cisco Talos investigations detail how attackers use password-protected folders containing credential theft toolkits including Mimikatz, NirSoft utilities, and custom scripts like `!light.bat` that enable WDigest credential caching via registry modification [4]. The batch file executes SharpDecryptPwd to harvest saved credentials from applications including WinSCP, FileZilla, Chrome, and TeamViewer, with stolen data formatted and exfiltrated via SMTP using a VBScript (`pars.vbs`) encoded in windows-1251 Cyrillic encoding [4].
Lateral movement typically employs embedded, signed copies of PsExec contained within the ransomware binary itself, along with RDP enablement through registry modifications and open network share creation [4]. For defense evasion, Qilin affiliates use open-source tools like dark-kill and HRSword to disable Endpoint Detection and Response (EDR) solutions by loading kernel drivers. Talos researchers observed heavily obfuscated PowerShell scripts that, when decoded, disable AMSI and TLS certificate validation and enable Restricted Admin mode for RDP [4]. The ransomware also includes a destructive embedded PowerShell script that interacts with vCenter to disable HA/DRS, reset ESXi root passwords, enable SSH, and upload and execute the ransomware payload on all hypervisors.
## Exfiltration and Encryption Techniques
Data exfiltration precedes encryption in Qilin attacks, with Talos identifying the use of Cyberduck, an open-source file transfer client, to move data to cloud storage services like Backblaze [4]. Cyberduck history files showed configurations for split/multipart uploads of large files, while attackers used mspaint.exe and notepad.exe to manually review and select sensitive information before exfiltration. WinRAR compresses stolen data using commands like `WinRAR.exe a -ep1 -scul -r0` to create archives without recursively processing subdirectories [4].
The encryption phase employs a cross-platform encryptor written in Rust or Golang that uses AES-NI if supported, otherwise falling back to ChaCha20 [2]. Pre-encryption activities include terminating a blacklist of security and backup-related processes/services via dedicated threads, deleting Volume Shadow Copies using `vssadmin.exe delete shadows /all /quiet`, and optionally rebooting into Safe Mode to bypass security software. Post-encryption, Qilin changes desktop wallpapers using the SystemParametersInfoW API, enumerates printers via PowerShell `Get-Printer` to print ransom notes to physical devices, and attempts log deletion and self-deletion [2].
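The command lines quoted in the two paragraphs above (shadow-copy deletion, the `timeout ... & del` self-deletion, `Get-Printer` enumeration, and the WinRAR staging switches) are the kind of thing a process-creation rule set catches. As an added example, not from any of the cited reports, the block below runs a small set of such rules over constructed Sysmon-style process-creation records and then correlates hits by parent image, so a single parent that both deletes shadow copies and later self-deletes is raised as a pre-encryption chain. The `wevtutil cl` and `bcdedit ... safeboot` patterns are assumed forms of the log-clearing and Safe Mode behaviour the page describes; the records, paths and the `enc.exe` name are constructed.

```python
"""Process-creation rules for the Qilin pre/post-encryption behaviours named on
the page, plus a parent-image correlation step (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# (rule name, compiled pattern) applied to the command line of each event.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("self_deletion",        re.compile(r"timeout\s+/t\s+\d+\s*&\s*del\s+", re.I)),
    ("event_log_clearing",   re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),   # assumed form
    ("safe_mode_boot",       re.compile(r"bcdedit(\.exe)?\s+.*safeboot", re.I)),  # assumed form
    ("printer_enumeration",  re.compile(r"\bGet-Printer\b", re.I)),
    ("archive_staging",      re.compile(r"winrar(\.exe)?\s+a\s+.*-r0\b", re.I)),
]

# Constructed Sysmon Event ID 1-style records (time, image, command line, parent image)
PROCESS_EVENTS = [
    {"time": "2025-03-02 01:40:00", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r"WinRAR.exe a -ep1 -scul -r0 C:\Users\Public\out.rar D:\Finance",
     "parent": r"C:\Windows\explorer.exe"},
    {"time": "2025-03-02 02:01:12", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\Public\enc.exe"},
    {"time": "2025-03-02 02:01:15", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -Command Get-Printer",
     "parent": r"C:\Users\Public\enc.exe"},
    {"time": "2025-03-02 02:05:40", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /C timeout /T 10 & del C:\Users\Public\enc.exe",
     "parent": r"C:\Users\Public\enc.exe"},
    # Benign look-alikes that must not fire
    {"time": "2025-03-02 08:00:00", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows", "parent": r"C:\Windows\System32\cmd.exe"},
    {"time": "2025-03-02 08:00:05", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -Command Get-Process", "parent": r"C:\Windows\explorer.exe"},
]


def match_rules(event):
    """Names of every rule whose pattern appears in the event's command line."""
    return [name for name, pat in RULES if pat.search(event["cmd"])]


def scan(events):
    """Flatten events into (time, rule, parent, cmd) hits, in time order."""
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in match_rules(ev):
            hits.append((datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S"),
                         rule, ev["parent"], ev["cmd"]))
    return hits


def pre_encryption_chains(events, max_minutes=30):
    """Parents that deleted shadow copies and then self-deleted (or cleared logs)
    within `max_minutes`: a stronger signal than either rule alone."""
    by_parent = defaultdict(list)
    for when, rule, parent, _ in scan(events):
        by_parent[parent].append((when, rule))
    chains = []
    for parent, hits in by_parent.items():
        starts = [w for w, r in hits if r == "shadow_copy_deletion"]
        ends = [w for w, r in hits if r in ("self_deletion", "event_log_clearing")]
        if any(0 <= (e - s).total_seconds() <= max_minutes * 60
               for s in starts for e in ends):
            chains.append(parent)
    return sorted(chains)


if __name__ == "__main__":
    for when, rule, parent, cmd in scan(PROCESS_EVENTS):
        print(f"{when}  {rule:22}  parent={parent}  cmd={cmd}")
    print("pre-encryption chains:", pre_encryption_chains(PROCESS_EVENTS))
```

The chain rule is deliberately keyed on the parent image rather than on the child, because the encryptor is the process that spawns `vssadmin.exe` and `cmd.exe`; the children are legitimate Windows binaries and would never be blocked on their own.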
## Evolution and Recent TTP Developments
The Qilin threat continues to evolve with significant developments observed throughout 2024-2025. While known for high-profile healthcare attacks like the 2024 Synnovis breach, S-RM intelligence indicates that most Qilin victims are now small-to-medium-sized businesses in the construction, healthcare, and finance sectors [3]. The group has expanded its extortion channels beyond Tor leak sites to include Telegram and public sites like WikiLeaksV2 to increase pressure on victims. The Qilin.B variant, first observed in 2024, features enhanced encryption and defense evasion capabilities with more robust service termination and self-deletion features [4].
Perhaps the most notable development is Qilin’s collaboration with other threat groups, particularly Scattered Spider affiliates who have been observed deploying Qilin’s RaaS platform [3]. This collaboration between cybercrime organizations complicates attribution and combines different expertise. The ransomware service now includes a “Call Lawyer” feature that gives affiliates access to legal counsel to help negotiate ransoms by informing victims of the potential regulatory fines and costs resulting from data breaches [3].
## Defense and Mitigation Strategies
Effective defense against Qilin requires a layered security approach focusing on the specific Tactics, Techniques, and Procedures (TTPs) observed across multiple investigations. Securing initial access vectors begins with enforcing multi-factor authentication on all VPN, RMM, and critical access points, coupled with prompt patching of VPN appliances and public-facing services. Endpoint hardening should include application control/allowlisting to block unauthorized executables like PsExec, enforcement of the principle of least privilege, and prohibition of default and shared administrative credentials.
Credential protection requires ensuring WDigest credential caching remains disabled, directly countering the attacker’s `!light.bat` script that enables this feature. Network segmentation should isolate critical infrastructure like VMware vCenter/ESXi management interfaces and domain controllers to limit lateral movement. Robust monitoring with EDR/XDR solutions should alert on behavior such as VSS deletion, mass file renames, and security service termination, while frequent, immutable, and offline backups with tested restoration procedures provide resilience against encryption. Organizations should also monitor for large, unusual outbound data transfers, particularly to cloud storage providers using tools like Cyberduck.
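The last recommendation above, watching for large and unusual outbound transfers to cloud storage, is easy to state and easy to get wrong with a fixed byte threshold alone. As an added example (not from any of the cited sources), the block below scores each host's outbound volume for a given day against the median of its own earlier days and flags the host only when the day is both above an absolute floor and a multiple of its baseline, noting whether any destination that day is a known cloud-storage domain. The flow summaries, host names, the `5x`/`1 GB` thresholds and the Backblaze domain suffixes are constructed assumptions; Backblaze itself is the service the page names.

```python
"""Baseline-relative egress alerting over per-host daily flow totals (added example)."""
from collections import defaultdict
from statistics import median

# Constructed/illustrative: domains that indicate an upload to the storage
# service named on the page. A real deployment would maintain this list.
CLOUD_STORAGE_SUFFIXES = ("backblazeb2.com", "backblaze.com")

# Constructed flow summaries: (host, day, destination, bytes_out)
FLOWS = [
    ("WS-07", "2025-03-01", "update.vendor.example", 42_000_000),
    ("WS-07", "2025-03-02", "mail.corp.example",     38_000_000),
    ("WS-07", "2025-03-03", "update.vendor.example", 45_000_000),
    ("WS-07", "2025-03-04", "mail.corp.example",     40_000_000),
    ("WS-07", "2025-03-05", "f003.backblazeb2.com",  9_400_000_000),
    ("WS-02", "2025-03-01", "mail.corp.example",     60_000_000),
    ("WS-02", "2025-03-02", "mail.corp.example",     65_000_000),
    ("WS-02", "2025-03-03", "mail.corp.example",     62_000_000),
    ("WS-02", "2025-03-04", "mail.corp.example",     68_000_000),
    ("WS-02", "2025-03-05", "mail.corp.example",     70_000_000),
]


def daily_totals(flows):
    """Return ({host: {day: bytes}}, {host: {day: set(dst)}})."""
    totals = defaultdict(lambda: defaultdict(int))
    dsts = defaultdict(lambda: defaultdict(set))
    for host, day, dst, nbytes in flows:
        totals[host][day] += nbytes
        dsts[host][day].add(dst)
    return totals, dsts


def flag_egress(flows, day, ratio=5.0, min_bytes=1_000_000_000):
    """Hosts whose outbound bytes on `day` are >= min_bytes and >= ratio times the
    median of their earlier days. Hosts with no history are skipped rather than
    compared against an empty baseline."""
    totals, dsts = daily_totals(flows)
    alerts = []
    for host, per_day in totals.items():
        today = per_day.get(day, 0)
        history = [v for d, v in per_day.items() if d < day]
        if not history:
            continue
        baseline = median(history)
        if today >= min_bytes and today >= ratio * baseline:
            to_cloud = any(d.endswith(CLOUD_STORAGE_SUFFIXES) for d in dsts[host][day])
            alerts.append({"host": host, "bytes": today,
                           "baseline": baseline, "cloud_storage": to_cloud})
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for a in flag_egress(FLOWS, "2025-03-05"):
        print(f"{a['host']}: {a['bytes']/1e9:.1f} GB out "
              f"(baseline {a['baseline']/1e6:.0f} MB/day, cloud storage={a['cloud_storage']})")
```

Both conditions are needed: the ratio alone would fire on a quiet host that sends its first 200 MB backup, and the floor alone would miss a busy file server that doubles its normal output to an unfamiliar bucket. The `cloud_storage` flag is carried as context for the analyst rather than as a gate, since Cyberduck also speaks SFTP and S3-compatible endpoints that no suffix list will cover.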

| Indicator | Type | Description / Source |
|---|---|---|
| 94.156.232[.]40 | IP Address | Rogue ScreenConnect C2 Server (Huntress) |
| 63bbb3bfea4e2eea | String | Rogue ScreenConnect Instance ID (Huntress) |
| af9925161d84ef49e8fbbb08c3d276b49d391fd997d272fe1bf81f8c0b200ba1 | SHA256 | s.exe (Infostealer) (Huntress) |
| 194.165.16[.]13 | IP Address | Probable Exfiltration Server (Darktrace) |
| 93.115.25[.]139 | IP Address | C2 Server, likely SystemBC (Darktrace) |
| 91.238.181[.]230 | IP Address | C2 Server, likely Cobalt Strike (Darktrace) |
| a157496.exe, 83b87b2.exe | Filename | Suspicious executables (Darktrace) |
| README-RECOVER-<extension>.txt | Filename Pattern | Qilin Ransom Note (Multiple Sources) |
The Huntress investigation demonstrates that even with limited visibility, determined analysis can reconstruct sophisticated ransomware attacks. By correlating multiple data sources including Windows Event Logs, PCA logs, and AmCache.hve, security teams can identify critical attack components like rogue RMM software, tool transfer patterns, and execution methods. As Qilin continues to evolve through collaborations with groups like Scattered Spider, exploitation of new vulnerabilities, and innovative extortion tactics, organizations must maintain proactive, multi-layered security postures that focus on securing initial access vectors, hardening identities and endpoints, and maintaining comprehensive visibility to detect and respond to these complex attacks.
## References
1. Huntress, “Piecing Together the Puzzle: A Qilin Ransomware Investigation,” Huntress Blog, 2025. [Online]. Available: https://www.huntress.com/blog/piecing-together-the-puzzle-a-qilin-ransomware-investigation
2. “Refined Research Data: The Qilin Ransomware Ecosystem,” Consolidated Threat Intelligence Report, 2025.
3. S-RM, “Qilin Ransomware: Evolving Tactics and Growing SMB Focus,” S-RM Cybersecurity Intelligence, 2025. [Online]. Available: https://www.s-rminform.com/insights/cyber-security/qilin-ransomware-evolving-tactics
4. Cisco Talos, “Qilin Ransomware: Multi-Case TTP Analysis and Defense Recommendations,” Talos Intelligence, 2025. [Online]. Available: https://blog.talosintelligence.com/qilin-ransomware-ttp-analysis/