The average cost of a healthcare data breach reached $10.1 million in 2024, the highest of any industry for the 14th consecutive year, according to the IBM Cost of a Data Breach Report. It’s likely that the number climbed even higher in 2025 — and sophisticated Ransomware-as-a-Service (RaaS) groups like Qilin are the reason.
Formerly known as Agenda, Qilin has pivoted its operations to focus on high-stakes targets in the medical and public health sectors. This year, Qilin has emerged as a primary threat to healthcare infrastructure due to its adoption of the Rust programming language for its encryption payloads.
The group gained global notoriety following the 2024 attack on Synnovis, which severely disrupted pathology services for the National Health Service (NHS). Qilin’s strategy relies on double extortion, where sensitive patient data is exfiltrated before encryption to provide the attackers with additional leverage during negotiations.
Below, we’ve got an overview of Qilin’s tactics. If you’ve lost data due to a ransomware incident, we’re here to help: Datarecovery.com provides ransomware disaster recovery services for organizations of all sizes, including healthcare providers. Call 1-800-237-4200 or submit a case online to get started.
Technical Analysis: Qilin Attack Vectors and Techniques
Qilin’s transition from Go (Golang) to Rust provides the bad actors with a significant technical advantage.
Rust is a memory-safe language that offers high performance and easier cross-platform compilation, allowing the ransomware to target Windows, Linux, and VMware ESXi environments with the same codebase. The current “Qilin.B” variant uses a combination of AES-256-CTR and ChaCha20 encryption.
To maximize speed and avoid detection by endpoint detection and response (EDR) systems, the ransomware employs intermittent encryption, where it encrypts only every few blocks of data rather than the entire file. Intermittent encryption tends to be good news for data recovery teams, but the nature of the targeted data certainly matters.
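The practical effect of intermittent encryption is that large stretches of an affected file are still plaintext. The following is an added example, not code from the original article or from Datarecovery.com’s own tooling: it scans a file in fixed-size blocks, flags the high-entropy blocks as encrypted, and reports how much plaintext remains. The 4 KiB block size and 7.5 bits/byte threshold are assumptions for illustration, and the sample file is constructed in the script itself.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 4096      # assumed granularity; a real sample's chunking differs
HIGH_ENTROPY = 7.5     # bits/byte; 4 KiB of ciphertext scores ~7.95, text ~4.5

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_blocks(data: bytes, block_size: int = BLOCK_SIZE,
                    threshold: float = HIGH_ENTROPY):
    """Return (offset, entropy, looks_encrypted) for each block of the file.
    Compressed formats (zip, jpeg, pdf streams) are high-entropy too, so
    check the original file type before trusting the verdict."""
    result = []
    for off in range(0, len(data), block_size):
        ent = shannon_entropy(data[off:off + block_size])
        result.append((off, round(ent, 2), ent >= threshold))
    return result

def plaintext_ratio(data: bytes, **kw) -> float:
    """Fraction of blocks that still look like plaintext, i.e. recoverable."""
    blocks = classify_blocks(data, **kw)
    if not blocks:
        return 0.0
    return sum(1 for _, _, enc in blocks if not enc) / len(blocks)

def build_sample(n_blocks: int = 8, every: int = 2, seed: int = 1234) -> bytes:
    """Constructed sample: a repeated plaintext record, with every `every`-th
    block replaced by pseudo-random bytes to mimic intermittent encryption."""
    rng = random.Random(seed)
    record = b"PATIENT RECORD 0001 | DOB 1970-01-01 | DX: CONSTRUCTED SAMPLE\n"
    text = (record * 80)[:BLOCK_SIZE]
    out = bytearray()
    for i in range(n_blocks):
        if i % every == every - 1:
            out += bytes(rng.randrange(256) for _ in range(BLOCK_SIZE))
        else:
            out += text
    return bytes(out)

if __name__ == "__main__":
    sample = build_sample()
    for off, ent, enc in classify_blocks(sample):
        print(f"{off:>8}  {ent:5.2f}  {'ENCRYPTED' if enc else 'plaintext'}")
    print(f"recoverable plaintext: {plaintext_ratio(sample):.0%}")
```

On a real incident, run the scan against a copy of the file, never the original, and compare the recovered plaintext blocks against a known-good backup before reusing them.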
The group’s primary attack vectors often involve the exploitation of vulnerabilities in edge-facing hardware and remote access services:
- Credential Harvesting: Qilin affiliates frequently use specialized infostealers to extract credentials from browsers.
- Vulnerability Exploitation: The group targets unpatched vulnerabilities in VPNs and firewalls, such as those documented in CISA’s advisory on Qilin tactics.
- Living-off-the-Land (LotL): Once initial access is gained, the attackers use legitimate administrative tools like PowerShell and PsExec to deploy the ransomware payload and disable backup services.
What to Do if You Suspect a Qilin Infection
If your organization experiences a sudden loss of file access or discovers unauthorized administrative activity, immediate action is required to prevent further spread.
Common indicators of a Qilin infection include:
- File Extensions: Encrypted files are typically appended with a randomized alpha-numeric extension (e.g., .MmXReVIxLV) or, in some cases, the .qilin extension.
- Ransom Note: Look for a text file named [ID]_readme.txt or RECOVER-[ID]-FILES.txt. The note usually contains a link to a Tor-based victim portal and may include threats to release patient data on the Qilin leak site if the demand is not met.
- System Indicators: Qilin systematically deletes Volume Shadow Copies and clears Windows Event Logs to hinder local forensic analysis.
If these indicators are present, isolate the affected systems by disconnecting them from the network — do not shut them down. Contact us immediately at 1-800-237-4200. Attempting to use free decryptors or unverified tools can lead to permanent data corruption, especially when dealing with the complex RAID and server architectures common in healthcare environments.
Expert Qilin Ransomware Recovery Services
Datarecovery.com provides specialized incident response and data restoration for organizations targeted by Qilin. We understand the urgency of healthcare recovery and offer a comprehensive approach to restoring clinical operations. Our capabilities include:
- Secure Laboratory Recovery: We utilize proprietary tools to reconstruct encrypted virtual machine disks and complex databases.
- Sanitized Restoration: We ensure that recovered data is free of malware and persistence mechanisms before it is reintroduced to your environment.
- Forensic Analysis: Our team helps identify the point of entry to prevent a secondary attack.
Call 1-800-237-4200 or fill out our online form to speak with a ransomware specialist and begin a free evaluation of your case.