The Qilin ransomware group, known in its early stages as Agenda, has rapidly evolved into one of the most prolific and
sophisticated ransomware-as-a-service (RaaS) operations active in 2025. Emerging in mid-2022, Qilin has demonstrated a
consistent capacity for innovative and aggressive extortion techniques.

The group’s ransomware has undergone multiple iterations, moving from Golang to Rust, and now includes advanced
capabilities such as intermittent encryption and ESXi targeting. In parallel with its technical evolution, Qilin has adopted
increasingly aggressive extortion strategies, including legal harassment and reputational coercion; these tactics signal a
shift towards what may be termed ‘quadruple extortion’.

Qilin’s expansion into a fully-fledged RaaS platform in early 2023 marked a turning point in its operational scale. With an
extensively customisable affiliate panel and active recruitment across underground forums, the group has attracted a
capable network of affiliates. This distributed structure has enabled a sharp escalation in activity throughout 2024 and
2025, with Qilin consistently ranking among the most prolific ransomware groups by monthly victim disclosures.

Targeting patterns show a focus on high-value, data-reliant sectors such as healthcare, manufacturing, legal services, and
critical infrastructure. Qilin’s global footprint includes confirmed incidents across North America, Europe, Latin America,
and Asia-Pacific. The group avoids targets in the Commonwealth of Independent States (CIS), a likely indication of a
Russian nexus.
