This is our first edition of Threat Actor Spotlight. We will be publishing this report periodically to share insights into threat actor activity and how it affects insureds and portfolios.
This edition we will look at Qilin, as they have been the most active ransomware group over the past 30 days and during Q3, according to ZeroFox’s Q3 2025 Ransomware Wrap-Up report.
First, a quick look at the bar chart below for the most active threat actors from the past 30 days.

Why should we care about Qilin?
From an insurance / risk perspective, Qilin:
- is one of the most active ransomware actors against state, local, and municipal entities in the U.S. in 2025. (CIS)
- has, in the UK, targeted critical health / pathology providers that serve NHS hospitals, disrupting surgeries and diagnostic services. (S-RM)
High-level details about Qilin
Qilin (previously called Agenda) is a Ransomware-as-a-Service (RaaS) group. In simple terms, Qilin provides the tools, infrastructure, leak site, and support, allowing criminal “affiliates” to carry out attacks. If a victim pays the ransom, it is shared: the affiliate gets most of it and Qilin takes a cut.
Because of this model, Qilin can scale: many affiliates target many organizations across sectors and countries.
- Vulnerabilities exploited: CVE-2021-44228, CVE-2021-34527, CVE-2021-26855, CVE-2019-19781
- Estimated number of victims: 1505

How Qilin Gets In
It is worth looking at how Qilin gains entry, and what organisations can do to harden their defences. Below are the key “initial access” techniques Qilin affiliates use to get into a victim’s systems.
| Method | What It Means in Simple Terms | What Organisations Should Be Alert To |
|---|---|---|
| Phishing / Spear‑phishing campaigns | Attackers send emails that appear legitimate (sometimes customised to the recipient) with links or attachments that quietly install malicious software or trick users into giving up credentials. | Warn users to never click suspicious links or open unexpected attachments. Use email filtering, training, phishing simulations. |
| Exploiting unpatched internet‑facing systems | Some systems are “exposed” to the internet (for example, VPNs, backup systems, firewalls). If they have known software weaknesses (“vulnerabilities”) and the company has not applied patches (updates), attackers can exploit those to break in. | Ensure devices that talk to the internet (VPNs, firewalls, remote access tools) are patched and monitored. Perform regular vulnerability assessments. |
| Using stolen or leaked credentials (“valid accounts”) | Sometimes credentials (usernames/passwords) get leaked or sold on underground markets. Then attackers log in just as if they were the legitimate user. | Encourage (or require) strong passwords, multi-factor authentication (MFA), and proactive credential monitoring (checking for leaks). |
| Remote Desktop / VPN access misconfigurations | Remote access protocols (e.g. RDP, VPN access) are intended to allow legitimate staff to access corporate systems remotely. But if misconfigured, left open, or missing extra security, they become a doorway for attackers. | Use MFA on all remote access, restrict remote access to only necessary systems, monitor and alert for anomalous access, enforce strong session controls. |
| Brute force or credential guessing | Attackers may try many username/password combinations (automatically) until one works, especially on systems exposed to the internet. | Implement account lockouts, rate-limit login attempts, monitor failed login activity. |
| Exploitation of backup / management software | In some known Qilin attacks, backup or replication software (e.g. Veeam) has had weaknesses that let attackers extract credentials or move deeper into a network. (Group-IB) | Ensure backup / management software is updated, credentials encrypted, and monitored. Limit who can access it. |
| Supply-chain / Trojanized software | In one example, a distinct threat actor deployed Qilin by tricking victims into installing trojanised versions of legitimate software, games, or packages (e.g. via social media or development ecosystems). (fieldeffect.com) | Be cautious about software sourced from unverified channels. Use code signing, software whitelisting, and vet supply chains. |
Once inside, Qilin affiliates typically spend time exploring the network, gathering credentials, and escalating their access before installing ransomware or stealing sensitive data.
What You Can Do To Protect Your Business
Here are practical risk-mitigation steps you can take. While no one mitigation is 100% foolproof, adopting multiple security measures can significantly reduce your attack surface against Qilin-style threats.
- Enable Multi-Factor Authentication (MFA): even if a password is compromised, MFA can stop attackers from using stolen credentials. Insist that remote access, VPN, admin accounts, and cloud dashboards all enforce MFA.
  - Without MFA, Qilin has successfully logged into systems using stolen credentials. (Sophos News)
  - Opt for software time-based one-time passwords (TOTP) and hardware-based MFA rather than SMS or push notifications.
- Patch and Update Critical Systems Promptly: many attacks exploit known vulnerabilities for which patches exist but have not been applied. Clients should establish a patch management process and prioritize systems that are exposed to the internet (VPNs, firewalls, backup servers, remote access).
  - Qilin is known to exploit vulnerabilities in edge devices (firewalls, VPNs) and backup/replication software. (Group-IB)
- Limit & Monitor Remote Access
  - Only permit remote access where absolutely necessary
  - Monitor remote login attempts, especially failed ones
  - Disable RDP or VPN access when not needed, or restrict it to specific IP addresses
- Credential Hygiene & Monitoring for Leaked Credentials
  - Use unique, strong passwords for each system (avoid reuse)
  - Use a password manager
  - Use services that monitor for credential leaks so you know if a username or password has appeared in a credential data dump
  - Rotate credentials on high-value accounts periodically
- User Awareness Training: since phishing is a common entry vector:
  - Train users to recognise suspicious emails (unexpected attachments, spelling mistakes, odd requests)
  - Run regular phishing simulations (send safe “test” phishing emails) to test and reinforce awareness
  - Establish clear policies for reporting suspicious emails
- Endpoint & Network Monitoring / Detection Capabilities: while smaller clients may not have full-scale security operations, they should still:
  - Deploy endpoint detection and response (EDR) solutions that alert on unusual behaviour
  - Monitor logins, privilege escalations, and file transfers
  - Consider managed detection & response (MDR) services if possible
- Network Segmentation, Backups & Disaster Recovery Preparation
  - Segment the network so that lateral movement is harder for attackers
  - Maintain offline or air-gapped backups (i.e., backups that cannot be directly accessed from the network)
  - Regularly test backups to ensure they can actually be restored
  - Develop and rehearse an incident response plan
- Talk to Your Cyber Insurer / Underwriter Early
  - Share your security measures proactively
  - Engage in risk assessments
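The “brute force or credential guessing” row in the table above and the “monitor remote login attempts, especially failed ones” bullet both come down to the same detection: counting failed logins per source and per account over a short window, and paying special attention to a success that follows a burst of failures. The script below is an added example written for this report, not code from the original article or from any vendor it cites. The log format (`<ISO timestamp> <OK|FAIL> user=<name> src=<ip>`), the thresholds (5 failures in 10 minutes for brute force, 4 distinct accounts from one source for spraying) and every sample log line are constructed assumptions; a real deployment would parse VPN, RDP or identity-provider logs and tune the thresholds to the environment.

```python
# Added example (not from the original report): flag brute-force and
# password-spray patterns in authentication logs, the "failed login"
# monitoring the mitigation list recommends. Log format, thresholds and
# all sample lines are constructed for this example.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed, simplified format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a brute-force burst that eventually succeeds, a
# low-and-slow spray across several accounts, one benign typo, one junk line.
SAMPLE_LOG = """
2025-10-01T09:00:01 FAIL user=admin src=203.0.113.10
2025-10-01T09:00:05 FAIL user=admin src=203.0.113.10
2025-10-01T09:00:09 FAIL user=admin src=203.0.113.10
2025-10-01T09:00:14 FAIL user=admin src=203.0.113.10
2025-10-01T09:00:20 FAIL user=admin src=203.0.113.10
2025-10-01T09:00:30 FAIL user=admin src=203.0.113.10
2025-10-01T09:00:45 OK user=admin src=203.0.113.10
2025-10-01T09:10:00 FAIL user=alice src=198.51.100.7
2025-10-01T09:11:00 FAIL user=bob src=198.51.100.7
2025-10-01T09:12:00 FAIL user=carol src=198.51.100.7
2025-10-01T09:13:00 FAIL user=dave src=198.51.100.7
2025-10-01T09:14:00 FAIL user=erin src=198.51.100.7
2025-10-01T09:20:00 FAIL user=frank src=192.0.2.5
2025-10-01T09:20:30 OK user=frank src=192.0.2.5
not a log line at all
""".strip().splitlines()


def parse(lines):
    """Turn raw lines into event dicts, sorted by time; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=10),
           fail_threshold=5, spray_user_threshold=4):
    """Return one finding per (source, pattern), evaluated over a sliding window."""
    findings = {}
    fails_by_src = defaultdict(list)

    def recent_fails(src, now):
        return [f for f in fails_by_src[src] if now - f["ts"] <= window]

    for e in events:
        src, now = e["src"], e["ts"]
        if e["result"] == "FAIL":
            fails_by_src[src].append(e)
            per_user = Counter(f["user"] for f in recent_fails(src, now))
            # Many failures against one account from one source: brute force.
            top_user, top_count = per_user.most_common(1)[0]
            if top_count >= fail_threshold:
                findings.setdefault((src, "brute_force"), {
                    "kind": "brute_force", "src": src,
                    "users": [top_user], "failures": top_count})
            # A few failures each across many accounts: password spraying,
            # which per-account lockout alone does not catch.
            if len(per_user) >= spray_user_threshold:
                findings.setdefault((src, "password_spray"), {
                    "kind": "password_spray", "src": src,
                    "users": sorted(per_user), "failures": sum(per_user.values())})
        else:
            # A success right after a burst of failures on the same account is
            # the event worth paging on: the guessing may have worked.
            prior = [f for f in recent_fails(src, now) if f["user"] == e["user"]]
            if len(prior) >= fail_threshold:
                findings.setdefault((src, "success_after_failures"), {
                    "kind": "success_after_failures", "src": src,
                    "users": [e["user"]], "failures": len(prior)})
    return list(findings.values())


def run(lines=SAMPLE_LOG):
    """Parse and detect in one step; returns the list of findings."""
    return detect(parse(lines))


if __name__ == "__main__":
    for f in run():
        print(f"{f['kind']:24} src={f['src']:15} "
              f"users={','.join(f['users'])} failures={f['failures']}")
```

Run as written it reports three findings: a brute-force burst and a subsequent successful login from 203.0.113.10, and a password spray from 198.51.100.7; the single mistyped password from 192.0.2.5 is ignored. The spray check is the one most easily missed: per-account lockout thresholds, recommended in the table, never trigger when each account only sees one or two attempts, so the count has to be kept per source as well.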
Key Takeaways
- Qilin is a modern, sophisticated ransomware operation using double extortion, meaning they both encrypt data and threaten to leak the data they have stolen.
- It operates via a RaaS model, which means many attackers have access to its toolkit, increasing its frequency and reach.
- Its initial access methods are phishing, exploiting weak remote access, using stolen credentials, and exploiting unpatched systems, meaning many organisations are vulnerable today.
- The consequences are not just technical: reputational harm, regulatory fines, exposure of sensitive data, and operational downtime make this a serious business risk.
- Being knowledgeable about high-risk threat actors like Qilin helps you play a role in defending your organisation from compromise.