Threat Bulletin: Qilin (aka Agenda) Ransomware – Evidence & TTPs



by Billy Austin



Overview

Qilin (also tracked as Agenda) is an active ransomware-as-a-service operation impacting both SMB and Enterprise environments. Recent campaigns demonstrate a mature, configuration-driven encryptor designed to maximize operational disruption by disabling recovery mechanisms, enumerating network-accessible data, and encrypting files at scale.

Static Analysis & Variant Context

Qilin represents a class of modern enterprise ransomware that prioritizes reliability and speed over heavy obfuscation. Observed variants commonly leverage embedded configuration data, standardized Tor-based negotiation workflows, and pre-encryption disruption of backup, database, and messaging services.

Absence of Script-Based Tradecraft (Key Differentiator)

Notably, static string inspection did not reveal embedded references to PowerShell, CMD, or common recovery-tampering utilities such as vssadmin or wbadmin. Because the sample is unpacked (see the entropy evidence below), this absence is a meaningful signal rather than an artifact of packing: it suggests Qilin performs pre-encryption disruption through direct Windows API calls (service control, volume shadow copy interfaces) rather than spawning shells, which leaves fewer command-line artifacts for process-creation telemetry to catch. The practical consequence for defenders is twofold: detections keyed on vssadmin/wbadmin command lines will not fire for this payload, and the analyzed binary should be treated as a late-stage encryptor rather than an initial access or lateral movement component.

Evidence of Analysis

1 – Entropy Profile: Unpacked Binary Indicator

The entropy distribution across executable sections shows moderate and consistent entropy levels, and the analysis tooling flagged every major section as not packed. This differs from many contemporary ransomware families that rely on aggressive packing or runtime unpacking, and it aligns with Qilin variants that embed configuration data directly within the executable. Practically, an unpacked binary means its strings, imports, and configuration are visible to static tooling, which is why the string-based YARA rule below is viable without running the sample.

2 – Import Structure: Cryptographic, Service, and Network Capability

The import table references advapi32.dll, netapi32.dll, mpr.dll, and bcrypt.dll (these are load-time imports resolved by the Windows loader, not statically linked code). Together they cover the capabilities commonly used during pre-encryption preparation: service control and privilege manipulation (advapi32), network resource and share enumeration over SMB (mpr, netapi32), and cryptographic key generation via CNG (bcrypt). Note that a visible import table is itself an artifact of the unpacked build; packed or API-hashing variants would hide these names.

3 – Hex-Level Evidence: Negotiation Infrastructure

Hex-level inspection of the binary reveals an embedded Tor (.onion) address used for victim negotiation. Extortion infrastructure present in plaintext is high-confidence evidence of ransomware functionality obtainable without executing the sample, and it matches the standardized Tor-based negotiation workflow described above. One caveat: an onion address on its own evidences the negotiation channel, not data theft, so the double-extortion characterization rests on the family's known practice rather than on this artifact alone.
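Pulling the negotiation address out of a binary is a job for a targeted regex rather than a generic strings pass, because ransomware commonly stores such text as UTF-16LE (what YARA calls "wide") as well as ASCII. The following is an added example, not code from the bulletin or from Kaseya: it matches the Tor v3 hostname shape (56 base32 characters followed by .onion) in both encodings and reports the file offset of each hit. The sample address and the byte fragment it is planted in are constructed for the example and are not a real Qilin indicator.

```python
import re

# Tor v3 hidden-service hostnames: 56 base32 chars (a-z, 2-7) followed by ".onion".
ONION_ASCII = re.compile(rb"(?<![a-z2-7])([a-z2-7]{56})\.onion\b")
# The same hostname stored as UTF-16LE ("wide" in YARA terms): each char followed by a NUL.
ONION_WIDE = re.compile(rb"(?:[a-z2-7]\x00){56}\.\x00o\x00n\x00i\x00o\x00n\x00")

def find_onion_addresses(blob: bytes) -> list:
    """Return (offset, encoding, hostname) for every v3 .onion address in raw bytes."""
    hits = []
    for m in ONION_ASCII.finditer(blob):
        hits.append((m.start(), "ascii", m.group(0).decode("ascii")))
    for m in ONION_WIDE.finditer(blob):
        hits.append((m.start(), "wide", m.group(0).decode("utf-16-le")))
    return sorted(hits)

# Constructed stand-in hostname; this is NOT a real Qilin negotiation address.
SAMPLE_ONION = ("qilinbulletinexample" * 3)[:56] + ".onion"

def build_sample_blob() -> bytes:
    """Constructed binary fragment: an ASCII URL, then the same host as a wide string."""
    filler = b"\x00" * 16 + b"\xcc" * 8
    return (filler + b"http://" + SAMPLE_ONION.encode("ascii") + b"/login\x00"
            + filler + SAMPLE_ONION.encode("utf-16-le") + b"\x00\x00" + filler)

if __name__ == "__main__":
    for off, enc, host in find_onion_addresses(build_sample_blob()):
        print(f"{off:#06x} {enc:5} {host}")
```

The offsets returned are what you would then open in a hex editor to confirm surrounding context (for example a ransom-note template or a JSON config value). Legacy 16-character v2 addresses are deliberately not matched; add a second pattern if older samples are in scope.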

Encryption Characteristics

Indicators suggest a hybrid encryption design: a fast symmetric cipher for file content, with the per-file or per-victim symmetric keys wrapped by an embedded RSA public key (consistent with the PEM markers and the public_rsa_pem configuration field referenced in the YARA rule below). The practical consequence is that the public key in the binary is useless for recovery; decryption requires the operator-held private key, so defensive value lies in prevention and early detection rather than in analyzing the encryptor after the fact.

Detection Guidance

Static Detection Example (YARA) – Option A (recommended baseline):

rule Ransomware_Qilin_Agenda_Static_Artifacts_v1
{
    meta:
        description = "Qilin/Agenda ransomware - tighter static detection using note + Tor + RSA + config-like markers"
        author = "Kaseya Labs / Billy Austin"
        date = "2026-02"
        confidence = "medium-high"

    strings:
        // Ransom note marker observed in sample
        $note = "README-RECOVER-.txt" ascii wide

        // Negotiation infrastructure pattern
        $onion = ".onion" ascii wide

        // Crypto indicator (embedded PEM marker)
        $rsa1 = "BEGIN RSA PUBLIC KEY" ascii
        $rsa2 = "BEGIN PUBLIC KEY" ascii

        // Config-like JSON markers (schema indicators)
        $json1 = "\"public_rsa_pem\"" ascii
        $json2 = "\"company_id\"" ascii
        $json3 = "\"process_black_list\"" ascii
        $json4 = "\"win_services_black_list\"" ascii

        // Optional incident-scoping marker (enable for a single victim/cluster)
        // $victim = "MmXReVIxLV" ascii wide

    condition:
        uint16(0) == 0x5A4D and
        $note and $onion and
        1 of ($rsa*) and 2 of ($json*)
        // and $victim // Uncomment to scope to a specific victim/cluster
}

Notes: The rule requires straight ASCII quotes (curly quotes will not compile) and wildcard set references ($rsa*, $json*) in the "N of" clauses. The optional $victim string can be enabled for incident scoping (e.g., a single victim extension/company_id); leave it commented for broader family-level coverage. Before deploying, confirm the $note literal against your own sample: if the note filename stores the victim extension inside it rather than the bare "README-RECOVER-.txt" form, loosen the literal to the common prefix or use a regex. Because the MZ check and the PEM/JSON markers are generic, the $note and $onion strings carry most of the precision; test the rule against a clean software corpus to measure false positives before alerting on it.

MITRE ATT&CK Mapping Summary

T1486 – Data Encrypted for Impact
T1490 – Inhibit System Recovery
T1083 – File and Directory Discovery
T1027 – Obfuscated Files or Information (note: the analyzed sample is unpacked and its configuration markers appear in plaintext, so this mapping is weakly supported by the evidence above and should be confirmed per sample)

Why This Matters

Qilin illustrates how modern ransomware blends operational disruption with efficient encryption and standardized extortion workflows. The combination of unpacked structure, direct API usage, and embedded negotiation infrastructure provides defenders with multiple opportunities to identify and disrupt ransomware activity prior to widespread encryption.

Kaseya Coverage

Both Datto EDR and RocketCyber include coverage for these artifacts.

Billy Austin

VP, Security Solutions

Billy Austin brings more than 30 years of security expertise to Kaseya, through the acquisition of the RocketCyber SOC where he served as President & Co-founder. 



Previously, Mr. Austin was the co-founder of iScan Online, acquired by LogicNow / SolarWinds. Prior to both successful startup ventures, Mr. Austin spent over a decade as the Chief Security Officer in the vulnerability management industry. Prior to the latest software startups, he founded the cellular intercept binary system used to detect and decipher conversations for the intelligence community. 



He is a frequent speaker on the topics of exploits, threats and attacks with a history of developing successful security startup technologies. Mr. Austin holds an Applied Science degree from Mountain View College and was a contributing author to the SANS/FBI Top 10 exploits and vulnerabilities.