🇷🇺 Qilin

Threat-actor battle card · maintained from public sources · last updated 2026-06-22 · also known as Agenda

CategoryRansomware-as-a-Service

AttributionRussia-affiliated (Russian-speaking operators)

First seenJuly 2022 (as Agenda; rebranded Qilin Sept 2022)

StatusActive

Rank#2

Recent victims · last ~9d19

All-time victims1947

Primary targetsHealthcare, Manufacturing, Professional services

Overview

Qilin (formerly Agenda) is a financially motivated Ransomware-as-a-Service operation first seen in July 2022 and operating as RaaS since February 2023. Affiliate recruitment on Russian-language forums and a hard rule against hitting CIS/former-Soviet targets place its operators in Russia or former-Soviet territory. It has held the #1 spot on the ransomware leaderboard for five straight months and out-posts the bottom 50 groups combined — currently 546 claimed victims YTD 2026 (335 over the trailing three months).

Tradecraft

• Double-extortion: exfiltrate, then encrypt; leak on a dedicated leak site (DLS).
• Affiliates keep ~80–85% of proceeds (operator takes 15–20%).
• Spear-phishing of the C-suite for initial access; harvesting of Chrome credentials and VPN credentials.
• Windows Subsystem for Linux (WSL) abuse to evade endpoint detection.

Notable recent victims

• Covenant Health (US healthcare) — 478,188 affected, ~850 GB leaked
• Isuzu Motors (Thailand) — automotive manufacturing
• Central Florida Cosmetic & Family Dentistry (US healthcare)

Assessment

The pace-setter of the current landscape — persistent, well-tooled, healthcare-heavy, and the source of splinter groups (see The Gentlemen). No sign of deceleration into 2026.

Sources

• HHS Health Sector Threat Profile — Qilin
• Check Point — Qilin (Agenda) Deep Dive
• SANS — The Evolution of Qilin RaaS
• SOCRadar — Dark Web Profile: Qilin

🗂️ Attacks & victims

All disclosed victims attributed to this actor, newest first.

June 2026

Jun 25 ISOPLUS Qilin Ransomware · unknown · Greece 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed today · Sources: ransomware.live

Jun 24 Cash Canada Qilin Ransomware · unknown · Canada 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 1d ago · Sources: ransomware.live

Jun 23 Lee International Qilin Ransomware · unknown · South Korea 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 2d ago · Sources: ransomware.live DLS

Jun 22 Schumacher Homes Qilin Ransomware · unknown · United States 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 3d ago · Sources: ransomware.live DLS

Jun 22 Central Bank of Libya Qilin Ransomware · unknown · Libya 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 3d ago · Sources: ransomware.live DLS

Jun 21 Taiwan Sintong Machinery Co., Ltd Qilin Ransomware · unknown · Taiwan 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 4d ago · Sources: ransomware.live DLS

Jun 21 Sivatel Bangkok Qilin Ransomware · unknown · Thailand 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 4d ago · Sources: ransomware.live DLS

Jun 21 Tri-tec Qilin Ransomware · unknown · United States 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 4d ago · Sources: ransomware.live DLS

Jun 21 Florida Engineering Services Qilin Ransomware · unknown · United States 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 4d ago · Sources: ransomware.live DLS

Jun 20 Central Florida Cosmetic & Family Dentistry Qilin Ransomware · healthcare · US 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 5d ago · Sources: ransomware.live DLS

Jun 20 Pacific Lamp & Supply Qilin Ransomware · unknown · United States 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 5d ago · Sources: ransomware.live DLS

Jun 19 Roth Industries Qilin Ransomware · unknown · Germany 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 6d ago · Sources: ransomware.live DLS

Jun 19 Sparkle Pools Qilin Ransomware · unknown · United States 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 6d ago · Sources: ransomware.live DLS

Jun 19 PJ Daly Contracting Qilin Ransomware · unknown · Ireland 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 6d ago · Sources: ransomware.live DLS

Jun 19 Commune d'Eyguires Qilin Ransomware · unknown · France 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 6d ago · Sources: ransomware.live DLS

Jun 18 THL PROJECT MANAGEMENT SDN. BHD. Qilin Ransomware · unknown · Malaysia 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 7d ago · Sources: ransomware.live DLS

Jun 18 Homes By J Anthony Qilin Ransomware · unknown · United States 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 7d ago · Sources: ransomware.live DLS

Jun 18 ATCOM Outsourcing Qilin Ransomware · unknown · Chile 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 7d ago · Sources: ransomware.live DLS

Jun 18 Skupina Don Don - GRUPO BIMBO Qilin Ransomware · unknown · Slovenia 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 7d ago · Sources: ransomware.live DLS

Jun 18 Makel Companies Group Qilin Ransomware · unknown · Turkey 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 7d ago · Sources: ransomware.live DLS

Jun 16 Golfview Developmental Center Qilin Ransomware · unknown · United States 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 9d ago · Sources: ransomware.live DLS

Jun 16 Misericórdia de Santo Tirso Qilin Ransomware · unknown · Portugal 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 9d ago · Sources: ransomware.live DLS

Jun 16 Q Link Wireless Qilin Ransomware · unknown · United States 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 9d ago · Sources: ransomware.live DLS

Jun 15 distinetmurcia.es Qilin Ransomware · services · Spain 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 10d ago · Sources: ransomware.live DLS

Jun 08 Covenant Health Qilin Ransomware · healthcare · US 🟩 Corroborated · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 17d ago · Qilin attack May 2025; ~850GB leaked, 478,188 individuals affected (notifications confirmed) · Sources: The Record / SecurityWeek

Jun 08 The Banyans Health and Wellness Qilin Ransomware · healthcare · Australia 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 17d ago · Sources: ransomware.live DLS

Jun 08 Kinetic Education Qilin Ransomware · education · Australia 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 17d ago · Sources: ransomware.live DLS

Jun 08 SatCom CX Qilin Ransomware · marketing services · US 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 17d ago · Sources: ransomware.live DLS

Jun 08 Isuzu Motors Qilin Ransomware · automotive manufacturing · Thailand 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 17d ago · Sources: ransomware.live DLS

Jun 08 Opéra Comique Qilin Ransomware · arts-culture · France 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 17d ago · Sources: ransomware.live DLS

Jun 08 Shipping Association of NY and NJ Qilin Ransomware · maritime-logistics · US 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 17d ago · Sources: ransomware.live DLS

Jun 05 Avcon Jet Qilin Ransomware · aviation · Austria 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 20d ago · Sources: ransomware.live DLS

Jun 05 Trican Well Service Qilin Ransomware · oilfield services · Canada 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 20d ago · Sources: ransomware.live DLS

Jun 05 Don Don Qilin Ransomware · retail · food 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-speaking operators) · #2 active · 1947 total · disclosed 20d ago · Sources: ransomware.live DLS

---

← All threat actors · Full victim database →