Qilin
Russian-speaking ransomware-as-a-service operation tracked by vendors as Qilin (and earlier as Agenda). Best known publicly for the 3 June 2024 compromise of Synnovis — the pathology-services provider to multiple London NHS trusts — which forced cancellation of 1,134 planned operations and 2,194 outpatient appointments and was cited by SCMP UK as a contributing factor in a patient death. Synnovis refused the $50M ransom; 400GB of patient data was published on Qilin's DLS on 20 June 2024.
Aliases
Motivations
Target sectors
Target countries
Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Timeline
2 events
- Report · High · 2026-04-01 · Comparitech / Paubox aggregated tracking
Qilin emerges as the most-active healthcare ransomware brand of Q1 2026
Q1 2026 healthcare ransomware tracking attributed 23 claimed attacks (4 confirmed) to Qilin across U.S. and German healthcare providers — making Qilin the most-active brand against the sector for the quarter. Aggregate Q1 2026 healthcare-sector tracking recorded 120 ransomware attacks across all brands (a 14% decline from Q4 2025) but the average ransom demand surged to $16.9M, up from $577,800 the prior quarter — a strategic shift toward fewer, more-selective targets with higher capacity to pay. Qilin's persistent healthcare focus since the June 2024 Synnovis incident represents the clearest sustained vendor-style specialisation in the post-2024 ransomware market.
Tags: healthcare, sector-trend, ransom-demand
- Compromise · Critical · 2024-06-03 · Synnovis
Qilin ransomware compromise of Synnovis disrupts London NHS care
Qilin operators compromised Synnovis, the pathology-services joint venture serving Guy's and St Thomas', King's College Hospital, and Lewisham and Greenwich NHS Trusts in London. Synnovis-dependent blood testing across seven hospitals was knocked offline; trusts cancelled 1,134 planned operations and 2,194 outpatient appointments in the first 13 days. Qilin published 400GB of patient data on its DLS on 20 June 2024 after Synnovis refused a $50M ransom demand. UK regulators later cited the incident as a contributing factor in a patient death.
Tags: healthcare, ransomware, uk, patient-impact
Indicators of compromise
2 indicators

| Type | Value | First seen | Source |
|---|---|---|---|
| SHA-256 | family · Agenda/Qilin Qilin ransomware Windows sample referenced in vendor emulation packs (AttackIQ, MyCERT) drawing on Group-IB's Qilin Revisited 2024 technical analysis. | Jul 16, 2024 | Group-IB |
| Name | family · Agenda/Qilin Original Go-based ransomware family name used by Qilin affiliates from mid-2022 before the Rust rewrite. Group-IB and SentinelOne both track Qilin/Agenda as one lineage; the operators encrypted Synnovis pathology systems on 3 June 2024 causing the south-London NHS hospital outage. | Aug 24, 2022 | SentinelOne |
Leak-site activity (unverified)
Recent victim disclosures posted by this group on its leak site, via ransomware.live. These are unverified attacker claims — ransomware crews routinely fabricate, double-post, or inflate victims. Surface only.
- 05-18 · Gartengestaltung Muller eU · AT
- 05-18 · RCR Industrial Flooring · AU
- 05-17 · Buckeye Paper · US
- 05-17 · Musée du Bas-Saint-Laurent · CA
- 05-17 · Fruits Queralt · ES
- 05-17 · Monir Precision Monitoring · CA
- 05-17 · The Taylor Provisions · GB
- 05-17 · Salter HealthCare · GB
- 05-17 · Majlis Perbandaran Alor Gajah · MY
- 05-17 · PNSB Insurance Brokers Sdn Bhd · MY
- 05-17 · Comercial Echave Turri Limitada · CL
- 05-16 · CLINICA AVELLANEDA MEDICAL CENTER · AR
- 05-15 · Turner Supply · US
- 05-15 · NR Engineering Co., Ltd. · TH
- 05-15 · Australian College of Business Intelligence · AU
- 05-15 · Menzies Group · AU
- 05-15 · B.Care Medical Center · PH
- 05-15 · Common Part Groupings · US
- 05-15 · Foot Solutions · US
- 05-14 · Schulte-Lindhorst GmbH & Co. · DE
Related actors
shared ATT&CK techniques
- RU · Russia · 8Base · 4 shared techniques
- ?? · Unknown · Akira · 4 shared techniques
- ?? · Unknown · Hive · 4 shared techniques
- ?? · Unknown · RansomHub · 4 shared techniques
- ?? · Unknown · ALPHV/BlackCat · 3 shared techniques
- RU · Russia · DarkSide · 3 shared techniques
References
cite this page
Threat Intel Tracker. (2026-05-19). Qilin — actor profile. Retrieved from https://threatintel.local/actors/qilin