threatintel
actor tracker
All actors

Qilin

qilin · primary source: Other · first observed 2022
?? · UnknownRansomwareLow confidencelast cited Mar 31, 2026 · 4mo ago

Russian-speaking ransomware-as-a-service operation tracked by vendors as Qilin (and earlier as Agenda). Best known publicly for the 3 June 2024 compromise of Synnovis — the pathology-services provider to multiple London NHS trusts — which forced cancellation of 1,134 planned operations and 2,194 outpatient appointments and was cited by SCMP UK as a contributing factor in a patient death. Synnovis refused the $50M ransom; 400GB of patient data was published on Qilin's DLS on 20 June 2024.

Aliases

AgendaOther

Motivations

financial gain

Target sectors

healthcaremanufacturingeducationprofessional services

Target countries

GBUSFRDEAUCA

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Qilin
  • Unknown
  • financial gain
Infrastructure
Victim
  • healthcare
  • manufacturing
  • education
  • GB
  • US
  • +1 more

MITRE ATT&CK techniques

Timeline

2 events
  1. ReportHigh2026-04-01·Comparitech / Paubox aggregated tracking

    Qilin emerges as the most-active healthcare ransomware brand of Q1 2026

    Q1 2026 healthcare ransomware tracking attributed 23 claimed attacks (4 confirmed) to Qilin across U.S. and German healthcare providers — making Qilin the most- active brand against the sector for the quarter. Aggregate Q1 2026 healthcare-sector tracking recorded 120 ransomware attacks across all brands (a 14% decline from Q4 2025) but the average ransom demand surged to $16.9M, up from $577,800 the prior quarter — a strategic shift toward fewer, more-selective targets with higher capacity to pay. Qilin's persistent healthcare focus since the June 2024 Synnovis incident represents the clearest sustained vendor-style specialisation in the post-2024 ransomware market.

    healthcaresector-trendransom-demand
  2. CompromiseCritical2024-06-03·Synnovis

    Qilin ransomware compromise of Synnovis disrupts London NHS care

    Qilin operators compromised Synnovis, the pathology-services joint venture serving Guy's and St Thomas', King's College Hospital, and Lewisham and Greenwich NHS Trusts in London. Synnovis-dependent blood testing across seven hospitals was knocked offline; trusts cancelled 1,134 planned operations and 2,194 outpatient appointments in the first 13 days. Qilin published 400GB of patient data on its DLS on 20 June 2024 after Synnovis refused a $50M ransom demand. UK regulators later cited the incident as a contributing factor in a patient death.

    healthcareransomwareukpatient-impact

Indicators of compromise

2 indicators
csv
TypeValueFirst seenSource
SHA-256
e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527
family · Agenda/Qilin
Qilin ransomware Windows sample referenced in vendor emulation packs (AttackIQ, MyCERT) drawing on Group-IB's Qilin Revisited 2024 technical analysis.
Jul 16, 2024Group-IB
Name
Agenda
family · Agenda/Qilin
Original Go-based ransomware family name used by Qilin affiliates from mid-2022 before the Rust rewrite. Group-IB and SentinelOne both track Qilin/Agenda as one lineage; the operators encrypted Synnovis pathology systems on 3 June 2024 causing the south-London NHS hospital outage.
Aug 24, 2022SentinelOne

Leak-site activity (unverified)

full feed →

Recent victim disclosures posted by this group on its leak site, via ransomware.live. These are unverified attacker claims — ransomware crews routinely fabricate, double-post, or inflate victims. Surface only.

  • 07-07Lechner Massivhaus GmbHAT
  • 07-07COP® Vertriebs-GmbH ZentraleDE
  • 07-07Next ClinicsCZ
  • 07-07AccelirateUS
  • 07-06Keystone HomesUS
  • 07-06Precision Steel Services
  • 07-06Answer Precision ToolUS
  • 07-06Wood Ellis & Wood CPAUS
  • 07-06Max FordhamGB
  • 07-06Grupo IntecaMX
  • 07-06LabelDaddyUS
  • 07-03TQ Financial Services
  • 07-03Md LewisUS
  • 07-03Goodwill ManasotaUS
  • 07-03SitmaticDE
  • 07-03SisintPT
  • 06-29Kunert FashionDE
  • 06-29Musashino UniversityJP
  • 06-29KALIACT ANCHETA et AssocisFR
  • 06-29Metal Sur FaminAR

Related actors

shared ATT&CK techniques

References

cite this page

Threat Intel Tracker. (2026-07-14). Qilin — actor profile. Retrieved from https://threatintel.local/actors/qilin

latest cited activity · 2026-04-01 · 2 cataloged indicators