Widely attributedUnknown

Qilin

Russian-speaking ransomware group detected in 2022, originally using the Agenda ransomware. Known for attacks on NHS hospitals in London. Operates RaaS model with Go-based ransomware.

Compare attribution across sources →

Attribution signal

?Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.≥ 10 High≥ 3 Moderate< 3 Low

3.3

Moderate signal strength

Mentions5

Sources3

High conf.3

Last seenJun 2026

First observed

—

Last active

—

Origin

Russia

Aliases

Techniques

Campaigns

Russia

TargetsHealthcareCritical Infrastructure

RegionsGlobal

Attribution signals

5 mentions · 3 sources

#1attributed tohigh

Unspecified

socradar

Jun 2026

"~30% of all LATAM ransomware victims attributed to Qilin"

#2actively targetedhigh

TTP matchVictimology

mandiant

May 2026

"ransomware operators, including prolific groups using REDBIKE (Akira) and AGENDA (Qilin), actively targeted backup infrastructure"

#3taken responsibilityhigh

Unspecified

checkpoint

May 2026

"Ransomware group Qilin has taken responsibility for a cyber-attack targeting German political party Die Linke"

#4led bymoderate

Unspecified

checkpoint

May 2026

"ransomware activity was led by Akira, Qilin, and Safepay"

#5unspecified

Malware

cyberscoop

May 2026

Hedge terms observed

actively targetedattributed toled bytaken responsibility