Qilin (also tracked as Agenda, Water Galura [Trend Micro], and MITRE ATT&CK G1057) is one of the more operationally consequential ransomware operations of the 2022-2024 period: a financially motivated organized cybercriminal cluster operating predominantly from Russia and adjacent post-Soviet states. The cluster operated under the Agenda brand from August 2022 through approximately mid-2023, then rebranded to Qilin, a brand it has maintained through 2024-2025. Vendor consensus treats Agenda and Qilin as one operationally continuous cluster under successive brand names.
The cluster operates as a ransomware-as-a-service (RaaS) operation with affiliate-controlled monetization, which defines its operational signature: a "publish-or-pay" model in which affiliates, rather than a central administrator, decide whether and when to publish their respective victims on the leak site. This is distinctive among RaaS operations; most peers keep leak-site publication under central-administrator control. The affiliate-controlled model is a signal about organizational structure: affiliates have substantial operational autonomy, and the core cluster functions more as a service provider to affiliates than as a centralized operator.
The model has implications for victim-organization response decisions, because the negotiation counterparty is the operating affiliate rather than a central administrator. The cluster deploys Rust-language ransomware variants alongside earlier Golang variants, consistent with the broader shift among cybercrime clusters after ALPHV / BlackCat introduced Rust-based ransomware in November 2021, and it maintains Linux and ESXi variants alongside the Windows variant.
The cluster's most consequential single operation was the June 2024 attack on Synnovis, a UK NHS pathology services provider, which was the most consequential UK healthcare-sector ransomware operation of the 2022-2024 period. Synnovis is a private pathology provider serving multiple NHS hospital trusts, including Guy's and St Thomas' NHS Foundation Trust and King's College Hospital NHS Foundation Trust; the disruption affected blood testing and pathology services for weeks, with substantial cascading impact on patient care including cancelled surgeries, blood shortages, and delayed diagnoses. The attack prompted the affected trusts to declare a critical incident and was handled by UK government bodies as a national-scale healthcare-sector cyber incident.
Qilin published approximately 400 GB of stolen Synnovis data, including patient information, on its leak site after Synnovis refused a ransom demand of approximately $50M USD. The attack contributed substantially to elevated UK parliamentary and government attention to NHS supply-chain ransomware risk. Selected vendor analysis has also reported Black Basta involvement in the Synnovis attack, though primary attribution remains with Qilin.
Additional high-profile documented victims include Royal Berkshire NHS Foundation Trust (UK, May 2024 targeting attempt), Yanfeng (Chinese automotive interior parts supplier, November 2023), Big Issue (UK media, April 2024), Brunet (Canadian pharmacy chain, October 2023), numerous US K-12 school districts across 2022-2024, and many other commercial and government-sector targets. Operationally, the cluster runs Russian-language affiliate-recruitment advertisements on underground forums and explicitly avoids CIS-state targets, including Russia, Belarus, Kazakhstan, and other former Soviet states, the standard pattern of Russian-speaking organized cybercrime and consistent with Russian jurisdictional tolerance of cybercrime against Western victims. A handful of operational notes follow. First, the cluster is one of the more sustained and operationally consistent ransomware operations of the 2022-2024 period, and the Agenda-to-Qilin rebrand demonstrates deliberate brand management.
It has remained one of the more consistent performers among contemporary RaaS operations. Second, the affiliate-controlled monetization model is one of the more interesting business-model variations in the publicly tracked RaaS ecosystem: the "publish-or-pay" affiliate-controlled model contrasts with the centralized-administrator control common among peer operations and is a meaningful data point about organizational diversity in contemporary RaaS.
Third, the Synnovis attack (June 2024) is one of the most consequential UK healthcare-sector ransomware operations in the publicly tracked record, alongside the May 2021 Ireland Health Service Executive attack (Conti-attributed, covered in wizard_spider_conti.yaml) and the May 2024 Ascension Health attack (Black Basta-attributed, covered in black_basta.yaml); together the three represent substantial Western healthcare-sector impact from contemporary cybercrime clusters. Fourth, no formal named-individual attribution has been publicly issued for Qilin / Agenda administrators, consistent with the absence of named-individual attribution for Cl0p, ALPHV / BlackCat, Black Basta, Akira, Play, Medusa, Rhysida, Royal / BlackSuit, RansomHub, and several other contemporary cybercrime clusters.
Among the major contemporary cybercrime clusters covered in this corpus, only LockBit (Khoroshev), Evil Corp (Yakubets / Turashev), and FIN7 (Dunaev / Hladyr / Kolpakov / Witte) have received formal named-individual attribution.