Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.
Qilin remains one of the most active ransomware groups in 2026. Recent reporting links Qilin ransomware deployment to exploitation of Check Point CVE-2026-50751, a critical VPN authentication-bypass vulnerability. Check Point also ranked Qilin as the top ransomware operation in Q1 2026 by listed victims.
CVE-2026-50751
Ransomware-as-a-service
Affiliate-led intrusions
Double extortion
Data theft
Threats to publish stolen data
Windows targeting
Linux targeting
VMware ESXi targeting
AES encryption
RSA encryption
Customizable payloads
Customizable ransom notes
VPN authentication-bypass exploitation
Qilin is ransomware that targets various platforms, including Windows systems.
Qilin encrypts the data of business users using a combination of AES and RSA algorithms.
Qilin ransom demands for decrypting files range from $50,000 to $800,000.
Qilin ransomware is written in programming languages such as Go and Rust.
Qilin has been used in targeted attacks against organizations in healthcare, education, finance, insurance, manufacturing, and professional scientific and technical services.
Qilin ransomware is customizable, allowing attackers to tailor payloads and ransom notes for each victim.
Qilin ransomware was initially observed in July 2022 under the name Agenda.
Qilin operates on a Ransomware-as-a-Service model.
Qilin core developers provide malicious software and infrastructure to affiliates in exchange for a percentage of attack profits.
Despite the Chinese name, Qilin is linked to Russian-speaking cybercriminals.
Qilin affiliates have been recruited on Russian-language forums.
Qilin notably excludes Commonwealth of Independent States countries from its targets.
Qilin includes variants written in Go and Rust capable of targeting Windows, Linux, and VMware ESXi environments.
Qilin shares functionality overlaps with Black Basta, REvil, and BlackCat ransomware.
Qilin affiliates have targeted multiple entities worldwide, with the majority of victims in the United States, France, Canada, and the United Kingdom.
Qilin primarily targets the manufacturing, technology, financial services, and healthcare sectors.
Prioritize patching of internet-facing and remote access systems
Harden VPN and external remote services
Enforce multifactor authentication for remote access and privileged accounts
Maintain offline or immutable backups and regularly test restoration
Monitor for backup deletion, recovery inhibition, and abnormal encryption activity
Segment critical systems, including virtualization and ESXi environments
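One way to act on the monitoring recommendation above, as an added example that is not part of the original page: a matcher for recovery-inhibition command lines in process-creation logs. The patterns are widely documented MITRE ATT&CK T1490 indicators rather than commands this page attributes to Qilin, and the tab-separated record format and sample records are constructed assumptions.

```python
import re

# General recovery-inhibition indicators (MITRE ATT&CK T1490). Assumption: these
# are widely documented patterns, not commands this page attributes to Qilin.
RULES = [
    ("shadow-copy deletion", re.compile(r"\bvssadmin\s+delete\s+shadows\b")),
    ("shadow-copy deletion", re.compile(r"\bwmic\s+shadowcopy\s+delete\b")),
    ("backup catalog deletion", re.compile(r"\bwbadmin\s+delete\s+(catalog|systemstatebackup|backup)\b")),
    ("boot recovery disabled", re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b")),
]

def normalise(cmdline):
    """Lower-case, drop double quotes and '.exe', collapse whitespace."""
    text = re.sub(r"\.exe\b", "", cmdline.lower().replace('"', ""))
    return re.sub(r"\s+", " ", text).strip()

def scan(lines):
    """Return one alert per matching record. Hypothetical record format:
    timestamp<TAB>host<TAB>user<TAB>command line."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue  # skip malformed records
        ts, host, user, cmd = parts
        norm = normalise(cmd)
        for label, pattern in RULES:
            if pattern.search(norm):
                alerts.append({"time": ts, "host": host, "user": user, "rule": label})
                break
    return alerts

def escalate(alerts, threshold=2):
    """Hosts showing several distinct behaviours deserve first attention."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= threshold)

SAMPLE = [  # constructed process-creation records, not real telemetry
    "2026-01-10T02:14:07Z\tFS01\tsvc_backup\tvssadmin list shadows",
    '2026-01-10T02:31:44Z\tFS01\tadmin1\t"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /All /Quiet',
    "2026-01-10T02:31:52Z\tFS01\tadmin1\tbcdedit  /set {default} recoveryenabled No",
    "2026-01-10T02:40:03Z\tWS17\tjdoe\twbadmin.exe DELETE CATALOG -quiet",
    "2026-01-10T02:41:00Z\tWS17\tjdoe\tbcdedit /enum all",
    "malformed line without tabs",
]

if __name__ == "__main__":
    print(scan(SAMPLE), escalate(scan(SAMPLE)))
```

Read-only invocations such as "vssadmin list shadows" and "bcdedit /enum all" do not alert, and a host that trips two distinct rules is ranked ahead of one that trips a single rule.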