As ransomware groups grapple with internal upheavals and external attacks, the cyber threat landscape is witnessing the rise of a new, highly sophisticated actor: Qilin.
This ransomware-as-a-service (RaaS) operation is rapidly expanding its footprint, targeting enterprises with both Windows and Linux systems, especially those running ESXi virtual environments.
Armed with advanced evasion tactics and cross-platform payloads, Qilin has emerged as a significant concern for global security teams.
Technical Sophistication and Cross-Platform Reach
Qilin distinguishes itself from legacy ransomware groups by leveraging custom malware written in Rust for Windows and C for Linux and ESXi systems.
This approach allows Qilin to achieve robust performance, enhanced security, and the flexibility to tailor attacks for different environments.
The ransomware’s administrative panel offers features that streamline affiliate operations: customizable encryption modes, safe-mode execution, log and shadow copy erasure, network propagation, and automated negotiation tools.
For Windows systems, Qilin employs a Rust-based loader that spreads across networks using PsExec, targeting domain computers and leveraging domain privileges.
It clears event logs to evade detection, changes the desktop wallpaper to deliver ransom notes, and even prints demands via network printers.
The malware also dismounts disk images, deletes its own trace post-execution, and contains a hardcoded blacklist of file extensions it avoids encrypting.
On Linux and virtualized environments, especially ESXi and Nutanix, Qilin’s C-based variant scans for and terminates virtual machines, deletes snapshots, and encrypts critical data.
It uses system commands to manipulate host settings, ensuring its operations are both efficient and stealthy.
Notably, it identifies and targets a wide array of data: virtualization directories (VMware, VirtualBox, Xen, KVM), databases (MySQL, PostgreSQL, Redis, MongoDB, etc.), and container data (Docker).
Expanding Cybercrime Ecosystem
Beyond ransomware, Qilin is building a full-service cybercrime platform. The group offers affiliates spam services, legal guidance, media support, and a petabyte-scale data storage system for exfiltrated information.
Its panel, recently updated with a DDoS option, provides 24/7 support for negotiation, and even includes a “Call Lawyer” feature to pressure victims during ransom talks.
Ransom demands typically range from $50,000 to $800,000, reflecting both the perpetrators’ ambition and financial motivation.
Qilin’s ecosystem and technical capabilities have resulted in over 100 organizations listed on its dark web leak site since early 2025, with more than 50 recent attacks claimed.
The ransomware group also operates data leak websites, including a “WikiLeaks V2” project, used to publish stolen data and exert additional pressure on victims.
Conclusion and Key Indicators
Qilin’s cross-platform payloads, advanced evasion, and affiliate-friendly features position it as a growing threat to enterprises worldwide.
The ransomware uses robust encryption (ChaCha20, AES, and RSA-4096) and is marketed on underground forums as a versatile, highly-configurable attack tool.
Key Indicators of Compromise (IoCs):
- IP Addresses: 185.208.156.157, 185.196.10.19, 80.64.16.87
- Windows Sample Hashes: 31c3574456573c89d444478772597db40f075e25c67b8de39926d2faa63ca1d8, C9707a3bc0f177e1d1a5587c61699975b1153406962d187c9a732f97d8f867c5
- Linux Sample Hashes: 13cda19a9bf493f168d0eb6e8b2300828017b0ef437f75548a6c50bfb4a42a09, a7f2a21c0cd5681eab30265432367cf4b649d2b340963a977e70a16738e955ac
Security teams are urged to monitor for these IoCs, implement advanced endpoint and network protections, and remain vigilant as Qilin continues to evolve its operational tactics.
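The following script is an added defensive example, not code from the article or from the Qilin operation it describes. It turns the IoCs listed above into a small detection routine: it scans connection log lines for the three listed IP addresses, compares file hashes against the four sample hashes (normalised to lowercase, so a report that prints a hash in mixed case, as one of the Windows hashes above is, still matches), and flags the two Windows behaviours the article describes, PsExec propagation and event log clearing. The log lines and event records are constructed for the demo; the Windows event IDs (Security 1102 for an audit log clear, System 104 for other log clears, System 7045 for a new service install) and the default PsExec service name PSEXESVC are general Windows facts, not taken from the article.

```python
"""Added defensive example: match the article's Qilin IoCs and flag the
Windows behaviours it describes in sample telemetry (constructed data)."""
import hashlib
import re

# IoC values copied from the article. Hashes are normalised to lowercase so
# mixed-case values in reports still compare equal.
IOC_IPS = {"185.208.156.157", "185.196.10.19", "80.64.16.87"}
IOC_SHA256 = {h.lower() for h in (
    "31c3574456573c89d444478772597db40f075e25c67b8de39926d2faa63ca1d8",
    "C9707a3bc0f177e1d1a5587c61699975b1153406962d187c9a732f97d8f867c5",
    "13cda19a9bf493f168d0eb6e8b2300828017b0ef437f75548a6c50bfb4a42a09",
    "a7f2a21c0cd5681eab30265432367cf4b649d2b340963a977e70a16738e955ac",
)}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_ioc_ips(log_lines):
    """Return (line_number, ip) for every listed IoC IP found in the log lines."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


def hash_matches(reported_hash):
    """Case-insensitive check of a SHA-256 string against the listed sample hashes."""
    return reported_hash.strip().lower() in IOC_SHA256


def file_bytes_match(data):
    """Hash raw file content and check it against the listed sample hashes."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


# Windows event IDs used by the behavioural rules (general Windows facts, not
# from the article): Security 1102 = audit log cleared, System 104 = event log
# cleared, System 7045 = new service installed. PsExec installs PSEXESVC by default.
def behavioural_alerts(events):
    """Apply three rules to event dicts {host, channel, event_id, ...}; return alert strings."""
    alerts = []
    for ev in events:
        ch, eid = ev.get("channel"), ev.get("event_id")
        if ch == "Security" and eid == 1102:
            alerts.append(f"log-clear: Security audit log cleared on {ev['host']}")
        elif ch == "System" and eid == 104:
            alerts.append(f"log-clear: {ev.get('log', '?')} log cleared on {ev['host']}")
        elif ch == "System" and eid == 7045 and ev.get("service", "").upper() == "PSEXESVC":
            alerts.append(f"psexec: PSEXESVC service installed on {ev['host']}")
    return alerts


# Constructed sample telemetry (not real data). 10.0.4.x and 203.0.113.5 are
# private / documentation addresses used as benign filler.
SAMPLE_CONN_LOG = [
    "2025-05-02T10:14:07Z fw allow src=10.0.4.21 dst=203.0.113.5 dport=443",
    "2025-05-02T10:14:09Z fw allow src=10.0.4.21 dst=185.208.156.157 dport=443",
    "2025-05-02T10:15:30Z fw deny  src=10.0.4.9  dst=80.64.16.87 dport=8443",
]
SAMPLE_EVENTS = [
    {"host": "WS-117", "channel": "System", "event_id": 7045, "service": "PSEXESVC"},
    {"host": "WS-117", "channel": "Security", "event_id": 4624},
    {"host": "WS-117", "channel": "Security", "event_id": 1102},
    {"host": "FS-02", "channel": "System", "event_id": 104, "log": "Application"},
]


def run_demo():
    """Run every check over the constructed samples and return the findings."""
    return {
        "ip_hits": find_ioc_ips(SAMPLE_CONN_LOG),
        "mixed_case_hash_matches": hash_matches(
            "C9707A3BC0F177E1D1A5587C61699975B1153406962D187C9A732F97D8F867C5"),
        "benign_file_matches": file_bytes_match(b"benign content"),
        "alerts": behavioural_alerts(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hash checks work on either a hash string from a report or on file bytes, so the same list can be applied to an EDR export and to files pulled from a suspect host. The behavioural rules are deliberately narrow: a PSEXESVC install or a cleared log is noisy in some environments, so they are best correlated with the IP hits rather than alerted on alone.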
With its expanding ecosystem and cross-platform reach, Qilin represents a formidable challenge for organizations of all sizes in 2025 and beyond.