400+ organizations hit in 2026
Double extortion • RaaS model • Cross-platform (Windows/Linux/macOS)
What Is Qilin Ransomware?
Qilin — also known by its earlier name Agenda — is a ransomware operation that runs on a Ransomware-as-a-Service (RaaS) model. Think of it like a franchise. The core developers build the malware tools, and “affiliates” (other criminal groups) pay to use them against targets, splitting ransom profits.
The malware itself was originally written in Go, and later builds were rewritten in Rust; both languages cross-compile, so the same codebase is built for Windows, Linux, and macOS without major changes, and the Linux build is also used against VMware ESXi hosts. It supports multiple encryption modes that operators configure per target, for example full encryption or partial encryption that scrambles only a fraction of each file so the locker finishes before anyone reacts. Each deployment therefore looks a little different, which makes generic, signature-based defenses harder to build.
What sets Qilin apart from garden-variety ransomware is consistency. The operation has been active since at least 2022, and instead of burning out like many groups, it has scaled up significantly.
The 2026 Surge in Numbers
According to SWK Technologies' March 2026 cybersecurity recap, Qilin had already claimed more than 400 victims in 2026 by mid-March. That is roughly 5 to 6 organizations hit per day. For context, the group listed over 1,000 victims across all of 2025 — and 2026 is on track to exceed that in half the time.
The tracker at ransomware.live keeps a running count of Qilin's claimed victims, scraped from the group's own leak site. The numbers are public and growing, with one caveat: a leak-site listing is the gang's claim, not an independently confirmed breach, so treat the count as a signal of tempo rather than a verified tally.
This is not a fringe threat. Qilin is one of the most active ransomware operations on the planet right now.
How Qilin Attacks Work: Double Extortion
Qilin uses what the industry calls double extortion. Here is the two-step process:
Step 1: Data theft. Before encrypting anything, Qilin operators quietly copy sensitive files off the target network. They might spend days or weeks inside the system, mapping out what is valuable — financial records, customer databases, medical files, intellectual property.
Step 2: Encryption + ransom demand. Once they have copied what they want, they encrypt the victim's systems, locking everyone out. Then they deliver the ransom note: pay us to decrypt your files AND to prevent us from publishing the stolen data on our dark web leak site.
This is why it is called double extortion. Even if a company has perfect backups and can restore its systems without paying, Qilin still holds the stolen data as leverage. “Sure, you got your files back. But do you want the records of 300 million patient interactions published online?”
It is a brutal strategy, and it works. Many organizations pay not because they need the decryption key, but because they cannot afford the data leak.
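The two stages above leave two different footprints in telemetry, and a defender wants to catch the first one, bulk exfiltration, before the second starts. The script below is an added example written for this article, not Qilin tooling or any vendor's detection content; the event schema, the thresholds, the host and process names, and the addresses (203.0.113.7 is a documentation address standing in for an attacker host) are all constructed assumptions. It flags a host that pushed tens of gigabytes to an external destination and then, days later, had one process rename dozens of files to a single new extension within a minute, and correlates the two into one incident.

```python
"""Flag the two stages of a double-extortion intrusion in endpoint telemetry.
Added example: the event schema, thresholds, hosts, process names and addresses
are constructed assumptions, not Qilin tooling or any EDR product's format."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Destinations inside these ranges count as internal (backup servers, file shares).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def build_sample_events():
    """Constructed telemetry (not real data). fs01 pushes 140 GB to 203.0.113.7,
    a documentation address standing in for an attacker host, on 10 March; on
    12 March locker.exe renames 40 files to .locked within 20 s. The three
    renames on ws07 keep their extension: ordinary user activity."""
    t0, t1 = datetime(2026, 3, 10, 2), datetime(2026, 3, 12, 3)
    net = lambda dt, proc, dst, n: {"ts": t0 + dt, "host": "fs01", "proc": proc,
                                    "action": "net_out", "dst": dst, "bytes": n}
    ren = lambda dt, host, proc, old, new: {"ts": t1 + dt, "host": host, "proc": proc,
                                            "action": "rename", "path": old, "new_path": new}
    events = [net(timedelta(0), "rclone.exe", "203.0.113.7", 60 * 10**9),
              net(timedelta(minutes=10), "rclone.exe", "203.0.113.7", 80 * 10**9),
              net(timedelta(hours=1), "backup.exe", "10.20.0.5", 300 * 10**9)]
    events += [ren(timedelta(seconds=i // 2), "fs01", "locker.exe",
                   f"D:/finance/report{i}.xlsx", f"D:/finance/report{i}.xlsx.locked")
               for i in range(40)]
    events += [ren(timedelta(seconds=i), "ws07", "explorer.exe",
                   f"C:/Users/ann/photo{i}.jpg", f"C:/Users/ann/holiday{i}.jpg")
               for i in range(3)]
    return events


def _ext(path):
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryption_bursts(events, window_s=60, threshold=30):
    """Alert when one process on one host gives >= threshold files the same new
    extension inside any sliding window of window_s seconds."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "rename":
            old, new = _ext(ev["path"]), _ext(ev["new_path"])
            if new and new != old:
                by_actor[(ev["host"], ev["proc"])].append((ev["ts"], new))
    alerts = []
    for (host, proc), items in by_actor.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > timedelta(seconds=window_s):
                start += 1
            ext, n = Counter(e for _, e in items[start:end + 1]).most_common(1)[0]
            if n >= threshold:
                alerts.append({"stage": "encryption", "host": host, "proc": proc,
                               "ext": ext, "count": n, "ts": items[start][0]})
                break  # one alert per actor is enough
    return alerts


def detect_exfiltration(events, gb_threshold=10):
    """Sum outbound bytes per (host, external destination, day) and alert above
    gb_threshold; internal destinations are skipped so backups do not fire."""
    totals = defaultdict(int)
    for ev in events:
        if ev["action"] == "net_out" and not any(
                ip_address(ev["dst"]) in net for net in INTERNAL_NETS):
            totals[(ev["host"], ev["dst"], ev["ts"].date())] += ev["bytes"]
    return [{"stage": "exfiltration", "host": h, "dst": d, "day": day,
             "gb": round(b / 10**9, 1)}
            for (h, d, day), b in totals.items() if b >= gb_threshold * 10**9]


def correlate(events, max_gap_days=30):
    """Pair each encryption burst with an earlier exfiltration alert on the same
    host: the exfiltrate-then-encrypt sequence described above."""
    exfil = detect_exfiltration(events)
    incidents = []
    for enc in detect_encryption_bursts(events):
        for x in exfil:
            gap = (enc["ts"].date() - x["day"]).days
            if x["host"] == enc["host"] and 0 <= gap <= max_gap_days:
                incidents.append({"host": enc["host"], "exfil_gb": x["gb"],
                                  "exfil_dst": x["dst"], "gap_days": gap,
                                  "enc_proc": enc["proc"], "enc_ext": enc["ext"]})
    return incidents


if __name__ == "__main__":
    for inc in correlate(build_sample_events()):
        print(f"{inc['host']}: {inc['exfil_gb']} GB to {inc['exfil_dst']}, then "
              f"{inc['enc_proc']} renamed files to .{inc['enc_ext']} "
              f"{inc['gap_days']} days later")
```

The exfiltration rule is the one that buys you time: by the time the rename burst fires, the clock is measured in minutes. The thresholds (10 GB per day to one external host, 30 extension changes per minute) are starting points to tune against your own baseline; in practice the inputs would be EDR or Sysmon file events and NetFlow or proxy logs rather than a constructed list.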
Notable Victims: The Synnovis/NHS Attack
The attack that put Qilin on the mainstream radar was the June 2024 Synnovis breach. Synnovis provides pathology services to the UK National Health Service (NHS), handling lab work for multiple London hospitals, so when its systems went down, blood tests and transfusion matching for those hospitals could no longer be processed normally.
Here is what happened:
- Qilin demanded a $50 million ransom
- Multiple hospitals had operations disrupted for weeks
- Thousands of patient appointments were cancelled
- 400GB of data was exfiltrated, including records from roughly 300 million patient interactions
- When Synnovis refused to pay, Qilin published the stolen data on their leak site
Let that last number sink in: 300 million patient interactions. That includes lab results, personal details, medical histories. Real people affected by a ransomware gang operating from behind Tor.
This was not an attack on a tech company with resources to absorb the hit. It was an attack on healthcare infrastructure that directly affected patient care.
Who Is at Risk
Qilin does not limit itself to big targets. Their victim list includes:
- Healthcare organizations: Hospitals, labs, clinics. Medical data sells well on dark markets.
- Education: Universities and school districts. Often underfunded on security.
- Government agencies: Municipal governments and public services.
- Small and medium businesses: Companies with 50-500 employees that have enough data to be valuable but not enough security staff to defend properly.
If you are an individual, you might think this does not apply to you. But consider: if your doctor's office gets hit, your medical records are in that data dump. If your employer gets breached, your payroll information, SSN, and banking details could end up on a leak site. Ransomware is everyone's problem, even if the ransom note lands on someone else's screen.
How to Protect Yourself
You cannot single-handedly stop a ransomware gang. But you can make yourself and your organization a harder target. Here are practical steps that actually matter:
For Individuals
- Use a password manager with unique passwords for every account. Credential reuse is one of the top entry points for attackers.
- Enable multi-factor authentication on every account that supports it. Hardware security keys (FIDO2/passkeys) are best because the login is bound to the real site and cannot be replayed by a phishing page. Authenticator apps are second best; their codes can still be phished in real time. SMS is better than nothing.
- Keep your OS and apps updated. Patches close the holes that attackers exploit. The Citrix NetScaler CVE-2026-3055 vulnerability is a fresh example of why patching matters.
- Use antivirus software with real-time protection. Modern antivirus detects ransomware behavior patterns, not just known signatures.
- Back up important files to an external drive or cloud service that is not permanently connected to your computer. If ransomware hits, offline backups survive.
- Do not click links in unexpected emails. Phishing remains one of the most common initial access vectors for ransomware operators, alongside stolen or reused credentials and unpatched internet-facing services.
For Businesses
- Segment your network. If one department gets hit, proper segmentation prevents lateral spread to everything else.
- Deploy endpoint detection and response (EDR) on all workstations and servers.
- Test your backups regularly. A backup you have never tested is a backup that might not work.
- Run phishing simulations. Your employees are your weakest link and your first line of defense.
- Have an incident response plan written, tested, and rehearsed before you need it.
- Monitor for exposed credentials. Services that scan dark web markets for your company's leaked passwords are worth the investment.
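The offline-backup advice for individuals and the “test your backups” item above come down to the same check: restore into an isolated location and compare every file against a manifest recorded at backup time and kept away from the live system. The reason the manifest matters is that a backup job which quietly captured already-encrypted files still produces a perfectly valid archive. The script below is an added example, not code from the article or its sources; the sample tree, the archive name and the manifest layout are assumptions.

```python
"""Restore-test a backup against a manifest recorded at backup time.
Added example; sample tree, file names and manifest layout are assumptions."""
from __future__ import annotations

import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict[str, str]:
    """Relative path -> sha256 for every regular file under root. Keep this
    somewhere the live system (and any malware on it) cannot rewrite it."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write src into a gzip tarball and return the manifest taken at that moment."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return make_manifest(src)


def _safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract, refusing members whose path would land outside dest (a crafted
    archive could otherwise overwrite files elsewhere during a restore test)."""
    dest = dest.resolve()
    for m in tar.getmembers():
        target = (dest / m.name).resolve()
        if os.path.commonpath([dest, target]) != str(dest):
            raise ValueError(f"unsafe member path: {m.name}")
    if hasattr(tarfile, "data_filter"):   # Python 3.12+ and security backports
        tar.extractall(dest, filter="data")
    else:
        tar.extractall(dest)


def verify_restore(archive: Path, manifest: dict[str, str], scratch: Path) -> dict:
    """Restore into an isolated directory and diff file hashes against the
    manifest. Lists what is missing, changed, or present but unexpected."""
    restored = scratch / "restore"
    restored.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        _safe_extract(tar, restored)
    actual = make_manifest(restored)
    return {"missing": sorted(set(manifest) - set(actual)),
            "changed": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
            "unexpected": sorted(set(actual) - set(manifest))}


def backup_is_good(report: dict) -> bool:
    return not (report["missing"] or report["changed"] or report["unexpected"])


def rejects_traversal() -> bool:
    """Self-check: an archive with a '../' member must be refused, not restored."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("../escape.txt")
        info.size = 4
        tar.addfile(info, io.BytesIO(b"pwnd"))
    buf.seek(0)
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(fileobj=buf, mode="r:gz") as tar:
        try:
            _safe_extract(tar, Path(tmp))
        except ValueError:
            return True
    return False


def demo() -> tuple[bool, bool, list[str]]:
    """Constructed scenario. A clean backup is restored and verified. Then one
    live file is replaced by garbage (what an encrypted file looks like) and
    the backup job runs again: the archive is intact, but verification against
    the earlier manifest catches the change."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.xlsx").write_bytes(b"quarterly numbers")
        (src / "notes.txt").write_text("call the lab on Monday")
        archive = base / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean_ok = backup_is_good(verify_restore(archive, manifest, base / "run1"))

        (src / "finance" / "q1.xlsx").write_bytes(b"\x00\xffgarbage")
        create_backup(src, archive)  # manifest deliberately not refreshed
        report = verify_restore(archive, manifest, base / "run2")
        return clean_ok, backup_is_good(report), report["changed"]
```

Run the restore into scratch space on a machine that is not the one being backed up, and store the manifest with the offline copy, not next to the live data. The traversal check in `_safe_extract` is there because a restore test is itself a place where an attacker-supplied archive gets unpacked with whatever privileges the backup operator has.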
The Role of VPNs in Ransomware Defense
Let us be direct: a VPN will not stop ransomware. If you click a phishing link, a VPN cannot save you. If your RDP port is exposed, a VPN on your laptop does not protect the server.
Where VPNs help is in reducing your attack surface:
- Public Wi-Fi protection: on a hostile network, an attacker in the middle can tamper with DNS or unencrypted traffic to steer you toward a malicious download. HTTPS already blunts most of this, but a VPN tunnels your DNS lookups and any remaining plaintext traffic past the local network.
- Remote access security: enterprise VPNs create encrypted tunnels for remote workers instead of exposing internal services such as RDP to the internet. The catch is that the VPN appliance then becomes the exposed service, and ransomware affiliates actively hunt for unpatched ones (see the Citrix NetScaler issue above), so it needs prompt patching, MFA, and monitoring of its own.
- DNS-level filtering: Some VPN providers like NordVPN and Surfshark include DNS filtering that blocks known malicious domains before your browser loads them.
A VPN is one layer in a multi-layer defense. Not a silver bullet, but a useful piece of the stack alongside antivirus, password hygiene, and backups.
Frequently Asked Questions
Can Qilin ransomware target individual users?
Yes. While Qilin primarily targets organizations, individuals can be caught in supply chain attacks or phishing campaigns. If your employer or healthcare provider is hit, your personal data may be exposed even if your own device is clean.
Does a VPN protect against ransomware?
A VPN alone does not stop ransomware. But it reduces exposure on public networks, prevents ISP-level traffic interception, and adds a layer of encryption that makes certain attack vectors harder. It is one piece of a larger defense strategy.
Should I pay a ransomware demand?
Law enforcement agencies including the FBI strongly advise against paying ransoms. Payment funds criminal operations and does not guarantee recovery: decryptors are often slow or buggy, and industry surveys have repeatedly found that a substantial share of organizations that pay (roughly one in five in some reports) never get all of their data back. Paying also gives you no way to confirm that the stolen copy was deleted.
What makes Qilin different from other ransomware?
Qilin operates as Ransomware-as-a-Service, is written in Golang for cross-platform attacks, and consistently uses double extortion. Their volume in 2026 (400+ victims) makes them one of the most active groups right now.
How do I know if my data was leaked by Qilin?
Monitor breach notification services like Have I Been Pwned, keeping in mind that ransomware leak-site dumps are not always indexed there. If your employer or service provider discloses a ransomware incident, assume your data may be compromised: change passwords, enable MFA, and freeze your credit if applicable.
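Both the “monitor for exposed credentials” item for businesses and this answer point at Have I Been Pwned, and the part of that service a defender can script against is the Pwned Passwords range API: it lets you ask whether a password appears in the breach corpus without sending the password, or even its full hash, to anyone. The following is an added example, not code from the article or from the HIBP project; the response body it checks against is constructed in the real format with invented counts, and the one function that would talk to the live API is shown but never called.

```python
"""Check a password against a breach corpus via the k-anonymity range lookup
used by Have I Been Pwned's Pwned Passwords API. Added example: the response
body used here is constructed in the real format, and query_range() is the
only function that touches the network (shown, not called)."""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 is used because that is what the service indexes, not for its
    strength. Only the 5-character prefix is ever sent; several hundred
    breached hashes share each prefix, so the server learns little."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF separated). Padding entries, which the
    service adds with count 0 when asked, are dropped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, n = line.strip().partition(":")
        if sep and int(n) > 0:
            counts[suffix.upper()] = int(n)
    return counts


def breach_count(password: str, body: str) -> int:
    """How many times the password appears in the corpus, matched locally."""
    _, suffix = split_hash(password)
    return parse_range(body).get(suffix, 0)


def query_range(prefix: str) -> str:
    """Live lookup (not executed in this example). Add-Padding makes every
    response a similar size so an observer cannot infer the prefix's hit count."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={
        "Add-Padding": "true", "User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_body(corpus: dict[str, int], prefix: str) -> str:
    """Fake range response for offline use: real format, invented contents.
    Includes one padding line; only corpus entries sharing the prefix appear."""
    lines = ["0123456789ABCDEF0123456789ABCDEF012:0"]
    for pw, n in corpus.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines) + "\r\n"


def check_offline(password: str, corpus: dict[str, int]) -> int:
    """breach_count() driven by the constructed body instead of query_range()."""
    prefix, _ = split_hash(password)
    return breach_count(password, constructed_body(corpus, prefix))


if __name__ == "__main__":
    corpus = {"password": 10_000_000, "Summer2026!": 12}   # constructed counts
    for pw in ("password", "Summer2026!", "correct horse battery staple"):
        print(f"{pw!r}: seen {check_offline(pw, corpus)} times")
```

To go live, replace `constructed_body(corpus, prefix)` with `query_range(prefix)`; the matching still happens on your side. A non-zero count is a reason to rotate the password, and running this at password-change time (as a password policy hook) catches reuse of leaked credentials before an attacker does.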