With cyberattacks on Healthcare and Public Health (HPH) entities on the rise, a previously published threat profile of the Qilin ransomware group from the U.S. Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) is being highlighted. Qilin, also known as Agenda Ransomware, is a ransomware-as-a-service (RaaS) operation active since 2022. Believed to originate from Russia, Qilin targets a range of industries worldwide, including healthcare, manufacturing, legal services, and finance. To gain access, the group uses spear phishing, exposed remote access tools like RDP and Citrix, and Remote Monitoring and Management software; it then deploys ransomware variants written in Go and Rust that target both Windows and Linux systems, including VMware ESXi servers.
Qilin leverages double extortion tactics, demanding ransom payments while threatening to leak sensitive data on its dark web leak site. Typical ransom demands have ranged from $50,000 to $800,000. In the U.S., affected organizations include hospitals, dental clinics, radiology companies, home healthcare providers, and medical specialty practices across different states.
HHS has published a set of voluntary Healthcare and Public Health Cybersecurity Performance Goals (CPGs) to help healthcare organizations prioritize the implementation of high-impact cybersecurity practices. The CPGs can be used to establish cybersecurity controls and to assist in preventing, responding to, and recovering from ransomware attacks. For more information about the ransomware group, refer to the HC3’s Qilin Threat Profile.