Qilin, which is thought to have originated in Russia, has been operational since mid-2022 and has affected over 300 companies across more than 12 countries.
When infected by Qilin (or any other type of ransomware), your systems will display a notice similar to the example shown here. This indicates that a cybercriminal group is holding your data and systems hostage, demanding payment in exchange for their release.
Just as you wouldn’t disturb a crime scene after a break-in at your office, the same rule applies to a cyber-attack. If you encounter a ransomware incident, treat your digital environment as a crime scene and refrain from making any changes.
Allowing a digital forensic investigation to take place is essential for properly understanding the attack. This is not something to be handled by your IT team or managed service provider. Instead, contact specialised Digital Forensic experts, available around the clock, to guide you through the process, just as you would call the police in a physical break-in scenario.


If you see a message on your system resembling the one mentioned above, it’s likely that you’ve fallen victim to a Qilin ransomware attack.
Qilin, a Ransomware-as-a-Service (RaaS) group, was first identified in July 2022. Also known by its former name "Agenda", it is thought to have emerged from Russia. The group primarily targets large corporations and high-value entities, particularly in the healthcare and education sectors. The ransomware is written in Rust and/or Go, taking advantage of those languages' cross-platform support to build malware that runs on multiple operating systems, including Windows and Linux.
Qilin typically gains access through phishing and spear-phishing campaigns and by exploiting vulnerable applications and services such as Citrix and Remote Desktop Protocol (RDP). The group uses a double extortion strategy: the attackers encrypt the victim's data using various encryption methods and also steal it, demanding payment for decryption and threatening to leak or sell the stolen data if the ransom is not paid. This two-pronged threat intensifies the pressure and urgency of the demand and increases the likelihood that the targeted organisation complies.
Qilin is believed to have started its operations in 2022. However, like many other cybercriminal groups, it has previously operated under a different name, making the exact founding date of Qilin uncertain.
So far, Qilin has claimed responsibility for 664 attacks.
Solace Cyber’s track record includes hundreds of successful response recoveries, providing Digital Forensic Incident Response services, 24x7x365.
"Higher education institutions are particularly vulnerable, with 97% identifying a breach or attack in the past year."
When a cyber incident occurs, take these immediate actions:
Solace Cyber acts as your specialist digital forensics partner in Australia, helping restore normal operations swiftly. Our response includes:
Recovery timelines typically range from 2 weeks to 2 months, depending on the incident's scope.

Solace Cyber delivers global risk and security services across Australia, specialising in travel, crisis support, and offshore risk management. The organisation runs a fully staffed security operations centre around the clock and maintains an internal intelligence unit that produces routine daily and weekly updates. The business is certified to ISO 27001, ISO 14001, ISO 45001, and ISO 9001 standards.
Founded in the UK in 2021, Solace Cyber has grown its presence throughout Australia, concentrating on cyber incident handling, including digital forensics, incident response, ransomware events, information security, and wider risk management, supported by managed security services. The senior leadership team has more than two decades of combined experience across security and IT.
Specialist forensic investigation and secure restoration demand focused expertise that standard IT departments rarely possess. Your internal teams excel at day-to-day technology support, but ransomware response requires dedicated capabilities they typically lack.
Consider these key challenges facing in-house teams:


We created Solace Cyber specifically to address ransomware incidents through our structured 6-phase methodology:
Our comprehensive forensic investigation begins at phase 2, forming the foundation of your business continuity plan. This detailed analysis proves essential for:
We execute our evidence examination according to a carefully structured protocol designed to identify root causes quickly. This discovery directly informs our eradication strategy and recovery plan, while building the evidence base for potential legal action. Through legal proceedings, we can help secure court orders preventing criminals from publishing your data, effectively nullifying their ransom demands.
Throughout your incident response, our Digital Forensic and Incident Response specialists maintain continuous coordination. Your dedicated Incident Manager and technical leads deliver regular progress updates, manage risk documentation, and operate within your change control frameworks from initial triage through final recovery.
At Solace Cyber, our support goes beyond just recovery. Once your business operations are back up and running, we work closely with you to improve your cybersecurity strategy, adopting a threat-informed approach. This includes applying our in-depth process, which is specifically designed to identify and mitigate cyber threats and vulnerabilities in a thorough, systematic manner.
The Qilin ransomware may have infiltrated your system through several potential methods, including:
To reduce the risk of similar attacks, we recommend implementing the following measures:
After the Qilin attack is resolved, Solace Cyber advises updating your business continuity plan based on the insights gained from the incident and recovery process.
The financial impact of a ransomware breach can be significant, with average costs around £500K. Smaller breaches, such as those involving email data, typically cost around £50K. The longer it takes to detect and resolve the breach, the higher the costs become. A critical balance must be struck between preserving the environment for forensic analysis and quickly recovering to minimise business disruption.
Cybersecurity insurance claims can be complex, covering a range of expenses such as investigation costs, remediation, legal fees, business interruption, criminal and employment liabilities, and ransom payments. While the insurance industry plays a role in helping businesses recover, cyber insurance is often volatile, and many policies are not properly validated.
Navigating these complexities requires expertise, and Solace Cyber can provide the necessary support.
Cybercriminal groups like Qilin receive payments from affiliates to deploy their ransomware, which is known for its swift encryption capabilities. Even after paying the ransom, the chances of successfully decrypting files and restoring data are slim, which highlights the importance of having a ransomware incident response team in place.
Important Reminder: It is illegal to pay individuals who are on the financial sanctions list. This list is constantly updated, so it’s important to stay informed.
Yes, it's possible that some of the lost data may qualify as "Personal Data" of your customers. It remains your legal obligation to protect this data, even if it has been compromised.
Your insurer or legal advisor will provide guidance on the necessary actions and next steps in handling this situation.
Solace Cyber has extensive experience working with insurers and legal experts and can support you in managing these relationships during this challenging time.
A ransomware attack is one of the most severe threats to your business, as it can:
In the event of a business disruption, identifying your position within the supply chain and maintaining operations becomes challenging. If the disruption continues, ensuring business continuity becomes even more critical. After restoring systems and data, it’s vital to address any backlog of work and establish future operational protocols.
Ransomware is one of the leading causes of business incapacitation, second only to receivership.
Under Australian law, organisations experiencing ransomware attacks must report incidents to both the Australian Signals Directorate (ASD) and the Office of the Australian Information Commissioner (OAIC), particularly when personal information is compromised, ensuring regulatory compliance and coordinated national response.
Keep calm and step away from your systems.
Avoid restoring files or altering data in any way, as doing so may complicate recovery efforts.
Reach out to Solace Cyber now on +61 (0) 282 786100 or submit our contact form to have an expert return your call.
We’ll take swift action to minimise downtime and restore stability to your operations.

Solace Cyber helps companies across Australia recover from ransomware attacks and data breaches.
SOLACE CYBER LTD is registered in England & Wales no. 08830710

Solace Cyber, Zensec Ltd, 60 Martin Place, Sydney, NSW 2000