Live Latest activity →

Qilin - How to Remove

Last updated: 2026-04-21

Incident Response Guide: Qilin Ransomware

Incident Triage Steps

Within the first 30 minutes of suspecting a Qilin ransomware incident, follow these steps to assess scope and impact. Qilin typically spreads via phishing emails with malicious attachments, exploits in public-facing applications, or compromised RDP credentials. Its initial payload often uses living-off-the-land binaries (LOLBins) like PowerShell or WMI for execution.

  1. Isolate the First Reported System: Immediately disconnect the initially reported workstation or server from the network. Do not power it off, as this destroys volatile evidence in memory.
  2. Identify the Initial Access Vector: Check the affected system’s:
    • Email client or webmail logs for suspicious messages with attachments (e.g., .iso, .lnk files) received in the hours before encryption.
    • Application logs (e.g., web server, VPN) for exploitation attempts.
    • RDP authentication logs for unusual successful logins, especially from unfamiliar IPs or outside business hours.
  3. Determine Encryption Scope: Qilin targets specific file extensions and avoids system-critical folders to maintain system stability. Scan network shares and connected drives for files appended with the .qilin extension or a custom extension defined by the threat actor. Use a dedicated, isolated forensic workstation to run searches, not the compromised network.
  4. Check for Data Exfiltration: Qilin operators often exfiltrate data prior to encryption for double-extortion. In the first 30 minutes, look for:
    • Unusually large outbound data transfers (hundreds of GBs) from key servers (file servers, database servers) in the 24-72 hours before encryption began. Check firewall, proxy, and NetFlow logs.
    • Connections to known or suspected Qilin exfiltration endpoints, often cloud storage services or compromised websites. Correlate with process creation logs for tools like Rclone, Megasync, or 7-Zip executing on sensitive systems.
  5. Activate Your IR Plan: Notify your incident response team, legal counsel, and management. Begin documenting all actions taken.

Evidence Collection

Before any containment or remediation actions, collect the following evidence to support forensic analysis and potential legal proceedings.

Volatile Data (From Live Systems):

  • Memory Dump: Use a trusted, external tool to capture the full memory of affected systems. Qilin payloads and encryption keys may reside in RAM.
  • Running Processes: Capture a detailed process listing with command-line arguments. Look for suspicious cmd.exe or powershell.exe instances spawning vssadmin.exe (to delete shadow copies) or bcdedit.exe (to disable recovery).
  • Network Connections: Document all active and recent network connections. Qilin beacons to its C2 and may use tools for lateral movement.

Persistent Artifacts:

  • File System: Preserve samples of encrypted files and the ransom note (typically README.txt or RECOVER-FILES.txt). Collect any suspicious executables, scripts, or DLLs, especially in user Temp directories (%TEMP%, %APPDATA%) or root drives.
  • Registry: Export registry hives. Qilin may create persistence via Run keys or modify services. Check HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\System\CurrentControlSet\Services.
  • Logs: Collect and secure:
    • Windows Event Logs (Security, System, Application, PowerShell Operational).
    • Antivirus/EDR logs.
    • Firewall, proxy, DNS, and SIEM logs for the entire investigation period.
  • Qilin-Specific Indicators: The malware often drops a configuration file containing the victim ID and campaign details. Search for recently created .txt or .ini files in program data or appdata folders.

Containment Procedures

Contain the outbreak to prevent further encryption without destroying evidence.

  1. Network Segmentation:
    • Isolate compromised network segments (e.g., VLANs) by reconfiguring switches or firewalls. If full segmentation isn’t possible, block all SMB (445), RDP (3389), and WinRM (5985) traffic between the affected segment and the rest of the network.
    • Disable Wi-Fi networks if the infection is widespread to contain lateral movement.
  2. Credential Reset:
    • Immediately reset passwords for all domain administrator and local administrator accounts. Qilin often harvests credentials using tools like Mimikatz.
    • Reset passwords for any service accounts observed running suspicious processes.
    • Consider resetting Kerberos tickets (Kerberoasting) by rebooting Key Distribution Center (KDC) services.
  3. C2 and Malware Communication Blocking:
    • At the firewall or network gateway, block traffic to known Qilin C2 IPs and domains identified in your logs or threat intelligence feeds.
    • Implement temporary blocks on outbound connections to common cloud storage APIs and file-sharing sites if exfiltration is suspected, balancing business needs.
  4. Disable Maintenance Tasks: Temporarily disable automated backup tasks or system maintenance jobs that could overwrite evidence or interfere with recovery.

Eradication and Recovery

Eradication must be thorough to prevent re-infection.

  1. Complete Removal: Follow the detailed, step-by-step instructions in the Qilin Removal Guide. This includes:
    • Terminating malicious processes.
    • Removing persistence mechanisms and scheduled tasks.
    • Deleting all malware-related files and registry entries.
  2. Restore from Backups:
    • Validate Backup Integrity: Before restoration, ensure your backups are clean and from a point-in-time before the infection. Scan them with updated antivirus signatures.
    • Rebuild Systems: For severely compromised systems, a full wipe and rebuild from trusted installation media is recommended over in-place restoration.
    • Restore Data: Restore encrypted files from clean backups. Do not pay the ransom.
  3. Verify Clean State:
    • Before reconnecting to the network, perform a full anti-malware scan with an updated EDR solution.
    • Validate system file integrity (e.g., using sfc /scannow on Windows).
    • Monitor the system closely for several days for any signs of residual malicious activity.

Lessons Learned Checklist

After containment and recovery, conduct a formal lessons-learned session to improve defenses.

  • Initial Access: How did Qilin gain entry? Was it a phishing email, an unpatched vulnerability (e.g., in a VPN appliance), or compromised credentials? Review email filtering logs and vulnerability scan reports from the period before the incident.
  • Control Failures: Which security controls failed or were absent?
    • Was multi-factor authentication (MFA) enabled on all external access points (VPN, RDP, OWA)?
    • Were endpoint detection and response (EDR) alerts investigated promptly?
    • Were least-privilege principles enforced? Did the compromised account have excessive network access?
  • Detection Gaps: How long was the threat actor in the network before encryption? Review SIEM and EDR logs for missed IoCs related to Qilin’s behavior: mass file reads, vssadmin deletion, suspicious PowerShell execution.
  • Improvement Plan: Based on gaps, define actionable improvements:
    • Technical: Implement application allowlisting, enhance network segmentation, enforce MFA universally, deploy a robust backup strategy with offline/immutable backups.
    • Process: Update and test the incident response plan. Conduct phishing simulations and user training. Establish clearer thresholds for investigating security alerts.
    • Monitoring: Add specific detections for Qilin TTPs to your SIEM or EDR. Review the Qilin Detection Guide for detailed hunting queries and monitoring recommendations.

For more information on this threat, see the Qilin Overview.

Related

← Qilin Overview Removal Guide How to Detect Protection Guide IOCs Samples All Families