Qilin Ransomware Incident Analysis
Summary
Huntress Labs investigated a Qilin ransomware incident where the Huntress agent was installed post-incident on a single endpoint. Analysts pieced together the attack timeline using limited data sources, including managed antivirus alerts, Windows Event Logs, and Program Compatibility Assistant logs. The threat actor used a rogue ScreenConnect instance to deploy malicious files, including an infostealer, and attempted to disable Windows Defender before deploying ransomware.
Timeline
- 22.11.2025 15:45 · 1 article
Qilin Ransomware Incident Analysis
On October 8, 2025, the threat actor accessed the endpoint and installed a rogue ScreenConnect instance. On October 11, 2025, three files were transferred to the endpoint via ScreenConnect. The threat actor attempted to disable Windows Defender and execute malicious files, but both attempts failed. Windows Defender detected attempts to create ransom notes, indicating the ransomware was likely launched from another endpoint.
- Piecing Together the Puzzle: A Qilin Ransomware Investigation — www.bleepingcomputer.com — 22.11.2025 15:45
Information Snippets
- The Huntress agent was installed on a single endpoint post-incident on October 11, 2025.
  First reported: 22.11.2025 15:45 · 1 source, 1 article
  - Piecing Together the Puzzle: A Qilin Ransomware Investigation — www.bleepingcomputer.com — 22.11.2025 15:45
- The threat actor accessed the endpoint on October 8, 2025, and installed a rogue instance of ScreenConnect pointing to IP address 94.156.232[.]40.
  First reported: 22.11.2025 15:45 · 1 source, 1 article
  - Piecing Together the Puzzle: A Qilin Ransomware Investigation — www.bleepingcomputer.com — 22.11.2025 15:45
- Three files (r.ps1, s.exe, ss.exe) were transferred to the endpoint via the ScreenConnect instance on October 11, 2025.
  First reported: 22.11.2025 15:45 · 1 source, 1 article
  - Piecing Together the Puzzle: A Qilin Ransomware Investigation — www.bleepingcomputer.com — 22.11.2025 15:45
- The threat actor disabled Windows Defender and attempted to execute s.exe and ss.exe, both of which failed.
  First reported: 22.11.2025 15:45 · 1 source, 1 article
  - Piecing Together the Puzzle: A Qilin Ransomware Investigation — www.bleepingcomputer.com — 22.11.2025 15:45
- Windows Defender detected attempts to create ransom notes, indicating the ransomware executable was likely launched from another endpoint.
  First reported: 22.11.2025 15:45 · 1 source, 1 article
  - Piecing Together the Puzzle: A Qilin Ransomware Investigation — www.bleepingcomputer.com — 22.11.2025 15:45
- Qilin ransomware is a ransomware-as-a-service (RaaS) variant, with affiliates following different attack patterns.
  First reported: 22.11.2025 15:45 · 1 source, 1 article
  - Piecing Together the Puzzle: A Qilin Ransomware Investigation — www.bleepingcomputer.com — 22.11.2025 15:45