Incident response · Qilin ransomware
Files renamed to something random? That is how Qilin announces itself.
Qilin (also tracked as Agenda) has been the most active ransomware operation in the world through 2026, and Australian organisations are firmly on its victim list. Unlike most strains it does not use a fixed file extension: every victim gets a unique random one. Its encryption is built for speed, and speed means corners cut, which is where recovery starts.
Recognise it
How to confirm it is Qilin.
Before anything else, keep the encrypted files and every ransom note exactly where they are. They identify the strain, and they are often the raw material a recovery works from.
- File extension
- A random, victim-specific string appended to every encrypted file (for example .MmXReVIxLV); there is no fixed Qilin extension
- Ransom note
- Usually README-RECOVER-<your extension>.txt, dropped across affected folders
- First seen
- 2022 as Agenda, rebranded Qilin; the most active operation globally through 2026
- Australian footprint
- Victims across Australian sectors, including the December 2023 attack on Victoria's court system
Behaviour
What Qilin does to your systems.
Configurable intermittent encryption
Affiliates choose encryption modes: skip-step, percent, and fast. All three deliberately encrypt only part of each large file to finish before detection.
Per-victim builds
Each attack uses a custom binary with its own extension and note, built for the specific victim. The random extension is a Qilin signature in itself.
Backups and shadow copies targeted
Volume shadow copies are deleted and reachable backups are encrypted or wiped before the finale.
Double extortion
Data theft before encryption, publication threats after. The claims in the note should be assessed, not accepted.
Windows, Linux and ESXi
Rust and Go variants cover Windows, Linux and VMware ESXi, so virtual environments are common targets.
Ransomware-as-a-service scale
Hundreds of victims per quarter through 2026. The affiliates vary in skill; the encryption behaviour is consistent.
The honest answer
Can Qilin-encrypted files be recovered?
Frequently, in meaningful part. Every one of Qilin's encryption modes exists to trade completeness for speed: skip-step encrypts alternating chunks, percent encrypts a set fraction, fast touches even less. On large structured files (databases, virtual disks, archives) each of those modes leaves most of the actual data intact on disk. The recovery job is locating those intact regions and rebuilding them into something usable, without the attacker's key.
The honest limits: small files are typically fully encrypted, there is no public decryptor for Qilin, and how much survives depends on which mode the affiliate chose. The encrypted files themselves tell us that, which is why keeping them matters more than anything else you do today.
Send us the strain details and a few sample files and we will tell you within hours what the chosen mode left behind and what looks rebuildable. No rebuilds, no cleanup tools, no payment decisions before that picture exists.
Common questions
Qilin, in plain terms.
Mid-incident and need a straight answer? Call 1300 004 766. A person answers, 24 hours a day.
My files have a random extension I can't find anywhere online. Why?
That is characteristic of Qilin. It generates a unique extension per victim, usually mirrored in the ransom note name (README-RECOVER-<extension>.txt), so searching the extension itself finds nothing. Identify the strain from the note contents and file structure instead, and keep both exactly as they are.
Is there a free Qilin decryptor?
No. There is no public decryptor for Qilin, and its hybrid encryption is not realistically breakable. The workable paths are clean backups, surviving snapshots, and partial-encryption recovery of the data its speed-focused modes never touched.
Can Qilin-encrypted files be recovered without paying?
Often in meaningful part, especially large structured files. Qilin's skip-step, percent and fast modes all deliberately leave regions of large files unencrypted, and those regions can be located, carved and rebuilt. It is an effort with honest limits rather than a promise, and the mode the affiliate chose decides how much survives.
Qilin claims they stole our data. Is that real?
Treat it as unverified until assessed. Qilin does exfiltrate data in most attacks, but the volume and sensitivity claimed in notes and on leak sites are frequently inflated. What was actually taken can usually be established from the evidence on your systems, and that answer drives your notification obligations, so preserve the machines rather than wiping them.
What should we do right now?
Isolate affected machines but keep them on, keep every encrypted file and note, take surviving backups offline, and write a simple timeline. Do not rebuild or run cleanup tools over the evidence. Then call 1300 004 766, any hour, and we will help you work the options in order, with payment last.
Right now
The first hours decide what can be saved.
Isolate the machines, keep the encrypted files, take backups offline, and call before anything gets rebuilt. Australian incident response, answered by a real person.