
Qilin’s 2025 Playbook, and the Security Gap it Exposes by Lucie Cardiet

ID: 616748a3-5ff0-514f-9aba-bb2a7123bf1a

STIX ID: report--616748a3-5ff0-514f-9aba-bb2a7123bf1a

Feed Name: Vectra AI Blog

Threat Score
78/100

Date Published: 2025-10-15

Date Updated: 2026-05-01

...
...

**Qilin ransomware-as-a-service** has matured into a high-tempo RaaS operation in 2025, scaling attacks against public agencies, education, healthcare, manufacturing, and large enterprises. The report details Qilin’s operational chain: spearphishing and credential abuse (including RMM exploitation, MFA bombing, and SIM swapping) for initial access; foothold and privilege escalation via remote tooling and scheduled tasks; lateral movement and AD/GPO abuse to deploy payloads; staged data exfiltration (rclone, SMB, cloud APIs) for double extortion; and modern, high-performance encryption with anti-forensics (AES-256-CTR, OAEP, AES-NI, ChaCha20, VSS deletion) to prevent recovery. It then recommends unified, behavior-driven, AI-enabled detection across identity, network, and cloud to detect precursors and disrupt campaigns before encryption.
