ctipilot.ch

Qilin / Agenda — Rust-based ransomware-as-a-service; Q3 2025 German operational tempo tripled (GTIG); 23 Q1 2026 healthcare claims

actor · actor:Qilin

  • Coverage timeline: 1 (first 2026-05-10 → last 2026-05-10)
  • Briefs: 1 (1 distinct)
  • Sources cited: 9 (7 hosts)
  • Sections touched: 1 (weekly_long_running)
  • Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
    Section: weekly_long_running. First covered as a named operator key (the Die Linke incident was already logged separately). GTIG Europe 2025 documented a tripling of Qilin's Q3 2025 German tempo; 13 additional German victims by early 2026; 23 Q1 2026 healthcare claims (per Comparitech). German activity continues into 2026-Q2 via the Die Linke encryption with 1.5 TB exfiltrated.

Where this entity is cited

  • weekly_long_running: 1

Source distribution

  • cloud.google.com: 2 (22%)
  • attack.mitre.org: 2 (22%)
  • comparitech.com: 1 (11%)
  • cybermaxx.com: 1 (11%)
  • heise.de: 1 (11%)
  • dexpose.io: 1 (11%)
  • therecord.media: 1 (11%)

Related entities

Items in briefs about Qilin / Agenda — Rust-based ransomware-as-a-service; Q3 2025 German operational tempo tripled (GTIG); 23 Q1 2026 healthcare claims (3)

Qilin / Agenda RaaS — Die Linke confirms Q2 2026 German activity continuity

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: GTIG's Europe data-leak landscape (§ 6) documented Qilin tripling its Q3 2025 operational tempo in Germany; Die Linke (German federal political party) confirmed Qilin encryption with 1.5 TB exfiltrated (covered 2026-05-08) and notified the state DPA, so Qilin's German activity continues into 2026-Q2. No public-claim shift or victim-list expansion beyond Die Linke this week. Outstanding question: whether Qilin's targeting of political and civil-society organisations expands into other 2026 EU election cycles.

Akira playbook quarterly context — Q1 2026 healthcare concentration; Qilin remains the dominant operator on German healthcare victims

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

W1 horizon research added Q1 2026 healthcare quarterly context to the Groupe 3R item in § 1. Across Q1 2026, Akira posted 84 victims in March alone (second-most-active month on record) and claimed 5 healthcare victims; Qilin led healthcare at 23 claims (with RENAFAN GmbH and Suchthilfe direkt Essen gGmbH as Qilin's confirmed German victims), and The Gentlemen followed at 10 healthcare claims (Comparitech Q1 2026 Healthcare, 2026-04-29 · CyberMaxx Q1 2026). Akira's documented attack chain against healthcare: initial access via unpatched VPN appliances (Cisco ASA, SonicWall, Fortinet) or compromised RDP credentials; lateral movement via T1021.001 Remote Services: Remote Desktop Protocol and T1047 Windows Management Instrumentation; LSASS credential harvesting via comsvcs.dll / Mimikatz; AV termination via PowerTool weaponising the Zemana AntiMalware driver (BYOVD); data exfiltration; double extortion. The cross-finding for Swiss / DACH security operators reading this after the Groupe 3R item: at least two ransomware-as-a-service operators (Akira and Qilin) are hitting European healthcare in Q1–Q2 2026 through the edge-device / unpatched-VPN attack surface, so which operator hits a given hospital matters less defensively than the shared initial-access funnel both exploit.

Qilin ransomware hits Die Linke (Germany): 1.5 TB claimed, DPA notified (~April 2026, first coverage)

From CTI Daily Brief — 2026-05-08 · published 2026-05-11

The German federal party Die Linke confirmed in April 2026 that the Qilin ransomware group (also known as Agenda, a Rust-based RaaS platform known for double extortion) encrypted its systems and exfiltrated data, with the gang claiming 1.5 TB of internal data. The party's data protection officer notified the responsible Landesdatenschutzbehörde (state DPA). Die Linke issued a victim statement acknowledging operational disruption; no ransom figure has been publicly disclosed. Qilin has targeted political parties and civil-society organisations across Western Europe since 2023. This breach is approximately four weeks old but had not previously been covered in this brief series.