National Cyber Warfare Foundation (NCWF)

Qilin


2025-08-28 17:22:47
joshuaculbertson8
The Qilin ransomware-as-a-service (RaaS) is an Eastern European (mainly Russian) operation that first emerged in mid-2022 under the name Agenda and rebranded to Qilin by September of that year. It quickly distinguished itself by offering affiliates a robust, customizable platform with malware variants written in both Golang and Rust, enabling attacks across Windows, Linux, and VMware ESXi environments. Like other RaaS schemes, Qilin provides the tools while affiliates execute the intrusions and keep the majority of ransom payments, typically 80 percent for smaller ransoms and up to 85 percent for multimillion-dollar payouts. The Qilin team collects the remainder as its profit.
What makes Qilin particularly dangerous is the sophistication of its affiliate dashboard and the breadth of tools it provides. Affiliates can fine-tune how encryption is applied, exclude certain files or machines to avoid detection, and even use percentage-based encryption to speed up operations. Beyond the malware itself, the platform integrates automated ransom negotiations, distributed denial-of-service (DDoS) add-ons, spam distribution, and even intimidation functions such as a “call lawyer” feature designed to pressure victims. Their playbook follows a double-extortion model: data is exfiltrated before being encrypted, and victims face the dual threat of permanent data loss and public leaks if payments are not made.

Example Ransomware Note: (This is the actual note from the NV ransomware)










Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.