Tech News
← Back to articles

Piecing Together the Puzzle: A Qilin Ransomware Investigation

2025-11-22 | original
read original related products more articles

Written by Lindsey O’Donnell-Welch, Ben Folland, Harlan Carvey of Huntress Labs.

A big part of a security analyst’s everyday role is figuring out what actually happened during an incident. We can do that by piecing together breadcrumbs–whether that’s through logs, antivirus detections, and other clues–that help us understand how the attacker achieved initial access and what they did after.

However, it’s not always cut and dry: sometimes there are external factors that limit our visibility. The Huntress agent might not be deployed across all endpoints, for example, or the targeted organization might install the Huntress agent after a compromise has already occurred.

In these cases, we need to get creative and look at multiple data sources in order to determine what actually happened.

Recently, we analyzed an incident where both of the above factors were true: on October 11, an organization installed the Huntress agent post-incident, and initially on one endpoint.

When it comes to visibility, this incident was less about looking through a keyhole, and more akin to looking through a pinhole. Even so, Huntress analysts were able to derive a great deal of information regarding the incident.

The Qilin incident: What we started with

The Huntress agent was installed on a single endpoint following a Qilin ransomware infection. What does that mean from the perspective of an analyst trying to figure out what happened?

We had limited clues to start: there was no endpoint detection and response (EDR) or SIEM telemetry available, and Huntress-specific ransomware canaries weren’t tripped. Because we were also on one endpoint, our visibility was limited to the activity that had occurred on that specific endpoint within the broader environment’s infrastructure.

As a result, all Huntress analysts had to start with to unravel this incident was the managed antivirus (MAV) alerts. Once the Huntress agent was added to the endpoint, the SOC was alerted to existing MAV detections, some of which are illustrated in Figure 1.

... continue reading

Related:
China reaches energy milestone by "breeding" uranium from thorium
Las Vegas First Responders Lean on AT&T's FirstNet to Stay Connected During the F1 Race
Iran's Capital Is Moving. The Reason Is an Ecological Catastrophe
Deja Vu: Salesforce Customers Hacked Again, Via Gainsight
We Induced Smells With Ultrasound

© 2025 GoKawiil