In short: Qilin is a ransomware-as-a-service operation that is systematically targeting Italian SMEs. Its affiliates get in through perimeter VPN appliances that are unpatched or lack MFA, neutralise the backups first, and then encrypt the VMware ESXi hypervisors. Five measures defend against it: patching perimeter appliances, MFA everywhere, network segmentation, EDR on every endpoint and server, and offline or immutable backups protected by separate credentials.
What Qilin is and why it targets Italian SMEs
CSIRT Italia, part of the ACN (Italian National Cybersecurity Agency), has issued a critical-impact bulletin after recording, since the start of 2026, a significant number of Qilin ransomware attacks aimed predominantly at Italian SMEs, including cloud service providers. These are not isolated episodes, but a systematic campaign across the country.
Qilin operates under the Ransomware-as-a-Service (RaaS) model: the group that develops the malware rents it to affiliates, who carry out the intrusions and share the ransom with it. It practises double extortion, first exfiltrating large amounts of data and only then encrypting systems, so that even a victim that restores cleanly from backup still faces the threat of publication. Its payloads, written in Rust, are built to hit VMware ESXi hypervisors, the heart of virtualisation in a great many SMEs. It is exactly the kind of threat the NIS2 Directive asks organisations to prevent and, in the event of an incident, to report within tight deadlines.
The kill chain in five steps
The CSIRT bulletin describes a recurring attack chain. Understanding it helps to see where to intervene:
1. Initial access: exploitation of known, unpatched critical vulnerabilities on perimeter appliances and VPN gateways (in particular Ivanti and Fortinet products), or brute-force attacks on VPN credentials where MFA is not enforced.
2. Use of legitimate tools: for command and control the attackers install widely deployed remote-management and remote-support software (Atera, Splashtop, ScreenConnect and similar), so that their traffic blends in with normal administration and evades signature-based controls.
3. Lateral movement and anti-forensics: once they have a foothold, the attackers move through the network, escalate privileges and systematically delete logs to hamper later investigation.
4. Neutralisation of backups: before encrypting, they exploit a known vulnerability in Veeam Backup & Replication to extract the credentials it stores, then delete the backups or render them unrestorable.
5. Encryption of the ESXi hypervisors: the payload selectively encrypts the VMware ESXi hosts, taking down every virtual machine they run in one stroke. At that point the ransom demand begins, backed by the threat of publishing the exfiltrated data.
The five countermeasures recommended by the CSIRT
The good news is that effective defences are known and within reach of an SME. They are the five measures recommended by CSIRT Italia itself:
1. Prompt patching of perimeter appliances: exposed firewalls, VPN gateways and other edge devices must be updated first, because they are the way in. A vendor advisory for an internet-facing appliance is an emergency change, not a routine one. (Related service: Firewall and network security.)
2. Mandatory MFA everywhere: multi-factor authentication must be enforced on every remote access path, including VPN accounts issued to third parties, so that a guessed or stolen password is never sufficient on its own. (Related service: Digital identity management.)
3. Network segmentation: separating user networks, servers and management environments limits lateral movement, so that a compromised endpoint does not immediately give reach to hypervisor management interfaces and backup servers.
4. EDR on all endpoints and servers: endpoint detection and response spots the abuse of legitimate remote-support tools and other anomalous activity before encryption starts. (Related service: EDR and XDR.)
5. Offline or immutable backups, with separate credentials: this is the decisive defence, copies the attacker cannot delete even after taking over the domain. The backup repository must use its own credentials rather than domain accounts, so that the credential theft in step 4 of the chain does not reach it, and restores must be tested regularly: a backup that cannot be restored is no backup. (Related service: Backup and Disaster Recovery and, for Microsoft 365 data, the dedicated Microsoft 365 backup.)
What to do if you suspect a compromise
If you spot suspicious signs (anomalous VPN logins, remote-support tools nobody installed, backup jobs failing for no apparent reason), do not power off the systems and do not delete anything: powering off destroys volatile evidence such as running processes and active sessions that investigators need. Isolate the affected segment at the network level, preserve the logs, including those of the perimeter appliances and the backup server, and immediately activate the incident response procedure. For entities within the NIS2 scope the obligation to notify the CSIRT also kicks in: an early warning within 24 hours of becoming aware of a significant incident and a full notification within 72 hours. (Related service: Incident Response & Recovery.)
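As an added illustration (this is not code from the CSIRT bulletin or from AtWorkStudio), the following Python sketch turns the first four steps of the kill chain above and the warning signs just listed into four detection rules, run over constructed sample events. The event schema, the process-name fragments for the remote-support tools, the allowlisted host, the thresholds and the sample records are all assumptions for the example; the Windows event IDs 1102 (Security log cleared) and 104 (System log cleared) are the real ones. The final correlation rule escalates any host that shows both an unexpected remote-support tool and log clearing, which is the hands-on-keyboard pattern of steps 2 and 3.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "rule severity subject detail")

# Name fragments of the remote-support tools named in the bulletin. The
# fragments and the allowlist are assumptions for this example; in production
# match against your own software inventory.
RMM_MARKERS = ("ateraagent", "splashtop", "screenconnect")
RMM_ALLOWED_HOSTS = {"HELPDESK-01"}          # assumed: helpdesk legitimately runs one
LOG_CLEAR_EVENT_IDS = {1102, 104}            # Security log cleared, System log cleared
BRUTE_FORCE_THRESHOLD = 5                    # assumed tuning values
BRUTE_FORCE_WINDOW = timedelta(minutes=10)


def ts(s):
    return datetime.fromisoformat(s)


def detect_vpn_bruteforce(events):
    """Step 1: a source IP with >= THRESHOLD failed VPN logins inside a sliding
    window, escalated when the same IP then succeeds without MFA."""
    alerts, failures, flagged = [], defaultdict(list), set()
    vpn = sorted((e for e in events if e["type"] == "vpn_auth"), key=lambda e: e["ts"])
    for e in vpn:
        ip = e["src_ip"]
        if e["result"] == "fail":
            recent = [t for t in failures[ip] if e["ts"] - t <= BRUTE_FORCE_WINDOW]
            recent.append(e["ts"])
            failures[ip] = recent
            if len(recent) >= BRUTE_FORCE_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(Alert("vpn_bruteforce", "medium", ip,
                                    f"{len(recent)} failures within {BRUTE_FORCE_WINDOW}"))
        elif e["result"] == "success" and ip in flagged and not e.get("mfa"):
            alerts.append(Alert("vpn_bruteforce_success_no_mfa", "high", ip,
                                f"user {e['user']} authenticated without MFA after brute force"))
    return alerts


def detect_rmm_tools(events):
    """Step 2: a remote-support agent starting on a host where it is not expected."""
    return [Alert("unauthorised_rmm", "high", e["host"], e["image"])
            for e in events
            if e["type"] == "process_start"
            and any(m in e["image"].lower() for m in RMM_MARKERS)
            and e["host"] not in RMM_ALLOWED_HOSTS]


def detect_log_clearing(events):
    """Step 3: Windows event logs being cleared (anti-forensics)."""
    return [Alert("log_cleared", "high", e["host"], f"event id {e['event_id']}")
            for e in events
            if e["type"] == "win_event" and e["event_id"] in LOG_CLEAR_EVENT_IDS]


def detect_backup_failures(events):
    """Step 4: backup jobs failing, the visible side of backups being neutralised."""
    return [Alert("backup_failed", "medium", e["job"], e.get("error", ""))
            for e in events
            if e["type"] == "backup_job" and e["result"] == "fail"]


def detect(events):
    """Run every rule, then add a critical correlation alert for each host that
    shows both an unauthorised RMM tool and log clearing."""
    alerts = (detect_vpn_bruteforce(events) + detect_rmm_tools(events)
              + detect_log_clearing(events) + detect_backup_failures(events))
    subjects = defaultdict(set)
    for a in alerts:
        subjects[a.rule].add(a.subject)
    for host in sorted(subjects["unauthorised_rmm"] & subjects["log_cleared"]):
        alerts.append(Alert("hands_on_keyboard_intrusion", "critical", host,
                            "remote-support tool plus log clearing on the same host"))
    return alerts


# Constructed sample events (not real logs): one night of the chain in miniature.
SAMPLE_EVENTS = [
    # six VPN failures from one address in six minutes, then a success without MFA
    *[{"type": "vpn_auth", "ts": ts(f"2026-05-20T02:1{i}:00"), "src_ip": "203.0.113.7",
       "user": "m.rossi", "result": "fail", "mfa": False} for i in range(6)],
    {"type": "vpn_auth", "ts": ts("2026-05-20T02:17:30"), "src_ip": "203.0.113.7",
     "user": "m.rossi", "result": "success", "mfa": False},
    # a normal admin login with MFA from another address: no alert
    {"type": "vpn_auth", "ts": ts("2026-05-20T08:00:00"), "src_ip": "198.51.100.4",
     "user": "admin", "result": "success", "mfa": True},
    # ScreenConnect appearing on a workstation that is not on the allowlist
    {"type": "process_start", "ts": ts("2026-05-20T02:25:00"), "host": "WS-017",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    # Splashtop on the helpdesk machine where it belongs: no alert
    {"type": "process_start", "ts": ts("2026-05-20T09:00:00"), "host": "HELPDESK-01",
     "image": r"C:\Program Files\Splashtop\Splashtop Remote\Server\SRServer.exe"},
    # Security log cleared on the same workstation
    {"type": "win_event", "ts": ts("2026-05-20T02:40:00"), "host": "WS-017", "event_id": 1102},
    # nightly backup job fails
    {"type": "backup_job", "ts": ts("2026-05-20T03:00:00"), "job": "ESXi-nightly",
     "result": "fail", "error": "repository unreachable"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.rule:32} {a.subject:14} {a.detail}")
```

On the sample data the rules produce six alerts: the brute-force burst, the subsequent non-MFA login from the same address, the unexpected ScreenConnect agent on WS-017, the cleared Security log on the same host, the failed backup job, and the critical correlation for WS-017. The helpdesk machine and the MFA-protected admin login raise nothing, which is the point of keeping an allowlist and an MFA flag in the data rather than alerting on every remote-support binary or every VPN login.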
How AtWorkStudio helps
The CSIRT’s five countermeasures coincide with the services we deliver every day: identity management and MFA, EDR/XDR, network security, immutable backup and an outsourced CSIRT contact point for managing NIS2 notifications. We start with a security posture assessment based on NIST CSF 2.0 and define the intervention priorities together.
We have been operating from Piacenza since 2000. We hold ISO/IEC 27001, 27017, 27018 and ISO 9001 certifications, with ACN qualification for SaaS cloud services. We are members of Clusit (Italian Association for Information Security) and affiliated with Confindustria Piacenza in the RICT cluster.
Sources
- ACN / CSIRT Italia — Bulletin BL01/260528/CSIRT-ITA “Qilin: systematic exploitation campaigns and spread of the ransomware across the country” (28 May 2026)
- Directive (EU) 2022/2555 (NIS2) and Italian Legislative Decree 138/2024 — incident notification obligations