Qilin Ransomware: Get the 2024 Lowdown
Qilin operates as an affiliate program for Ransomware-as-a-Service, employing a Rust-based ransomware to target victims. Qilin ransomware attacks are often tailored for each victim to maximize their impact, utilizing tactics like altering filename extensions of encrypted files and terminating specific processes and services.
Rust-based samples are attractive to ransomware operators because they are harder to detect and to reverse-engineer, and the language makes it straightforward to build variants for Windows, Linux, and other operating systems. Importantly, the Qilin ransomware group can generate samples for both Windows and ESXi targets.
Qilin advertises its ransomware on the dark web and runs a proprietary DLS (dedicated leak site) that lists unique company IDs and leaked account details, as noted by Group-IB Threat Intelligence experts.
Operators of Qilin employ a double extortion technique, involving the exfiltration of a victim’s sensitive data in addition to encrypting it. They demand payment for a decryptor and threaten to release stolen data even after the ransom is paid. Qilin ransomware offers various encryption modes, all controlled by the operator.
Victimology
Qilin ransomware activities extend to posting victim data on the group’s DLS. In May 2023, Qilin’s DLS contained data from 12 companies across various countries, including Australia, Brazil, Canada (2 victims), Colombia, France, Netherlands, Serbia, United Kingdom, Japan, and the United States (2 victims).
On November 28, 2023, the Qilin ransomware group claimed responsibility for a cyber attack on Yanfeng Automotive Interiors, one of the world’s largest automotive parts suppliers. The threat actors target companies in all sectors, with many attacks featuring customization in process termination and file extension changes to maximize impact.
Recent attacks in the US include Upper Marion Township, Etairos Health, Kevin Leeds, CPA and Commonwealth Sign in February 2024. In March 2024 so far, International Electro Mechanical Services in the US, Felda Global Ventures Holdings Berhad in Malaysia, Bright Wires in Saudi Arabia, PT Sarana Multi Infrastruktur (Persero) in Indonesia and Casa Santiveri in Spain have been hit.
Qilin Malware, Toolset & TTPs
Qilin targets victims through phishing emails containing malicious links to gain a foothold in the victim’s network and exfiltrate sensitive data. After gaining initial access, Qilin typically moves laterally across the victim’s infrastructure, searching for essential data to encrypt.
During the encryption process, the actors place a ransom note in each infected directory, providing instructions on how to purchase the decryption key. They may attempt to reboot systems in normal mode and stop server-specific processes to make it harder for the victim to recover their data. If the ransomware operator successfully encrypts a victim’s files, a double extortion technique is employed to increase potential revenue.
The Agenda (Qilin) ransomware offers customization options, including changing filename extensions and terminating specific processes and services. It supports several encryption modes, selected through the encryption setting in the sample's configuration: skip-step, percent, and fast.
Origins and Affiliates
No specific indications of origin or affiliates are currently available.
About Cyberint
Cyberint, the Impactful Intelligence company, reduces risk by helping organizations detect and mitigate external cyber threats before they have an adverse impact. The Cyberint Argos platform’s patented technology provides superior visibility through continuous discovery of the evolving attack surface, combined with the automated collection and analysis of vast quantities of intelligence from across the open, deep and dark web. A team of global military-grade cybersecurity experts works alongside customers to rapidly detect, investigate, and disrupt relevant threats – before they have the chance to develop into major incidents.
Global customers, including Fortune 500 leaders across all major market verticals, rely on Cyberint to protect themselves from an array of external risks, including vulnerabilities, misconfigurations, phishing, impersonation attacks, malware infections, exposed credentials, data leaks, fraud, and third-party risks.
Qilin IOCs
Type | Value | Last Observation Date |
---|---|---|
SHA256 | e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527 | Mar 05, 2024 |
SHA256 | 55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1 | Mar 05, 2024 |
SHA256 | 37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6 | Mar 05, 2024 |
SHA256 | 555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4 | Mar 05, 2024 |
SHA256 | fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039 | Mar 05, 2024 |
SHA256 | 76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e | Mar 05, 2024 |
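The following is an added example, not code from the original page or from Cyberint: a small host-side sweep that hashes every file under a directory and reports any whose SHA256 matches the six Qilin indicators in the table above. Because the page notes that Qilin drops a ransom note in each directory it encrypts, the sweep also flags directories holding a note-like file. The note filename pattern (`README*.txt`) is an assumption for illustration only; the real Qilin note name is not given on the page. The sample directory tree the demo builds is constructed, and its planted file is inert data, not malware.

```python
"""
Added example (not part of the original Cyberint page): hash-based IOC
sweep plus a ransom-note-per-directory heuristic for Qilin triage.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Iterable

# SHA256 indicators copied from the page's IOC table (last observed Mar 05, 2024).
QILIN_SHA256 = frozenset({
    "e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527",
    "55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1",
    "37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6",
    "555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4",
    "fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039",
    "76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e",
})

# ASSUMPTION for illustration only: a README*.txt note name. Replace with the
# note name from your own incident or vendor report; the page does not give it.
RANSOM_NOTE_PATTERN = re.compile(r"^README.*\.txt$", re.IGNORECASE)


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path, iocs: Iterable[str] = QILIN_SHA256) -> dict:
    """Walk root; return files whose hash is in iocs and dirs holding a note-like file."""
    ioc_set = {h.lower() for h in iocs}
    hash_hits = []
    note_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if any(RANSOM_NOTE_PATTERN.match(name) for name in filenames):
            note_dirs.append(dirpath)
        for name in filenames:
            path = Path(dirpath) / name
            try:
                file_hash = sha256_file(path)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            if file_hash in ioc_set:
                hash_hits.append({"path": str(path), "sha256": file_hash})
    return {"hash_hits": hash_hits, "note_dirs": sorted(note_dirs)}


def build_demo_tree(base: Path) -> str:
    """Create a constructed sample tree and return the SHA256 of the planted file."""
    docs = base / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "README-RECOVER.txt").write_text("constructed note, not a real one")
    planted = docs / "suspicious.bin"
    planted.write_bytes(b"constructed inert sample, not real malware")
    (base / "clean.txt").write_text("nothing of interest here")
    return sha256_file(planted)


def run_demo() -> dict:
    """Build the constructed tree and scan it twice: page IOCs only, then page
    IOCs plus the planted file's hash (to show what a hit looks like)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        planted_hash = build_demo_tree(base)
        return {
            "planted_hash": planted_hash,
            "page_iocs_only": scan_tree(base),
            "with_planted": scan_tree(base, QILIN_SHA256 | {planted_hash}),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

A hash match against these six values is a high-confidence signal, but the absence of a match proves little, since the page itself notes that Qilin builds are tailored per victim; the note-per-directory heuristic is the cheaper tell to look for across many hosts, and the directories it returns are where to start the forensic timeline.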