Qilin ransomware operates as an affiliate program within the Ransomware-as-a-Service (RaaS) model. The group currently deploys a Rust-based payload known for its evasiveness and customizability. Qilin tailors each attack to its victim, maximizing disruption through methods such as altering file extensions and terminating specific processes.
The group also practices double extortion: in addition to encrypting files, it threatens to publish stolen data if the ransom is not paid. Promoted on the dark web, Qilin's data leak site lists data from numerous victims, including the UK-based publisher and social enterprise the Big Issue Group. Let's look at Qilin's tactics and techniques, as well as recommendations on how organizations can remain safe from the group.
Qilin operates as a Ransomware-as-a-Service (RaaS) affiliate program and deploys Rust-based ransomware against its targets. The ransomware was first observed in 2022, after the group targeted a leading Australia-based information technology services organization. Qilin's attacks are customized for each victim, using methods such as changing file extensions and terminating specific processes to maximize damage.
Initially, Qilin targeted organizations at random, but its focus has shifted to critical infrastructure and operational technology (OT) companies. In 2023 the group attacked 21 companies, including five in the OT sector. Notably, in June 2023 it targeted Clarity Water Technologies, LLC, a Dubai-based OT company specializing in industrial and commercial water treatment. It also attacked six other companies and leaked some of their data.
Qilin's victims are spread across various countries, including Argentina, Australia, Brazil, Canada, Colombia, France, Germany, Japan, New Zealand, Serbia, Thailand, the Netherlands, UAE, the UK, and the U.S.
Qilin gains initial access through phishing emails carrying malicious links. Once inside, the operators move laterally through the victim's infrastructure to locate sensitive data for exfiltration and encryption.
During the encryption phase, Qilin drops a ransom note into each compromised directory with instructions for obtaining the decryption key. The ransomware then hampers recovery by rebooting systems and halting server-specific processes. The operators practice double extortion: they encrypt the victim's data and also exfiltrate sensitive information, then demand a ransom for the decryption key and threaten to publish the stolen data if it is not paid. The ransomware offers several encryption modes, all selected by the attackers.
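The two on-disk effects described above, a note dropped into every directory and files renamed to a new extension, are behaviours an endpoint telemetry pipeline can key on. What follows is an added example (not Qilin's code and not an Avertium tool) of that detection logic run over a constructed file-system event log. The event format, the note filename README_RECOVER.txt, the extension .locked and the thresholds are assumptions chosen for illustration, not Qilin indicators.

```python
"""Behavioural detection for two of the on-disk effects described above: a
ransom note dropped into every directory and files renamed to a new extension.
Added example, not Qilin code or Avertium tooling; event format, note name,
extension and thresholds are illustrative assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import os


@dataclass(frozen=True)
class FsEvent:
    ts: float     # seconds since start of capture
    pid: int      # process that performed the action
    action: str   # "create" (new file) or "rename" (path is the new name)
    path: str


def _distinct_within_window(items, window, threshold):
    """items: (ts, key) pairs sorted by ts. True if some span of `window`
    seconds contains at least `threshold` distinct keys."""
    seen = Counter()
    lo = 0
    for ts, key in items:
        seen[key] += 1
        while ts - items[lo][0] > window:       # drop events older than the window
            old = items[lo][1]
            seen[old] -= 1
            if not seen[old]:
                del seen[old]
            lo += 1
        if len(seen) >= threshold:
            return True
    return False


def detect_note_spray(events, min_dirs=5, window=60.0):
    """{pid: basename} for processes that created a file with one basename in
    at least `min_dirs` distinct directories within `window` seconds."""
    groups = defaultdict(list)                     # (pid, basename) -> [(ts, dir)]
    for e in events:
        if e.action == "create":
            groups[(e.pid, os.path.basename(e.path))].append(
                (e.ts, os.path.dirname(e.path)))
    return {pid: name for (pid, name), items in groups.items()
            if _distinct_within_window(sorted(items), window, min_dirs)}


def detect_mass_rename(events, min_files=10, window=60.0):
    """{pid: ext} for processes that renamed at least `min_files` distinct files
    to the same new extension within `window` seconds."""
    groups = defaultdict(list)                     # (pid, ext) -> [(ts, path)]
    for e in events:
        ext = os.path.splitext(e.path)[1]
        if e.action == "rename" and ext:
            groups[(e.pid, ext)].append((e.ts, e.path))
    return {pid: ext for (pid, ext), items in groups.items()
            if _distinct_within_window(sorted(items), window, min_files)}


def build_sample_events():
    """Constructed telemetry: one hypothetical ransomware process (pid 4242),
    a slow benign indexer (pid 300) and an ordinary user rename (pid 100)."""
    dirs = ["C:/Users/alice/Documents", "C:/Users/alice/Desktop", "C:/Shares/Finance",
            "C:/Shares/HR", "C:/Shares/Legal", "C:/Shares/Ops"]
    ev = [FsEvent(10.0 + i, 4242, "create", f"{d}/README_RECOVER.txt")
          for i, d in enumerate(dirs)]
    ev += [FsEvent(10.5 + i, 4242, "rename", f"C:/Shares/Finance/q{i}.xlsx.locked")
           for i in range(12)]
    # Same basename in every directory, but spread over ten minutes: not flagged.
    ev += [FsEvent(100.0 + 120 * i, 300, "create", f"{d}/.index")
           for i, d in enumerate(dirs)]
    ev += [FsEvent(50.0, 100, "rename", "C:/Users/alice/Documents/draft.bak"),
           FsEvent(55.0, 100, "rename", "C:/Users/alice/Documents/notes.bak")]
    return ev


def analyze(events):
    """Combine both detectors; a pid appearing in both is a strong signal."""
    notes, renames = detect_note_spray(events), detect_mass_rename(events)
    return {"note_spray": notes, "mass_rename": renames,
            "both": sorted(set(notes) & set(renames))}


if __name__ == "__main__":
    print(analyze(build_sample_events()))
```

The time window is what keeps the indexer and the user's two renames from tripping the rules; the same basename appearing in many directories is only suspicious when it happens in seconds. In production the events would come from Sysmon (event IDs 11 and 2) or an EDR file-activity feed, and the thresholds would be tuned per fleet.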
Qilin ransomware, also known as Agenda, provides customization features such as altering file extensions and terminating specific processes and services. It offers several encryption modes, including skip-step, percent, and fast, which let operators trade encryption speed against how much of each file is actually modified.
According to Cyberint, the Rust-based ransomware is effective because it evades detection and because the codebase is easily customized for different operating systems, including Windows and Linux. The group can also produce builds for both Windows and VMware ESXi environments. Qilin's origins and the identities of its affiliates are currently unknown.
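To show why the choice of encryption mode matters to defenders, here is an added example (not Agenda/Qilin code) that models how much of a file each mode touches and what that does to a naive whole-file entropy check. The semantics given to skip-step, percent and fast, and the parameter values, are assumptions for illustration; the "encrypted" bytes are random stand-ins for ciphertext and no cipher is run.

```python
"""Model of the intermittent-encryption modes named above and their effect on a
whole-file entropy check. Added example, not Qilin/Agenda code. The exact
semantics of "skip-step", "percent" and "fast" are assumptions; the encrypted
bytes are random stand-ins for ciphertext, no cipher is used."""
import math
import os
from collections import Counter


def encrypted_ranges(size, mode, **p):
    """Return [(start, end), ...] byte ranges a mode would encrypt in a file of
    `size` bytes. Assumed semantics:
      full:      everything
      fast:      only the first p["head"] bytes
      skip-step: encrypt p["step"] bytes, skip p["skip"] bytes, repeat
      percent:   the first p["pct"] % of every p["chunk"]-byte block
    """
    ranges = []
    if mode == "full":
        ranges.append((0, size))
    elif mode == "fast":
        ranges.append((0, min(p["head"], size)))
    elif mode == "skip-step":
        pos = 0
        while pos < size:
            ranges.append((pos, min(pos + p["step"], size)))
            pos += p["step"] + p["skip"]
    elif mode == "percent":
        per_chunk = p["chunk"] * p["pct"] // 100
        pos = 0
        while pos < size:
            ranges.append((pos, min(pos + per_chunk, size)))
            pos += p["chunk"]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return ranges


def coverage(size, ranges):
    """Fraction of the file's bytes touched by `ranges`."""
    return sum(e - s for s, e in ranges) / size


def simulate(plaintext, ranges):
    """Overwrite the selected ranges with random bytes (stand-in for ciphertext)."""
    buf = bytearray(plaintext)
    for s, e in ranges:
        buf[s:e] = os.urandom(e - s)
    return bytes(buf)


def shannon_entropy(data):
    """Bits per byte; 8.0 is the maximum a byte stream can reach."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


SIZE = 64 * 1024
# Constructed low-entropy "document" (about 3.8 bits/byte) standing in for a victim file.
PLAINTEXT = (b"The quick brown fox " * (SIZE // 20 + 1))[:SIZE]

MODES = {                                  # illustrative parameter values
    "full": {},
    "fast": {"head": 4096},
    "skip-step": {"step": 4096, "skip": 8192},
    "percent": {"pct": 10, "chunk": 4096},
}


def compare_modes(plaintext=PLAINTEXT, modes=MODES):
    """Return {mode: (coverage, entropy_after)} for each mode."""
    out = {}
    for mode, params in modes.items():
        r = encrypted_ranges(len(plaintext), mode, **params)
        out[mode] = (coverage(len(plaintext), r),
                     shannon_entropy(simulate(plaintext, r)))
    return out


if __name__ == "__main__":
    for mode, (cov, ent) in compare_modes().items():
        print(f"{mode:10s} coverage={cov:6.1%} entropy={ent:.2f} bits/byte")
```

Running it shows the defensive point: with the assumed parameters the fast and percent modes touch well under a tenth of the file, so the whole-file entropy stays close to that of the original document and a detector that flags only high-entropy writes will miss the attack. Detection that looks at the first few kilobytes of each file, or at the write pattern rather than the content, holds up better against these modes.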
Image 1: Qilin Attacks by Country
Source: Sectrio
Qilin operates a dark web leak site where it posts detailed information about its victims: the victim's name, date of attack, a description, related images, and samples of stolen data. If the ransom is not paid, the victim's data is released on this site. The group has listed 22 victims on its Onion site so far, and some of that data has been publicly leaked.
As of May 2023, the data leak site featured information from 12 companies located in various countries that you see in the chart above: Australia, Brazil, Canada (2 victims), Colombia, France, the Netherlands, Serbia, the United Kingdom, Japan, and the United States (2 victims).
On November 28, 2023, Qilin claimed responsibility for a cyberattack on Yanfeng Automotive Interiors, a leading global automotive parts supplier. As of February 2024, U.S. victims of Qilin included Upper Marion Township, Etairos Health, Kevin Leeds, CPA, and Commonwealth Sign. In March 2024, Qilin was responsible for further attacks, such as:
In May 2024, Dr. Charles A. Evans and the Charles Evans Center (CEC) Health Care were hit by a Qilin ransomware attack in which 2.7 GB of sensitive data was stolen, including financial records, confidential documents, and passports. Despite the absence of a ransom demand, Qilin chose to publicly release the healthcare organization's stolen data.
Dr. Evans is affiliated with the CEC Health Care, an organization that provides medical, dental, and behavioral health care services to medically underserved individuals in Nassau and Suffolk County, New York.
Qilin has evolved into a dangerous threat that targets critical infrastructure and operational technology companies. Its attack on Dr. Charles A. Evans and the Charles Evans Center (CEC) Health Care is a good example of the group's recklessness.
Hospitals and healthcare organizations nationwide fall victim to ransomware attacks daily. Outdated software, exposed endpoints, and inadequate employee security training make these organizations particularly vulnerable, and threat actors are well aware of the sector's weaknesses and exploit every opportunity to attack.
Qilin's Rust-based ransomware, which is difficult to detect, combined with its double extortion tactics, makes the group a risk to a range of industries globally. Recent attacks on high-profile targets highlight the sophistication of its tools, tactics, and techniques. Its ability to infiltrate networks through phishing emails, move laterally to find critical data, and customize its ransomware for each victim demonstrates advanced capabilities.
To remain safe from Qilin ransomware, organizations must adopt a multi-faceted approach to cybersecurity. Here are a few recommendations on how to keep your organization from becoming the next victim of Qilin:
It's important to get ahead of the curve by protecting your organization proactively, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from Qilin ransomware:
SHA256
Qilin Group Ransomware Attack on Dr. Charles A. Evans (halcyon.ai)
Qilin AKA Agenda | A Must watch ransomware group in 2023 (sectrio.com)
Qilin Ransomware Operation Outfits Affiliates With Sleek, Turnkey Cyberattacks (darkreading.com)
Qilin Ransomware 2024: Tactics & Threats (Pragma)
Qilin ransomware gang claims cyber attack on the Big Issue (Computer Weekly)
Qilin Ransomware: Get the 2024 Lowdown (cyberint.com)
Ransomware hits The Big Issue. Qilin group leaks confidential data (bitdefender.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.