executive summary

Qilin ransomware operates as an advanced affiliate program within the Ransomware-as-a-Service (RaaS) model. The ransomware currently uses a rust-based malware known for its evasive and customizable nature. By targeting victims with tailored attacks, Qilin maximizes disruption through methods like altering file extensions and terminating specific processes.

The ransomware also uses a double extortion strategy, threatening to release stolen data even after the demanded ransom is paid. Promoted on the dark web, Qilin's data leak site has data from numerous victims, including the UK-based publisher and social enterprise, the Big Issue Group. Let’s look at Qilin’s tactics and techniques, as well as recommendations on how organizations can remain safe from the group.

tir snapshot

  • Qilin (also known as Agenda) operates as a Ransomware-as-a-Service (RaaS) affiliate program, deploying a rust-based ransomware to attack its targets.
  • Qilin's attacks are highly customized for each victim, using methods such as changing file extensions and terminating specific processes to maximize damage.
  • Initially, Qilin ransomware was targeting organizations at random. However, their focus has shifted to critical infrastructure (healthcare) and operational technology (OT) companies.
  • Qilin's operators use a double extortion strategy, where they not only encrypt a victim's data but also exfiltrate sensitive information. They demand a ransom for the decryption key and threaten to release the stolen data if the ransom is not paid.
  • Qilin ransomware provides customization features such as altering file extensions and terminating specific processes and services.
  • Qilin ransomware has evolved into a dangerous cyber threat, targeting critical infrastructure and operational technology companies.
  • Qilin's use of rust-based ransomware, which is difficult to detect, along with their double extortion tactics, makes them a risk to a range of industries globally.
  • To remain safe from Qilin ransomware, organizations must adopt a multi-faceted approach to cybersecurity.

 

 

qilin ransomware

As previously stated, Qilin operates as a Ransomware-as-a-Service (RaaS) affiliate program, deploying rust-based ransomware to attack its targets. The ransomware was initially discovered in 2022 after the group targeted a leading Australian based information technology service organization. Qilin’s attacks are highly customized for each victim, using methods such as changing file extensions and terminating specific processes to maximize damage.

Initially, Qilin was targeting organizations at random. However, their focus has shifted to critical infrastructure and operational technology (OT) companies. In 2023, they attacked 21 companies, including five in the OT sector. Notably, in June 2023, they targeted Clarity Water Technologies, LLC, a Dubai-based OT company specializing in industrial and commercial water treatment. Additionally, they attacked six other companies and leaked some of their data.

Qilin's victims are spread across various countries, including Argentina, Australia, Brazil, Canada, Colombia, France, Germany, Japan, New Zealand, Serbia, Thailand, the Netherlands, UAE, the UK, and the U.S.

 

TTPS

Qilin uses phishing emails with malicious links to infiltrate victims' networks and extract sensitive data. Once inside, Qilin moves laterally through the victim's infrastructure to find sensitive data for encryption.

During the encryption phase, Qilin places ransom notes in each compromised directory, detailing instructions for obtaining the decryption key. Next, the ransomware attempts to disrupt recovery efforts by rebooting systems and halting server-specific processes. The operators use a double extortion strategy, where they not only encrypt a victim’s data but also exfiltrate sensitive information. They demand a ransom for the decryption key and threaten to release the stolen data if the ransom is not paid. The ransomware offers various encryption modes, all of which are controlled by the attackers.

Qilin ransomware, also known as Agenda, provides customization features such as altering file extensions and terminating specific processes and services. It offers various encryption modes, including skip-step, percent, and fast, giving the operators flexibility in their attacks.

According to Cyberint, the rust-based ransomware is effective due to its ability to evade detection and its complexity, which allows for easy customization across different operating systems, including Windows and Linux. The Qilin ransomware group is also capable of producing versions for both Windows and ESXi environments. Currently, Qilin’s origins and the identity of their affiliates is unknown.

 

 

attacks

 

Image 1: Qilin Attacks by Country

Qilin Attacks by Country

Source: TSectrio

 

Qilin operates a dark web page where they post detailed information about their victims. This includes the victim's name, date of attack, description, related images, and sensitive data. If the ransom is not paid, they also release the victim's data on this site. They have listed information about 22 victims on their Onion site so far, and some of this data has been publicly leaked.

As of May 2023, the data leak site featured information from 12 companies located in various countries that you see in the chart above: Australia, Brazil, Canada (2 victims), Colombia, France, the Netherlands, Serbia, the United Kingdom, Japan, and the United States (2 victims).

On November 28, 2023, Qilin took credit for a cyberattack on Yanfeng Automotive Interiors, a leading global automotive parts supplier. As of February 2024, the U.S has suffered from various Qilin attacks, including Upper Marion Township, Etairos Health, Kevin Leeds, CPA, and Commonwealth Sign. In March 2024 Qilin was responsible for other attacks, such as:

  • International Electro Mechanical Services in the U.S.
  • Felda Global Ventures Holdings Berhad in Malaysia
  • Bright Wires in Saudi Arabia
  • PT Sarana Multi Infrastruktur (Persero) in Indonesia
  • Casa Santiveri in Spain

In May 2024, Dr. Charles A. Evans and the Charles Evans Center (CEC) Health Care were targeted in a cyber attack orchestrated by Qilin. This ransomware attack resulted in 2.7 GB of sensitive data being stolen, including financial records, confidential documents, and passports. Despite no ransom demand, Qilin chose to publicly release the healthcare organization’s stolen data.

Dr. Evans is affiliated with the CEC Health Care, an organization that provides medical, dental, and behavioral health care services to medically underserved individuals in Nassau and Suffolk County, New York.

 

 

defense

Qilin ransomware has evolved into a dangerous cyber threat, targeting critical infrastructure and operational technology companies. Their recent attack on Dr. Charles A. Evans and the Charles Evans Center (CEC) Health Care is a good example of the group’s recklessness.

Hospitals and healthcare organizations nationwide fall victim to ransomware attacks daily. Outdated software, exposed endpoints, and inadequate employee security training make these organizations particularly vulnerable to cyberattacks. Unfortunately, threat actors are well aware of the healthcare sector's vulnerabilities and are exploiting every opportunity to launch attacks.

Qilin’s use of rust-based ransomware, which is difficult to detect, along with their double extortion tactics, makes them a risk to a range of industries globally. Recent attacks on high-profile targets highlights the sophistication of Qilin’s tools, tactics, and techniques. Also, their ability to infiltrate networks through phishing emails, move laterally to find critical data, and customize their ransomware demonstrates their advanced capabilities.

To remain safe from Qilin ransomware, organizations must adopt a multi-faceted approach to cybersecurity. Here are a few recommendations on how you keep your organization from becoming the next victim of Qilin.

  • Require multifactor authentication to protect employees’ accounts from being used by attackers to obtain account credentials. This will help stop attackers from using the credentials to escalate privileges and move laterally within the network.

  • Perform daily backups and keep them offline to avoid losing data.

  • Disrupt network movements/investigation by creating separated segments of network, clear access hierarchy, and additional security for active directory, domain admin, and local domains.

  • Relying on outdated tools and point solutions will compromise your network or system. Better technology exists to detect complex attacks like Qilin ransomware.

  • Use anti-ransomware technology as a prevention method. Deploy prevention that works like next-generation antivirus and explicit anti-ransomware technology.

  • Reduce the target by including these technical practices: close vulnerabilities, augment security hygiene, create and enforce strong general policies, and sustain backup and recovery practices.

  • Prevent lateral movement by implementing network hierarchy protocols with network segregation and decentralization.

  • Educate your employees on the dangers of spearphishing and how they could be putting your organization at risk.

 

 

how avertium is protecting our customers

It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from Qilin ransomware:

  • Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
  • Avertium uses KnowBe4 as a professional service for user awareness training. The service also includes Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks.

 

 

MITRE MAP

Qilin Ransomware MITRE Map

 

INDICATORS OF COMPROMISE (IOCs)

SHA256

  • 73b1fffd35d3a72775e0ac4c836e70efefa0930551a2f813843bdfb32df4579a
  • afe7b70b5d92a38fb222ec93c51b907b823a64daf56ef106523bc7acc1442e38
  • dd50d1f39c851a3c1fce8abdf4ed84d7dca2b7bc19c1bc3c483c7fc3b8e9ab79
  • e4cbee73bb41a3c7efc9b86a58495c5703f08d4b36df849c5bebc046d4681b70

 

 

 

Supporting Documentation

Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script - LevelBlue - Open Threat Exchange (alienvault.com)

Qilin Group Ransomware Attack on Dr. Charles A. Evans (halcyon.ai)

Qilin AKA Agenda | A Must watch ransomware group in 2023 (sectrio.com)

Qilin Ransomware Operation Outfits Affiliates With Sleek, Turnkey Cyberattacks (darkreading.com)

Gain new-found insights into Qilin Ransomware, their Data Leak Site (DLS) and operations targeting critical industries | Group-IB Blog

Qilin Ransomware 2024: Tactics & Threats | Pragma

Qilin ransomware gang claims cyber attack on the Big Issue | Computer Weekly

Qilin Ransomware: Get the 2024 Lowdown (cyberint.com)

Agenda (Qilin) - SentinelOne

Ransomware hits The Big Issue. Qilin group leaks confidential data (bitdefender.com)

 

 

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

 

Looking for your next read? 
Check out the eBook, "The Decline in Ransomware in 2023 + The Threats Ahead"

 
Chat With One of Our Experts




Threat Report Ransomware-as-a-Service ransomware Ransomware gang Ransomware Groups Qilin Ransomware Blog