Qilin Ransomware

Executive Summary

• First Identified: July 2022
• Threat Type:
  • Ransomware
• Extortion Method:
  • Double extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of victim’s sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.
• Most Frequently Targeted Industries:
  • Industrials
  • Professional & Commercial Services
  • Consumer Cyclicals
• Most Frequently Targeted Victim HQ Locations:
  • North America
  • Europe
• Select MITRE ATT&CK Mappings
  • Initial Access
    • Valid accounts, replication through removable media, social engineering (MITRE ATT&CK: T1078, T1091, T1566)
  • Persistence
    • Scheduled tasks, boot or logon autostart execution (MITRE ATT&CK: T1053, T1547)
  • Lateral Movement
    • Replication through removable media (MITRE ATT&CK: T1091)

Description of Qilin Ransomware

Qilin (AKA Agenda) ransomware was first observed in July 2022 and operates using the double extortion method, where victims’ data is stolen and leaked via a data leak site if the ransom demand is not paid. Qilin maintains variants that are written in both Golang and Rust programming languages. The ransomware operation can target both Windows and Linux variants. Qilin operates as a ransomware-as-a-service (RaaS) and affiliates earn 80% of a payment of ransom demands of less than $3 million and 85% of ransom payments over $3 million.

Qilin affiliates have been observed gaining initial access via social engineering attacks – phishing emails with malicious attachments – and valid credentials that have been leaked and/or purchased.

A purported recruiter for the Qilin operation posted on a Russian-language cybercriminal forum advertising the RaaS, offering positions to qualified affiliates, and stating that affiliates are not allowed to target CIS countries. This rule is commonly observed in ransomware operations.

The Qilin affiliates have multiple options in the Qilin panel, indicating the ransomware is customizable for each victim. Affiliates can create and edit blog posts that contain information about attacked companies that have not paid a ransom, create accounts for members of their team by entering their nickname and credentials, and access support for the ransomware. Operators can customize the directories that will be skipped, files that will be skipped, processes that will be killed, mode of encrypting, and list of VMs that will not be killed/shut down.

The Linux variant is compiled with GCC 11 in the ELF64 format and is 1.32MB in size. This variant, similar to the Windows variant, provides a number of options for the affiliates to ensure that the right files are encrypted.

Qilin ransomware offers multiple encryption methods, which are also configurable by the affiliate through the panel. One option uses AES-256 encryption to encrypt the files on the victim’s system and uses RSA-2048 to encrypt the generated key. Files are appended with a new random extension. The Linux version uses OpenSSL, and the public key is hardcoded at the address 0x004EB3A8. The statically linked OpenSSL library is used to facilitate the loading of the public key.

In August 2024, security researchers with Sophos reported that the Qilin ransomware group targeted a victim via compromised credentials and the dwell time in the victim environment was 18 days. The operators edited the domain policy to introduce a logon-based Group Policy Object (GPO) containing two items: A PowerShell script, IPScanner.ps1, and a batch script, logon.bat.

The combination of the two scripts resulted in harvesting of credentials saved in Chrome browsers on machines connected to the network. This activity indicates that Qilin is likely changing tactics to include credential harvesting rather than exfiltrating large amounts of victim-specific data.