Latest Qilin.B Ransomware Features Better Evasion and Stronger Encryption
A new Rust-based variant of Qilin ransomware, dubbed 'Qilin.B,' has been detected by researchers at anti-ransomware leader Halcyon, featuring stronger encryption and improved evasion techniques.
This strain employs AES-256-CTR encryption with AES-NI support for faster performance on modern CPUs, falling back to ChaCha20 on older systems. It also uses RSA-4096 to protect the file-encryption keys, making decryption nearly impossible without the attacker's private key.
Qilin.B disables key services like Veeam, SQL databases, and antivirus tools, wipes volume shadow copies to hinder recovery, and clears Windows Event Logs to prevent forensic analysis, Bleeping Computer reports.
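The three behaviours in the paragraph above (stopping backup, database and antivirus services, wiping shadow copies, and clearing event logs) each leave a distinct Windows event behind, and seeing two or more of them on one host in a short window is a much stronger signal than any one alone. The following is an added detection example written for this post, not code from Halcyon or from the Qilin.B sample. It runs over constructed Windows event records (the host names, timestamps and service list are illustrative), maps each record to a tactic using well-known event IDs (System 7036 service state change, Security 4688 process creation, Security 1102 and System 104 log cleared) and raises an alert for a host where at least two distinct tactics occur within fifteen minutes.

```python
"""Correlate Windows event records for the service-stop, shadow-copy-deletion
and log-clearing sequence described in the post.

Added example: the event records, host names and watched service keywords
below are constructed for illustration, not taken from a real incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Service names whose unexpected stop is worth flagging. Illustrative set,
# covering the categories the post names: backup, SQL and antivirus.
WATCHED_SERVICE_KEYWORDS = ("veeam", "sql", "defender", "antivirus", "backup")

# Keyword combinations in a process command line that indicate shadow-copy
# removal (each inner tuple must match in full).
SHADOW_COPY_KEYWORDS = (("vssadmin", "delete", "shadows"),
                        ("wmic", "shadowcopy", "delete"))

CORRELATION_WINDOW = timedelta(minutes=15)


def classify(event):
    """Map one event record to a tactic label, or None if it is unrelated."""
    eid = event["EventID"]
    channel = event["Channel"]
    msg = event.get("Message", "").lower()
    if channel == "System" and eid == 7036 and "stopped state" in msg:
        if any(k in msg for k in WATCHED_SERVICE_KEYWORDS):
            return "service_stopped"
    if channel == "Security" and eid == 4688:
        cmd = event.get("CommandLine", "").lower()
        if any(all(k in cmd for k in combo) for combo in SHADOW_COPY_KEYWORDS):
            return "shadow_copies_deleted"
    if (channel == "Security" and eid == 1102) or (channel == "System" and eid == 104):
        return "log_cleared"
    return None


def correlate(events, window=CORRELATION_WINDOW):
    """Group classified events per host and alert when at least two distinct
    tactics fall inside `window`. Returns {host: sorted list of tactics}."""
    per_host = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["Computer"]].append((ev["Time"], label))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {lbl for t, lbl in hits[i:] if t - t0 <= window}
            if len(in_window) >= 2:
                alerts[host] = sorted(in_window)
                break
    return alerts


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample records: FS01 shows the full sequence, WS22 shows benign
# noise (a print spooler restart and an unrelated log clear hours later).
SAMPLE_EVENTS = [
    {"Time": _t("2024-10-01T02:00:05"), "Computer": "FS01", "Channel": "System", "EventID": 7036,
     "Message": "The Veeam Backup Service service entered the stopped state."},
    {"Time": _t("2024-10-01T02:00:07"), "Computer": "FS01", "Channel": "System", "EventID": 7036,
     "Message": "The SQL Server (MSSQLSERVER) service entered the stopped state."},
    {"Time": _t("2024-10-01T02:01:10"), "Computer": "FS01", "Channel": "Security", "EventID": 4688,
     "CommandLine": "vssadmin.exe delete shadows"},
    {"Time": _t("2024-10-01T02:09:30"), "Computer": "FS01", "Channel": "Security", "EventID": 1102,
     "Message": "The audit log was cleared."},
    {"Time": _t("2024-10-01T02:00:00"), "Computer": "WS22", "Channel": "System", "EventID": 7036,
     "Message": "The Print Spooler service entered the stopped state."},
    {"Time": _t("2024-10-01T09:00:00"), "Computer": "WS22", "Channel": "System", "EventID": 104,
     "Message": "The Application log file was cleared."},
]

if __name__ == "__main__":
    for host, tactics in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(tactics)}")
```

Requiring two distinct tactics in one window is what keeps the rule quiet on WS22: a single service restart or an administrator clearing a log on its own does not fire, while the FS01 sequence produces one alert listing all three tactics. In a real deployment the records would come from a SIEM or from forwarded event logs, and the watched service list should be tuned to the backup, database and security products actually in use.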
The ransomware targets local and network directories, creating ransom notes for each affected directory. It modifies the Windows Registry to enable sharing of network drives, maximizing its reach.
While not revolutionary, these features make Qilin.B highly effective, particularly in attacks against large organizations, including past attacks on major hospitals, Court Services Victoria, and Yanfeng.
Takeaway: According to the Halcyon Ransomware Malicious Quartile report, the ransomware group Qilin originally operated under the name Agenda before transitioning into a Ransomware-as-a-Service (RaaS) model in July 2022. Written in both Golang and Rust, Qilin is designed to target Windows and Linux systems.
Rust, recognized for its security and cross-platform capabilities, enhances performance for concurrent processing, which helps Qilin evade detection and develop variants that attack multiple operating systems.
The operators behind Qilin are also known to exploit vulnerabilities in exposed services such as Remote Desktop Protocol (RDP) to gain unauthorized access to victim networks.
The Qilin RaaS provides affiliates with several encryption techniques, including ChaCha20, AES-256, and RSA-4096, allowing them to configure attacks based on specific needs.
Notably, Qilin's ransomware targets both Windows and Linux environments, with a particular focus on Linux systems running on VMware ESXi hypervisors.
The Linux variant is compiled using the GCC 11 compiler and employs OpenSSL for public key encryption, ensuring strong encryption of sensitive data during attacks. This technological combination makes Qilin highly effective at infiltrating virtualized Linux infrastructures.
Qilin affiliates have also been observed using credential harvesting techniques, specifically targeting Chrome browser credentials by deploying PowerShell scripts. This tactic typically follows the initial compromise of a network, which is often achieved through phishing campaigns or the use of previously compromised credentials from earlier breaches or dark web marketplaces.
Qilin follows a double extortion model, in which affiliates not only encrypt victims' data but also threaten to expose or sell it on the group's leak site if ransom demands are not met. Their affiliate program is highly incentivized, offering an 80% cut of ransom payments below $3 million and up to 85% for ransoms exceeding $3 million.
The frequency of Qilin attacks surged significantly in the first half of 2024, with the group claiming more than 150 victims by the third quarter. One of their most notable attacks targeted the UK healthcare provider Synnovis, leading to severe disruptions in patient care across the National Health Service (NHS).
Qilin is regarded as a "big game hunter," focusing on high-value targets with the ability to pay substantial ransoms. Their operations often target sectors like healthcare and education.
Ransom demands typically range from $50,000 to $800,000, with affiliates receiving between 80-85% of the total ransom. For larger payments exceeding $3 million, affiliates benefit from an increased share.
Notable victims include Synnovis, NHS Hospitals, Big Issue Group, Ditronics Financial Services, Daiwa House, ASIC S.A., Thonburi Energy Storage, SIIX Corporation, WT Partnership Asia, FSM Solicitors, Etairos Health, Commonwealth Sign, Casa Santiveri.
Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.