
Qilin Ransomware

Emerging in July 2022, Qilin ransomware, also known as Agenda, has established itself as a formidable threat actor in the cybercrime landscape. This ruthless malware operates using a double extortion model, crippling victims by encrypting their data and threatening to leak it on the dark web if ransom demands aren't met. While the exact origins of Qilin remain unclear, security researchers believe it may be linked to a cybercriminal group operating under a ransomware-as-a-service (RaaS) model. This group offers its ransomware tools and expertise to affiliates who launch attacks against various targets.

Tactics, Techniques, and Procedures (TTPs):

Qilin isn't a one-trick pony. It possesses a diverse arsenal of tactics, techniques, and procedures (TTPs) to infiltrate and compromise systems. Here's a glimpse into its malicious toolkit:

  • Phishing Attacks: Deceptive emails designed to trick users into clicking malicious links or downloading infected attachments are a common entry point. These emails may appear to be from trusted sources such as delivery companies, financial institutions, or even colleagues.
     
  • Exploiting Unpatched Vulnerabilities: Qilin actively seeks out unpatched vulnerabilities in software and operating systems to gain unauthorised access to networks. This underscores the importance of keeping all software and systems updated with the latest security patches.
     
  • Remote Desktop Protocol (RDP) Exploitation: Like other ransomware strains, Qilin can exploit weaknesses in RDP configurations to gain access to a system. RDP allows remote access to a computer, and misconfigured settings can create a vulnerability for attackers.
     
  • Brute-Force Attacks: In some instances, Qilin may attempt to gain access through brute-force attacks, where it systematically tries different combinations of usernames and passwords until it cracks the login credentials. This highlights the importance of using strong passwords and enabling multi-factor authentication (MFA) where possible.
     
  • Living-off-the-Land Techniques: Like many malware strains, Qilin can utilise legitimate system administration tools for malicious purposes. This makes detection more challenging as these tools may appear as normal system activity.
     
  • Data Exfiltration: Before encryption, Qilin often exfiltrates sensitive data like financial records, personal information, and intellectual property. This stolen data serves as additional leverage in extortion attempts, putting pressure on victims to pay the ransom.
     
  • Strong Encryption: The malware utilises robust encryption algorithms to render files inaccessible. Decrypting them without the attacker's key is extremely difficult, if not impossible. This effectively cripples a victim's operations until a decision is made.
     

A Global Reach with Focused Targets:

Qilin ransomware demonstrates a lack of geographical bias, targeting victims worldwide. Here are some examples of its reach and the damage it has caused:

  • Critical Infrastructure: Security researchers have observed that Qilin targets critical infrastructure sectors like power grids and transportation systems. A successful attack on such infrastructure could have devastating consequences.
     
  • Healthcare Organisations: Hospitals and other healthcare providers have also fallen victim to Qilin attacks. The disruption caused by encrypted medical records and operational systems can severely impact patient care.
     
  • Educational Institutions: Schools and universities haven't been spared either. Data breaches involving student information or disruption of educational services can have serious consequences.
     

Leak Site: Qilin ransomware maintains a leak site on the dark web where its operators threaten to publish stolen data if the ransom is not paid.

Ransom Note: The Qilin ransomware uses a variety of ransom notes, and the note differs from victim to victim. One of these ransom notes is shown below:

[Image: screenshot of a Qilin ransom note]

The emergence of Qilin ransomware underscores the ever-evolving threat landscape of cybercrime. Its use of readily available tools, combined with its focus on double extortion tactics, highlights the need for organisations to prioritise robust cybersecurity measures. Here are some crucial steps organisations can take to mitigate the risk of Qilin ransomware and similar threats:

  • Regular Backups: Maintain secure, offline backups of critical data to facilitate recovery in case of a ransomware attack.
     
  • Patch Management: Implement a rigorous patch management system to ensure all software and operating systems are updated with the latest security patches.
     
  • Multi-Factor Authentication (MFA): Enable MFA for all user accounts wherever possible. MFA adds an extra layer of security by requiring a second verification factor beyond just a username and password.
     
  • Security Awareness Training: Educate employees on identifying phishing attempts and other social engineering tactics used by attackers. Regular training can significantly reduce the risk of human error leading to breaches.
     
  • Endpoint Security Solutions: Deploy endpoint security solutions that can detect and prevent malware infections at the device level. These solutions can act as a first line of defence against Qilin and other malware threats.


Kill Chain:

Tactic               | Technique ID | Technique Name
---------------------+--------------+---------------------------------------
Initial Access       | T1078        | Valid Accounts
                     | T1566        | Phishing
                     | T1190        | Exploit Public-Facing Application
Execution            | T1059        | Command and Scripting Interpreter
                     | T1053        | Scheduled Task/Job
Persistence          | T1136        | Boot or Logon Initialization Scripts
Privilege Escalation | T1068        | Exploitation of Vulnerabilities
                     | T1548        | Abuse Elevation Control Mechanism
Defence Evasion      | T1562        | Impair Defences
                     | T1027        | Obfuscated Files or Information
                     | T1070        | Indicator Removal
Credential Access    | T1555        | Credentials from Password Stores
                     | T1003        | OS Credential Dumping
Discovery            | T1049        | System Network Connections Discovery
                     | T1083        | File and Directory Discovery
Lateral Movement     | T1072        | Software Deployment Tools
                     | T1570        | Lateral Tool Transfer
Collection           | T1119        | Automated Collection
Exfiltration         | T1567        | Exfiltration Over Web Service
Command-and-Control  | T1219        | Remote Access Software
                     | T1090        | Proxy
Impact               | T1486        | Data Encrypted for Impact
                     | T1485        | Data Destruction
                     | T1490        | Inhibit System Recovery
                     | T1561.001    | Data Wipe

Indicators of Compromise (IOCs)

Indicators                                                                 | Indicator Type | Description
---------------------------------------------------------------------------+----------------+------------
http://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion/     | URL (Onion)    | Leak Site
http://24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion      | URL (Onion)    | Leak Site
http://wlh3dpptx2gt7nsxcor37a3kiyaiy6qwhdv7o6nl6iuniu5ycze5ydid.onion/blog | URL (Onion)    | Leak Site
http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion/     | URL (Onion)    | Leak Site
https://wikileaksv2.com                                                    | URL            | Leak Site
e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527           | SHA-256 hash   |
55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1           | SHA-256 hash   |
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6           | SHA-256 hash   |
555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4           | SHA-256 hash   |
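As an added example (not part of the original bulletin), the following Python script sweeps a file tree and a set of proxy log lines against the indicators in the table above: file hashes are compared against the listed SHA-256 values, and log lines are checked for the leak-site hostnames. The sample log lines and the `intranet.example.com` host are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path
from urllib.parse import urlsplit

# Indicators copied from the IOC table on this page.
LEAK_SITE_URLS = [
    "http://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion/",
    "http://24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion",
    "http://wlh3dpptx2gt7nsxcor37a3kiyaiy6qwhdv7o6nl6iuniu5ycze5ydid.onion/blog",
    "http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion/",
    "https://wikileaksv2.com",
]
FILE_HASHES = {
    "e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527",
    "55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1",
    "37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6",
    "555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4",
}
# Match on hostname only, so a different path or scheme still triggers a hit.
LEAK_HOSTS = {urlsplit(u).hostname.lower() for u in LEAK_SITE_URLS}
HOST_RE = re.compile(r"(?i)\b([a-z0-9.-]+\.(?:onion|com))\b")

def sha256_of_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep_files(root: Path) -> list[tuple[Path, str]]:
    """(path, sha256) for each file under root whose hash appears in FILE_HASHES."""
    return [(p, d) for p in root.rglob("*")
            if p.is_file() and (d := sha256_of_file(p)) in FILE_HASHES]

def sweep_proxy_log(lines) -> list[tuple[int, str]]:
    """(line_number, host) for each log line that names a known leak-site host."""
    return [(n, host.lower()) for n, line in enumerate(lines, 1)
            for host in HOST_RE.findall(line) if host.lower() in LEAK_HOSTS]

# Constructed sample proxy log lines (not real traffic); hostnames are assumptions.
SAMPLE_LOG = [
    '10.0.0.12 - - "GET http://intranet.example.com/ HTTP/1.1" 200',
    '10.0.0.12 - - "CONNECT wlh3dpptx2gt7nsxcor37a3kiyaiy6qwhdv7o6nl6iuniu5ycze5ydid.onion:443" 200',
    '10.0.0.31 - - "GET https://wikileaksv2.com/ HTTP/1.1" 302',
]
if __name__ == "__main__":
    for n, host in sweep_proxy_log(SAMPLE_LOG):
        print(f"leak-site contact on log line {n}: {host}")
```

Point `sweep_files` at a download or staging directory to check files against the hash list; a hit on either function is a trigger for incident response, not proof of infection on its own.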