In March 2023, Group-IB’s Threat Intelligence team accessed the Qilin ransomware (Agenda ransomware) group and discovered that it is a Ransomware-as-a-Service affiliate program using Rust-based ransomware to target victims.
Qilin ransomware employs personalized attack strategies, including modifying file extensions and terminating targeted processes, to optimize the impact of their attacks on individual victims.
The Rust variant of Qilin ransomware is particularly powerful due to its evasive nature, strong encryption capabilities, and flexibility to customize malware for various operating systems, including:-
- Windows
- Linux
- ESXi
Observations from Group-IB Threat Intelligence experts reveal that Qilin ransomware is promoted on the dark web, featuring a proprietary DLS with distinct company IDs and leaked account information.
Qilin Ransomware Operator
Qilin ransomware operators employ a double extortion method, encrypting and exfiltrating sensitive data, demanding payment for decryption, and promising non-disclosure of stolen information while retaining control over different encryption modes.
Qilin ransomware employs phishing emails with malicious links to initiate network infiltration, exfiltrate sensitive data, and subsequently explore the victim’s infrastructure for critical information to encrypt.
The threat actors implant a ransom note within every compromised system directory during the encryption procedure. The ransom note implanted by the threat actors contains the complete guide for purchasing the decryption key for the victims.
Qilin ransomware may further complicate data recovery by attempting to reboot systems in normal mode, stop server-specific processes, and, if encryption is successful, use a double extortion technique to demand payment and prevent the release of stolen data.
Group-IB researchers found that Qilin ransomware not only targets victims but also posts their data on the group’s DLS, with data from 12 companies across multiple countries identified in May 2023:-
- Australia
- Brazil
- Canada
- Colombia
- France
- Netherlands
- Serbia
- United Kingdom
- Japan
- The United States
Qilin’s Admin Panel
Group-IB discovered that Qilin ransomware operates as a Ransomware-as-a-Service (RaaS) and offers its affiliates an administrative panel to manage attacks, with further analysis of the program’s inner workings and admin panel made possible after Group-IB’s infiltration in March 2023.
In total there are six sections under which the affiliates’ panel of the Qilin ransomware group is divided, and here they are mentioned below:-
Section 1: Targets
While this section in Qilin’s administrative panel provides details on targeted companies and ransom amounts and enables affiliates to generate customized samples of Qilin ransomware with different configurations.
Here below, we have mentioned all the details that could be configured:-
- name of the company
- ransom amount
- waiting period for a ransom payment
- the timezone of the company
- information about the company’s revenue from the Zoominfo website
- announcement
- description of the attacked company
- content of the ransom note
- the directories that will be skipped
- the files that will be skipped
- the extensions that will be skipped
- the processes that will be killed
- the services that will be stopped
- login credentials of accounts
- safe mode excluded hosts
- mode of encrypting
- extensions that will be encrypted
- list of virtual machines (VMs) that will not be killed/shut down
Section 2: Blogs
Within this designated section, associates can generate and modify blog posts featuring details regarding targeted organizations that have failed to fulfill the demanded ransom.
Section 3: Stuffers
Qilin’s “Stuffers” section allows attackers to perform the following tasks:-
- Create accounts for their team members
- Control their level of access
- Enable them to witness all attacks
- Build ransomware samples
- View victim chats
Section 4: News
As of April 2023, no updates or published posts were found in the News section of Qilin ransomware, where operators typically share information regarding their ransomware partnership.
Section 5: Payments
Qilin ransomware affiliates can withdraw ransom money from the Payments block, which includes details about the balance of their wallets, transactions, and fees to the ransomware group.
Section 6: FAQs
It is also possible for affiliates to access support and documentation in the FAQ section, as it provides detailed information about a variety of things, such as:-
- The type of infections
- How to use the malware
- Additional information about the targets
Recommendations
- Increase the level of security by adding more layers.
- Make sure that you have a “backup” plan in place.
- Make sure to use a reputable business email protection service.
- Implement a solution that is capable of detonating advanced malware.
- Make sure to patch your connected devices with the latest available patch.
- It is important to train your employees.
- Identify and control vulnerabilities in the system.
- Whenever you receive a ransom note, do not pay it.
