New information has emerged regarding the Qilin ransomware group’s operations and Ransomware-as-a-Service (RaaS) program.
In its latest research study, Group-IB's threat intelligence team said it infiltrated and analyzed Qilin’s inner workings, revealing insights into the group’s targeting of critical sectors and the sophisticated techniques it employs.
Qilin, also known as Agenda ransomware, has emerged as a significant threat since its discovery in August 2022, according to the study.
Using ransomware written in the Rust and Go programming languages, Qilin has been actively targeting companies in critical sectors with highly customized and evasive attacks, explained Nikolay Kichatov, threat intelligence analyst at Group-IB.
“The Rust variant is especially effective for ransomware attacks as, apart from its evasion-prone and hard-to-decipher qualities, it also makes it easier to customize malware to Windows, Linux, and other OS,” Kichatov explained. “It is important to note that the Qilin ransomware group has the ability to generate samples for both Windows and ESXi versions.”
These attacks have not only encrypted victims’ data but also involved the exfiltration of sensitive information, enabling the threat actors to apply a double extortion technique: demanding payment both for decryption and for not leaking the stolen data.
By accessing Qilin’s admin panel, Group-IB’s researchers said they gained unprecedented insights into the affiliate structure and payment mechanisms within the Qilin RaaS program. The affiliate panel, divided into sections such as Targets, Blogs, Stuffers, News, Payments and FAQs, provides a comprehensive understanding of the network’s coordination and management.
Furthermore, Group-IB’s analysis of Qilin’s dark web presence has revealed that between July 2022 and May 2023, the group posted information about 12 victims on their dedicated leak site. These victims span various countries, including Australia, Brazil, Canada, Colombia, France, Netherlands, Serbia, the United Kingdom, Japan and the United States.
The research also provided valuable recommendations to prevent and defend against Qilin ransomware attacks. These include implementing multi-factor authentication (MFA), maintaining robust data backup strategies, leveraging advanced malware detection solutions, prioritizing security patching, conducting employee training and actively monitoring vulnerabilities.
Qilin was mentioned recently in a SentinelOne advisory as one of the threat groups increasingly targeting Linux systems.