Security researchers have unveiled more information about the Qilin ransomware group, which recently targeted the healthcare sector with a $50 million ransom demand.
The attack on Synnovis, a pathology services provider, significantly impacted several key NHS hospitals in London earlier this month.
First identified in July 2022, Qilin has gained notoriety for offering Ransomware-as-a-Service (RaaS) on underground forums since February 2023.
Qilin evolved from the Agenda ransomware, which was written in Go, and has since transitioned to Rust, reflecting a shift towards more robust and efficient malware construction.
Qilin has been remarkably active over the last two years, compromising over 150 organizations across 25 countries and affecting various industries. Previous research has provided insights into the group’s administrative operations and network of collaborators, shedding light on their sophisticated techniques.
Qilin Tactics Explained
Today, Group-IB researchers have published a blog post describing Qilin’s tactics, starting with methods to gain initial access.
The group primarily exploits well-known vulnerabilities in Fortinet devices and the Veeam Backup & Replication software. They also engage in brute force attempts on VPN devices. For execution, Qilin typically places a malicious file in a specific directory. The file requires a password to run, and that password is hashed and checked against the ransomware's configuration data.
Privilege escalation is achieved through embedded tools like Mimikatz, allowing the ransomware to steal user tokens and launch processes with elevated privileges. Qilin also excels in defense evasion, systematically deleting system logs and using PowerShell commands to erase traces of its activities. It can disable or modify security tools based on substrings and regular expressions specified in its configuration.
Qilin exploits vulnerabilities to extract credentials and spreads laterally across networks using tools like PsExec and VMware vCenter. The impact is severe: the ransomware inhibits system recovery by deleting backups and shadow copies, and it encrypts data using robust algorithms such as AES-256 CTR and ChaCha20. The operation concludes with a system reboot, further hindering recovery efforts.
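For defenders, several of the behaviours listed above (log clearing, shadow copy deletion, PsExec use) leave traces in process-creation telemetry. The following sketch is an added example, not code from Group-IB or from this article's sources: it flags hosts where two or more of those behaviours occur within a short window. The command-line patterns are generic, widely documented indicators chosen as assumptions, and the log records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Generic, widely documented command-line indicators for the behaviours the
# article lists; they are assumptions, not strings from the Group-IB report.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|Get-WmiObject\s+Win32_ShadowCopy.*Delete\(", re.I),
    "event_log_clearing": re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog|Remove-EventLog", re.I),
    "psexec_remote_exec": re.compile(r"\bpsexec(64)?(\.exe)?\b|\bPSEXESVC\b", re.I),
}

def classify(cmdline):
    """Return the sorted rule names whose pattern matches one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def triage(events, window=timedelta(minutes=30), min_behaviours=2):
    """Flag hosts showing >= min_behaviours distinct behaviours inside `window`."""
    hits = defaultdict(list)  # host -> [(timestamp, behaviour)]
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        for name in classify(ev["cmdline"]):
            hits[ev["host"]].append((ts, name))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            in_window = {n for t, n in seen[i:] if t - start <= window}
            if len(in_window) >= min_behaviours:
                alerts[host] = sorted(in_window)
                break
    return alerts

# Constructed sample process-creation records (not real telemetry).
SAMPLE = [
    {"host": "fs01", "time": "2024-06-10T02:14:05", "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs01", "time": "2024-06-10T02:15:40", "cmdline": 'powershell -c "Get-WinEvent -ListLog * | % { wevtutil cl $_.LogName }"'},
    {"host": "ws17", "time": "2024-06-10T09:00:00", "cmdline": "vssadmin list shadows"},
    {"host": "adm02", "time": "2024-06-10T10:00:00", "cmdline": r"psexec.exe \\fs02 -s cmd /c ipconfig"},
]

if __name__ == "__main__":
    for host, behaviours in triage(SAMPLE).items():
        print(host, behaviours)
```

A single PsExec invocation on an administrator's workstation does not alert on its own; the correlation across behaviours is what separates routine administration from the pre-encryption sequence the article describes.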
According to the Group-IB analysis, the Qilin ransomware represents a significant threat in the cybersecurity landscape, continually adapting through RaaS partnerships.
“The techniques employed by different operators can vary significantly, making it a continually evolving challenge for security defenses,” the company explained.
Continuous monitoring and in-depth analysis, among other security practices, are essential to stay ahead of this threat actor.