Thursday, March 28, 2024

Qilin’s RaaS Program Advertised on Dark Web Along with Compromised Company Details

In March 2023, Group-IB’s Threat Intelligence team accessed the Qilin ransomware (Agenda ransomware) group and discovered that it is a Ransomware-as-a-Service affiliate program using Rust-based ransomware to target victims.

Qilin ransomware employs personalized attack strategies, including modifying file extensions and terminating targeted processes, to optimize the impact of their attacks on individual victims.

The Rust variant of Qilin ransomware is particularly powerful due to its evasive nature, strong encryption capabilities, and flexibility to customize malware for various operating systems, including:-

  • Windows
  • Linux
  • ESXi

Observations from Group-IB Threat Intelligence experts reveal that Qilin ransomware is promoted on the dark web, featuring a proprietary DLS with distinct company IDs and leaked account information.

Qilin Ransomware Operator

Qilin ransomware operators use a double extortion method: they encrypt and exfiltrate sensitive data, demand payment for decryption, and promise not to disclose the stolen information, while retaining control over the different encryption modes.

Qilin ransomware employs phishing emails with malicious links to initiate network infiltration, exfiltrate sensitive data, and subsequently explore the victim’s infrastructure for critical information to encrypt.

During encryption, the threat actors drop a ransom note in every directory of the compromised system. The note contains complete instructions for the victim on how to purchase the decryption key.

Qilin ransomware may further complicate data recovery by attempting to reboot systems in normal mode and stop server-specific processes; if encryption is successful, the operators apply the double extortion technique, demanding payment in exchange for not releasing the stolen data.
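Two of the behaviours described above (a ransom note dropped in every directory, and files renamed to a new extension) are visible in file-system telemetry. The following is an added defender-side example, not code from the article or Group-IB; the event records, note filename and ".locked" extension are constructed placeholders, not Qilin indicators.

```python
"""Heuristics for two behaviours the article attributes to Qilin: a ransom note dropped
in every directory, and files renamed to a new extension. Added example, telemetry constructed."""
from collections import defaultdict
import os

# Constructed file-system events: (t_seconds, action, path, new_path_or_None).
# The note name and ".locked" extension are placeholders, not Qilin indicators.
EVENTS = [
    (10, "create", "/srv/share/finance/RECOVER-FILES.txt", None),
    (10, "rename", "/srv/share/finance/q1.xlsx", "/srv/share/finance/q1.xlsx.locked"),
    (11, "create", "/srv/share/hr/RECOVER-FILES.txt", None),
    (11, "rename", "/srv/share/hr/payroll.docx", "/srv/share/hr/payroll.docx.locked"),
    (12, "create", "/srv/share/legal/RECOVER-FILES.txt", None),
    (12, "rename", "/srv/share/legal/nda.pdf", "/srv/share/legal/nda.pdf.locked"),
    (13, "create", "/srv/share/it/RECOVER-FILES.txt", None),
    (13, "rename", "/srv/share/it/inventory.csv", "/srv/share/it/inventory.csv.locked"),
    (15, "create", "/home/dev/proj/README.md", None),        # benign: generator output
    (16, "create", "/home/dev/proj/sub/README.md", None),    # benign: only two dirs
    (17, "rename", "/home/dev/notes.txt", "/home/dev/notes.bak"),  # benign: single file
]

def _burst(times, min_count, window):
    """True if at least min_count timestamps fall inside some window-second span."""
    times = sorted(times)
    j = 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        if i - j + 1 >= min_count:
            return True
    return False

def find_note_spray(events, min_dirs=3, window=60):
    """Same filename created in >= min_dirs distinct directories within the window."""
    first_seen = defaultdict(dict)  # basename -> {directory: earliest create time}
    for t, action, path, _ in events:
        if action == "create":
            per_dir = first_seen[os.path.basename(path)]
            directory = os.path.dirname(path)
            per_dir[directory] = min(t, per_dir.get(directory, t))
    return {name: sorted(dirs) for name, dirs in first_seen.items()
            if _burst(dirs.values(), min_dirs, window)}

def find_extension_burst(events, min_files=3, window=60):
    """>= min_files renames that append the same new extension within the window."""
    times = defaultdict(list)
    for t, action, old, new in events:
        if action == "rename" and new and new.startswith(old + "."):
            times[new[len(old):]].append(t)
    return {ext: len(ts) for ext, ts in times.items() if _burst(ts, min_files, window)}
```

Thresholds are deliberately low for the constructed sample; on real endpoint telemetry they should be tuned against baseline activity such as build tools and backup agents.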

Group-IB researchers found that Qilin ransomware not only targets victims but also posts their data on the group’s DLS; in May 2023, data from 12 companies across the following countries was identified:-

  • Australia
  • Brazil
  • Canada
  • Colombia
  • France
  • Netherlands
  • Serbia
  • United Kingdom
  • Japan
  • The United States

Qilin’s Admin Panel

Group-IB discovered that Qilin ransomware operates as a Ransomware-as-a-Service (RaaS) and offers its affiliates an administrative panel to manage attacks, with further analysis of the program’s inner workings and admin panel made possible after Group-IB’s infiltration in March 2023.

The affiliates’ panel of the Qilin ransomware group is divided into six sections, described below:-

Section 1: Targets

This section of Qilin’s administrative panel provides details on targeted companies and ransom amounts, and enables affiliates to generate customized samples of Qilin ransomware with different configurations.

The following details can be configured:-

  • name of the company
  • ransom amount
  • waiting period for a ransom payment
  • the timezone of the company
  • information about the company’s revenue from the Zoominfo website
  • announcement
  • description of the attacked company
  • content of the ransom note
  • the directories that will be skipped
  • the files that will be skipped
  • the extensions that will be skipped
  • the processes that will be killed
  • the services that will be stopped
  • login credentials of accounts
  • safe mode excluded hosts
  • mode of encrypting
  • extensions that will be encrypted
  • list of virtual machines (VMs) that will not be killed/shut down

Section 2: Blogs

Within this section, affiliates can create and edit blog posts containing details about targeted organizations that have failed to pay the demanded ransom.

Section 3: Stuffers

Qilin’s “Stuffers” section allows attackers to perform the following tasks:-

  • Create accounts for their team members
  • Control their level of access
  • Enable them to witness all attacks
  • Build ransomware samples
  • View victim chats

Section 4: News

As of April 2023, no updates or published posts were found in the News section of Qilin ransomware, where operators typically share information regarding their ransomware partnership.

Section 5: Payments

Qilin ransomware affiliates can withdraw ransom money from the Payments block, which includes details about the balance of their wallets, transactions, and fees to the ransomware group.

Section 6: FAQs

Affiliates can also access support and documentation in the FAQ section, which provides detailed information on a variety of topics, such as:-

  • The type of infections
  • How to use the malware
  • Additional information about the targets

Recommendations

The cybersecurity analysts offer the following recommendations:-

  • Increase the level of security by adding more layers.
  • Make sure that you have a “backup” plan in place.
  • Make sure to use a reputable business email protection service.
  • Implement a solution that is capable of detonating advanced malware.
  • Make sure to patch your connected devices with the latest available patch.
  • It is important to train your employees.
  • Identify and control vulnerabilities in the system.
  • Whenever you receive a ransom note, do not pay it.

Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.