Cybersecurity analysts have identified a highly advanced iteration of the Qilin ransomware, exhibiting greater sophistication and new strategies to evade detection.
This latest variant is being monitored by the cybersecurity firm Halcyon, and it is designated as Qilin.B.
“Importantly, Qilin.B now employs AES-256-CTR encryption for systems equipped with AESNI capabilities, while still utilizing Chacha20 for those without this feature,” the Halcyon Research Team explained in a report shared with The Hacker News.
“Furthermore, RSA-4096 with OAEP padding is employed to protect encryption keys, rendering file decryption without access to the attacker’s private key or captured seed values futile.”
Qilin, also referred to as Agenda, first gained attention in the cybersecurity field during the July/August 2022 period, with its initial versions coded in Golang before transitioning to Rust.
A report from May 2023 by Group-IB highlighted that the ransomware-as-a-service (RaaS) model allows affiliates to retain 80% to 85% of each ransom payment, provided they successfully engage with a Qilin recruiter.
Recent incidents associated with the Qilin operation have underscored its capability to steal credentials saved within Google Chrome browsers on a select number of compromised devices, marking a shift away from conventional double extortion tactics.
Halcyon’s analysis of Qilin.B samples indicates its enhancement over previous versions, with improved encryption capabilities and refined operational methods.
This includes implementing AES-256-CTR or Chacha20 for encryption and taking measures to avoid detection by terminating services linked to security applications, routinely clearing Windows Event Logs, and self-deleting.
Moreover, it features the ability to terminate processes associated with backup and virtualization solutions like Veeam, SQL, and SAP, and erase volume shadow copies, complicating recovery efforts.
“The combination of Qilin.B’s advanced encryption features, efficient defense evasion strategies, and persistent disruption of backup systems positions it as a particularly menacing variant of ransomware,” Halcyon stated.
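To show the detection side of the behaviours described above (log clearing, shadow-copy deletion, stopped backup services), here is an added example that is not code from the Halcyon report or this article: it scans constructed Windows event records and flags hosts where more than one of these behaviours occurs within a short window. Event IDs 1102, 104, 4688 and 7036 are the standard Windows ones; the sample events, the service-name pattern and the ten-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): host, ISO timestamp, Windows event ID, message.
SAMPLE_EVENTS = [
    ("srv01", "2024-10-24T02:11:03", 7036, "The Veeam Backup Service service entered the stopped state."),
    ("srv01", "2024-10-24T02:11:09", 4688, "New Process: vssadmin.exe  Command Line: vssadmin delete shadows /all /quiet"),
    ("srv01", "2024-10-24T02:11:40", 1102, "The audit log was cleared."),
    ("ws07", "2024-10-24T08:15:00", 7036, "The Print Spooler service entered the running state."),
    ("ws07", "2024-10-24T09:30:00", 1102, "The audit log was cleared."),
]

# Assumed service-name pattern covering the products named in the article (Veeam, SQL, SAP).
BACKUP_SERVICES = re.compile(r"\b(veeam|sql|sap)\b", re.I)
# Common shadow-copy deletion command lines.
SHADOW_DELETE = re.compile(r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|wbadmin\s+delete)", re.I)

def classify(event_id, message):
    """Map one event to a behaviour named in the write-up, or None if it is benign."""
    if event_id in (1102, 104):  # Security (1102) or System (104) log cleared
        return "log_cleared"
    if event_id == 4688 and SHADOW_DELETE.search(message):  # process creation
        return "shadow_copy_deleted"
    if event_id == 7036 and "stopped state" in message and BACKUP_SERVICES.search(message):
        return "backup_service_stopped"
    return None

def find_precursor_hosts(events, window_minutes=10, min_behaviours=2):
    """Return {host: sorted behaviours} for hosts showing >= min_behaviours distinct
    behaviours within window_minutes of each other; one hit alone is not enough to flag."""
    per_host = defaultdict(list)
    for host, ts, event_id, message in events:
        label = classify(event_id, message)
        if label:
            per_host[host].append((datetime.fromisoformat(ts), label))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {label for t, label in hits[i:] if t - start <= timedelta(minutes=window_minutes)}
            if len(seen) >= min_behaviours:
                flagged[host] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    for host, behaviours in find_precursor_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(behaviours)}")
```

Feeding real Security and System log exports in the same (host, timestamp, event ID, message) shape is enough to run it; the single 1102 on ws07 is deliberately not flagged, since routine log clearing alone is a weak signal.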
The persistent and evolving nature of ransomware threats is reflected in the continual adaptation techniques exhibited by ransomware groups.
This includes the emergence of a new toolset based on Rust used to deploy the emerging Embargo ransomware, which notably terminates installed endpoint detection and response (EDR) solutions using the Bring Your Own Vulnerable Driver technique.
Both the EDR killer, labeled MS4Killer by ESET because of its resemblance to the open-source s4killer tool, and the ransomware itself are executed via a malicious loader named MDeployer.
“MDeployer is the primary malicious loader Embargo employs to infect machines within a compromised network, facilitating the subsequent ransomware execution and file encryption,” researchers Jan Holman and Tomáš Zvara remarked. “MS4Killer is expected to continue operating indefinitely.”
“Both MDeployer and MS4Killer are developed using Rust, a trend consistent with the language choice for the ransomware payload, indicating Rust is the preferred language among the group’s developers.”
Data from Microsoft reveals that 389 healthcare institutions in the U.S. have fallen victim to ransomware attacks this fiscal year, incurring costs of up to $900,000 daily due to the resulting downtime. Notable ransomware gangs involved in targeting hospitals include Lace Tempest, Sangria Tempest, Cadenza Tempest, and Vanilla Tempest.
“Among the 99 healthcare organizations that acknowledged paying the ransom and disclosed the amounts, the median payment reached $1.5 million, with the average around $4.4 million,” the technology giant reported.