Updated Qilin Ransomware Escalates Encryption and Evasion
Rust-Based Ransomware Employs Aggressive Anti-Detection Tactics

Operators of a Russian-speaking ransomware group have launched a new encryptor with enhanced measures for defeating cyber defenders, including wiping logs, disrupting backup systems and preventing decryption without insider knowledge.
Security researchers first observed the Qilin ransomware-as-a-service gang in July 2022. Also known as Agenda, it became a global phenomenon after carrying out an attack in July against U.K. National Health Service provider Synnovis, an incident that halted tests and operations at hospitals across London (see: Qilin RaaS Group Believed to Be Behind Synnovis, NHS Attack).
Cybersecurity firm Halcyon said Thursday it has uncovered a new variant of the group's payload, which it dubs Qilin.B.
Among its improvements: a faster block cipher, AES-256-CTR using the AES-NI instruction set, for newer systems, while retaining the older ChaCha20 cipher for victim machines that don't support the hardware-accelerated method. The hackers also protect the encryption keys with RSA-4096 using OAEP padding, "making file decryption without the private key or captured seed values impossible."
AES-256-CTR runs the AES block cipher (128-bit blocks, 256-bit key) in counter mode, which suits high-speed encryption when hardware support such as AES-NI is available. ChaCha20 is a stream cipher that encrypts data byte by byte and is optimized for software performance and security on diverse devices.
One of Qilin.B's most potent features is its evasion capability. Written in Rust, a language known for its strong security and resilience against reverse engineering, Qilin.B is notably difficult to analyze and trace.
After deployment, the ransomware terminates essential security services, clears Windows Event Logs and ultimately deletes itself from the target system, leaving minimal forensic traces.
Qilin.B begins by checking for administrative privileges, detecting virtual machine environments and testing for AES-NI instruction set support before loading its configuration and establishing persistence. It persists through a registry entry that auto-runs it at startup, ensuring reactivation after a reboot.
Once in control, Qilin.B disrupts backup systems, in particular by targeting the Windows Volume Shadow Copy Service, which blocks users from recovering data after encryption. The encryptor targets and disables services commonly associated with security, backup and virtualization tools, including those from vendors such as Sophos, Acronis and Veeam.
Encrypted files display a unique extension linked to a "company_id," which affiliates use to identify and track victims. In each encrypted directory, Qilin.B leaves a ransom note titled "README-RECOVER-[company_id].txt" that includes payment instructions and links to a Tor-based site for decryption assistance.
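The behaviours the article attributes to Qilin.B (stopping security and backup services including the Volume Shadow Copy Service, clearing Windows Event Logs, auto-run registry persistence and dropping a README-RECOVER-[company_id].txt note) are each individually noisy but together form a strong host-level signal. The following Python detection example is added here and is not code from the article or from Halcyon; it runs over constructed sample events whose simplified field names (host, channel, event_id, message, target_object, target_filename) are an assumption of this example. The event IDs used are standard Windows/Sysmon ones: Security 1102 and System 104 for log clearing, Service Control Manager 7036 for service state changes, Sysmon 13 for registry value set and Sysmon 11 for file creation.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry): simplified Windows and Sysmon
# records. Field names mirror common event fields but are an assumption here.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "System", "event_id": 7036,
     "message": "The Sophos Endpoint Defense Service service entered the stopped state."},
    {"host": "ws01", "channel": "System", "event_id": 7036,
     "message": "The Veeam Backup Service service entered the stopped state."},
    {"host": "ws01", "channel": "System", "event_id": 7036,
     "message": "The Volume Shadow Copy service entered the stopped state."},
    {"host": "ws01", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"host": "ws01", "channel": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
    {"host": "ws01", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 11,
     "target_filename": r"C:\Users\alice\Documents\README-RECOVER-a1b2c3.txt"},
    # Benign noise on another host: a routine service restart.
    {"host": "ws02", "channel": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the stopped state."},
    {"host": "ws02", "channel": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the running state."},
]

# Vendors and services the article says Qilin.B disables; the pattern is an
# assumption and should be tuned to the products actually deployed.
TARGETED_SERVICE_RE = re.compile(r"Sophos|Acronis|Veeam|Volume Shadow Copy", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
RANSOM_NOTE_RE = re.compile(r"README-RECOVER-[^\\/]+\.txt$", re.I)
SYSMON = "Microsoft-Windows-Sysmon/Operational"


def classify(event):
    """Return the behaviour tag a single event matches, or None if it is benign."""
    ch, eid = event.get("channel"), event.get("event_id")
    msg = event.get("message", "")
    # Log clearing: Security 1102 (audit log cleared) or System 104 (system log cleared).
    if (ch, eid) in {("Security", 1102), ("System", 104)}:
        return "event_log_cleared"
    # Security/backup/VSS service entering the stopped state (SCM 7036).
    if ch == "System" and eid == 7036 and "stopped state" in msg \
            and TARGETED_SERVICE_RE.search(msg):
        return "protection_service_stopped"
    # Auto-run persistence written under a Run key (Sysmon 13, value set).
    if ch == SYSMON and eid == 13 and RUN_KEY_RE.search(event.get("target_object", "")):
        return "run_key_persistence"
    # Ransom note dropped in a directory (Sysmon 11, file create).
    if ch == SYSMON and eid == 11 and RANSOM_NOTE_RE.search(event.get("target_filename", "")):
        return "ransom_note_dropped"
    return None


def scan(events, min_behaviours=2):
    """Group matched behaviours per host and flag hosts showing at least
    min_behaviours distinct ones; single matches alone are left as info."""
    per_host = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host[ev["host"]].add(tag)
    return {host: {"behaviours": sorted(tags), "alert": len(tags) >= min_behaviours}
            for host, tags in per_host.items()}


if __name__ == "__main__":
    for host, result in scan(SAMPLE_EVENTS).items():
        print(host, "ALERT" if result["alert"] else "info", result["behaviours"])
```

Correlating by host rather than alerting on each event keeps a single service restart from paging anyone, while a log clear followed by a Run-key write or a ransom note on the same machine is escalated. Because the variant clears event logs and removes itself, the detection only works if events are forwarded off the host before they are wiped; the ransom note and the stopped-service records are then the durable artifacts left on disk.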