
QILIN Ransomware Report 

Qilin, also known as “Agenda”, is a ransomware group that also operates a ransomware-as-a-service (RaaS) scheme. Qilin’s RaaS scheme earns anywhere between 80% and 85% of each ransom payment, according to new Group-IB findings. It was first discovered in 2022, when it attacked Australia’s leading information technology service organization.

Qilin targets its victims with phishing emails containing malicious links to gain access to their network and exfiltrate sensitive data. As soon as initial access is complete, the operators commonly move laterally across the victim’s infrastructure, looking for critical data to encrypt. After encrypting the data, Qilin leaves a ransom note (“Your network/system was encrypted, and the encrypted file has a new file extension”) and demands a ransom payment for the decryption key.


Ransomware Details & Working 

It drops pwndll.dll, detected as Trojan.Win64.AGENDA.SVT, in the public folder and injects this DLL into svchost.exe to allow continuous execution of the ransomware binary. It takes advantage of safe mode to evade detection and proceed with its encryption routine unnoticed. The malware is also written in Rust, and the Rust variant is especially effective for ransomware attacks: apart from being hard to detect and hard to reverse-engineer, Rust makes it easier to customize the malware for Windows, Linux, and other operating systems.

Key points to note:

  • The ransomware is written in the Go and Rust programming languages.
  • It reboots the system into safe mode and stops the processes and services running on the servers.
  • It uses AES-256 to encrypt the files and RSA-2048 to encrypt the generated key.
  • After successful encryption, the encrypted files are renamed using the company ID given in the runtime configuration.
  • The ransomware sample is customized for each victim, and most samples are 64-bit Windows PE files written in Go.

Victim Selection  

Initially the group targeted organizations at random, but it now appears to be mostly interested in critical infrastructure, specifically OT companies. In 2023 they targeted 21 companies, including 5 OT victims. Recently, in June 2023, they attacked a Dubai-based OT company that specializes in comprehensive industrial and commercial water treatment (Clarity Water Technologies, LLC), and have targeted 6 other companies and leaked some of their data.

As per our dark web analysis, the victims targeted so far are from many countries, including Argentina, Australia, Brazil, Canada, Colombia, France, Germany, Japan, New Zealand, Serbia, Thailand, the Netherlands, the UAE, the UK and the United States.

Fig 1: Victim countries

As per a screenshot of a post written in Russian by a Qilin recruiter to recruit “teams of experienced pentesters for their affiliate program,” the group does not operate in CIS countries.

Dark Web Analysis of Qilin Ransomware

Qilin maintains a dedicated dark web page where they publish information about each victim, including the victim’s name, the date of the attack, a description of the victim and some images of the victim’s sensitive data. When the ransom is not paid, they also leak the victim’s data on this dark web site.

They have posted about 22 victims on their onion site, and some victims’ data has also been leaked on the page.


Let’s go through their dark web site.

Qilin dark web front page, where they publish the information about their victims.

Login page on the Qilin ransomware site.

They normally leak two files: one contains the data, and the other contains the list of all the sensitive files (as shown in the image).


IOCs 

76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e 

fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039 
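One way to operationalize the two file hashes above together with the dropped-DLL detail from the “Ransomware Details & Working” section, as an added example that is not part of the Sectrio report: a small sweep that hashes every file under a directory and flags matches on the published SHA-256 values or on the pwndll.dll file name. The sample directory tree it builds is constructed for the demo and contains no real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes published in the report above.
QILIN_SHA256 = {
    "76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e",
    "fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039",
}
# DLL the report says is dropped into the public folder and injected into svchost.exe.
SUSPICIOUS_NAMES = {"pwndll.dll"}

def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, hashes=QILIN_SHA256, names=SUSPICIOUS_NAMES):
    """Walk `root`; return (path, kind, value) for every name or hash hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower() in names:
                hits.append((str(p), "name", name.lower()))
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in hashes:
                hits.append((str(p), "sha256", digest))
    return hits

def demo():
    """Constructed sample tree (not real malware): a file named like the dropper,
    a benign file, and a marker whose own hash is added to the IOC set."""
    with tempfile.TemporaryDirectory() as tmp:
        pub = Path(tmp) / "Users" / "Public"
        pub.mkdir(parents=True)
        (pub / "pwndll.dll").write_bytes(b"constructed sample, not real malware")
        (pub / "readme.txt").write_bytes(b"harmless")
        marker = pub / "sample.bin"
        marker.write_bytes(b"constructed marker file")
        hits = sweep(tmp, hashes=QILIN_SHA256 | {sha256_of(marker)})
        return sorted((Path(p).name, kind) for p, kind, _ in hits)
```

On a real host you would point `sweep()` at the public folder (C:\Users\Public on Windows) and at other writable locations, and treat a name hit as a lead to investigate rather than proof on its own.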

Mitigations and Remediations for Securing the OT Environment

  • Multi-factor Authentication 
  • Data Backup 
  • Employee Awareness and Training 
  • Email Security 
  • Patch Management 
  • Network Segmentation 
  • Advanced Threat Detection 
  • Incident Response Readiness 

References

https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

https://www.trendmicro.com/en_in/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html

https://www.group-ib.com/blog/qilin-ransomware/


This research report is attributed to Dipanjali Rani and Akshay Jambagi from Sectrio’s threat research team.

*** This is a Security Bloggers Network syndicated blog from Sectrio authored by Sectrio. Read the original post at: https://sectrio.com/qilin-ransomware-report-2023/