Qilin operates a RaaS model, distributing its Rust-based ransomware payload. It engages in double extortion, exfiltrating data before encrypting systems at scale. For initial access it exploits vulnerabilities in public-facing applications and abuses RDP; it uses Cobalt Strike for C2 and tools such as Rclone for data exfiltration, and it seeks to delete backups and disable recovery so that victims have no alternative to paying the ransom.
Chronology and Evolution
- Late 2022: Initial emergence as ‘Agenda’ with a focus on healthcare organizations. The group emerged under the name Agenda, utilizing a ransomware payload. Their initial operations predominantly targeted the healthcare sector, seeking to exploit system criticality and recovery urgency. This allowed them to test and refine their TTPs in high-pressure environments.
- Early 2023: Rebranding to Qilin and adoption of the Rust-based payload. The group officially changed its name to Qilin, marking a significant evolution. They introduced a new ransomware payload written in Rust, offering greater flexibility and evasion capabilities. This transition also involved adopting a more formal RaaS model.
- Mid-2023: Development and deployment of Linux and ESXi variants. Qilin expanded its arsenal with specific variants for Linux and VMware ESXi environments. This capability allowed them to target critical virtualization infrastructures, increasing the potential impact. Focusing on ESXi demonstrates increasing sophistication in disabling VM backups and recovery.
- Late 2023: Increased activity and focus on large enterprises. The group intensified its operations, targeting larger, higher-revenue organizations. They refined their initial access and exfiltration techniques, seeking to maximize ransom payments. This phase demonstrated greater operational maturity and a more aggressive victimization strategy.
Attack Summary
| Phase | Description |
|---|---|
| Initial Access | Gains initial access by exploiting vulnerabilities in internet-exposed software, such as FortiOS SSL-VPN (CVE-2022-42475). |
| Credential Access | Once inside, the Qilin group employs tools like Mimikatz to dump credentials from LSASS. They also search for credentials in insecure internal databases and browser caches. |
| Persistence and Evasion | Establishes persistence by creating new scheduled tasks to execute ransomware or C2 beacons. They modify registry keys to auto-start their executables upon system boot. |
| Lateral Movement | For lateral movement, Qilin abuses standard protocols like SMB and RDP with compromised credentials. They employ tools such as PsExec to execute payloads on remote systems efficiently. |
| Exfiltration | Data exfiltration is a critical phase of Qilin’s double extortion strategy. They use Rclone to synchronize large volumes of data with cloud storage services, such as MEGA or Dropbox. |
| Encryption | Ransomware utilizes a combination of symmetric and asymmetric encryption. It employs ChaCha20 for rapid encryption of individual files. |
| Impact and Destruction | Impact is maximized by deleting backup and system restore points. The group executes `vssadmin.exe delete shadows` and `wmic shadowcopy delete` to eradicate volume snapshots. |
Initial Access
Qilin gains initial access by exploiting vulnerabilities in internet-exposed software, such as FortiOS SSL-VPN (CVE-2022-42475). The group also leverages internet-exposed RDP access, often via brute force or stolen credentials. Targeted phishing to obtain valid credentials is another common vector, facilitated by Initial Access Brokers.
Credential Access
Identity compromise is core to Qilin operations. Threat actors typically perform LSASS dumping via tools like Mimikatz or Procdump, aiming to harvest cached credentials, NTLM hashes, Kerberos tickets, or browser-stored passwords. Active Directory enumeration is also frequently used to identify high-privilege targets.
These credentials enable easier lateral movement and privilege escalation within the domain.
Persistence and Evasion
Qilin prioritizes stealthy persistence via scheduled tasks and the misuse of legitimate RMM tools.
Qilin establishes persistence by creating new scheduled tasks that execute the ransomware or C2 beacons, and modifies registry keys so that its executables auto-start at system boot. Creating local user accounts with elevated privileges is also a common method.
Lateral Movement
SSH access to ESXi hosts is also utilized to compromise virtual infrastructure.
Exfiltration
Data exfiltration is a critical phase of Qilin’s double extortion strategy. They use Rclone to synchronize large volumes of data with cloud storage services, such as MEGA or Dropbox. They may also set up temporary attacker-controlled staging servers. The goal is to obtain sensitive information to increase pressure on the victim.
Encryption
The Qilin encryptor implements a multithreaded hybrid model protecting data with symmetric algorithms like AES-256 or ChaCha20, wrapping the per-file key with RSA-2048 or RSA-4096. Depending on the target (Windows, Linux, or VMware ESXi), variants use partial or optimized encryption modes with specialized key exchange protection.
An RSA-4096 public key is used to encrypt each file’s ChaCha20 key. This makes recovery without the attacker’s private key virtually impossible.
Impact and Destruction
Impact is maximized by deleting backup and system restore points. The group executes `vssadmin.exe delete shadows` and `wmic shadowcopy delete` to eradicate volume snapshots. They disable Windows recovery with `bcdedit /set {default} recoveryenabled No`. This ensures victims cannot restore files from local copies.
Victims and Geography
Victims are distributed globally, with a high concentration in North America and Europe. The group selects high-revenue targets, regardless of sector. They show no specific geographic preference, but rather a focus on payment capability. This approach maximizes the likelihood of successful extortion.
Sources
- SentinelOne — Qilin Ransomware: Unveiling The Linux/ESXi Threat
- BleepingComputer — Qilin Ransomware hits multiple companies
Target Sectors
Sectors in which the Qilin group has concentrated its attacks.
The group goes after healthcare institutions because of the criticality of their systems. Patient data is highly sensitive and valuable on the black market. Disrupting healthcare services pressures victims to pay quickly.
Manufacturing companies are targets because of their dependence on operational systems. Production downtime generates massive economic losses and urgency. The group seeks intellectual property and design data for exfiltration.
Educational institutions hold large volumes of personal data on students and staff. In addition, their budgets can be limited, which makes them vulnerable. Disrupting academic operations creates immediate pressure.
The financial sector is attractive because of the wealth and sensitivity of its information. Qilin seeks access to banking data, investments and customer records. A successful attack can have a devastating reputational impact.
Technology companies are attacked for their intellectual property and code bases. The group attempts to steal trade secrets and development data. Disruption of technology services can affect numerous downstream customers.
Law firms handle confidential client information, including agreements and strategies. Qilin seeks this highly sensitive data for extortion. Compromise of such data can have serious legal and reputational consequences.
Detection & Response Rules
Rules ready to import into SentinelOne XDR. Contact us for full access to the updated repository.
This rule detects the execution of the Mimikatz binary or its renamed components. Mimikatz execution is a strong indicator of credential theft attempts. Early detection is crucial to prevent escalation.
EventType = 'Process Creation' AND (TgtProcName In ('mimikatz.exe', 'mimi.exe', 'procdump.exe') OR (TgtProcCmdLine ContainsCIS 'lsass' AND TgtProcCmdLine ContainsCIS 'full'))
Detects Rclone execution from unusual locations or with exfiltration arguments. Using Rclone to send large volumes of data to cloud destinations is suspicious. This rule helps identify active data exfiltration.
EventType = 'Process Creation' AND TgtProcName = 'rclone.exe' AND TgtProcCmdLine Contains Any Case Insensitive ('copy', 'sync', 'mega:', 'dropbox:', 'onedrive:', 's3:')
Monitors the creation of new scheduled tasks that execute suspicious scripts or binaries. Qilin attackers use scheduled tasks to maintain access. This rule identifies the creation of persistence mechanisms.
EventType = 'Process Creation' AND TgtProcName = 'schtasks.exe' AND TgtProcCmdLine Contains Any Case Insensitive ('/create', '/sc', '/tn', '/tr') AND TgtProcCmdLine Contains Any Case Insensitive ('.exe', '.dll', '.ps1')
Detects the execution of `vssadmin.exe delete shadows` or similar commands. This command is commonly used by ransomware to prevent file recovery. Its detection is critical for identifying the final phase of an attack.
EventType = 'Process Creation' AND TgtProcName = 'vssadmin.exe' AND TgtProcCmdLine ContainsCIS 'delete' AND TgtProcCmdLine ContainsCIS 'shadows'
Identifies PsExec execution to move and execute code on remote systems. Qilin uses this tool to distribute its payload. Detection helps contain ransomware spread.
EventType = 'Process Creation' AND TgtProcName = 'psexec.exe' AND TgtProcCmdLine Contains Any Case Insensitive ('\\', '-s', '-accepteula')
This rule detects the execution of the SoftPerfect 'netscan.exe' or 'spns.exe' binary. The Qilin group uses it for internal network reconnaissance. Its presence on a client's network is often anomalous and suggests malicious activity.
EventType = 'Process Creation' AND TgtProcName In ('netscan.exe', 'spns.exe') AND TgtFilePath Contains Any Case Insensitive ('SoftPerfect')
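The rules above and the backup-destruction commands from the Impact and Destruction section, re-implemented as an added Python example (not the page's or SentinelOne's code) so they can be run against sample process-creation events; the rule names, `Rule` class and the events are constructed here, and the set is extended to the `wmic shadowcopy delete` and `bcdedit ... recoveryenabled No` commands the page lists but has no rule for.

```python
# Added example (not the page's or SentinelOne's code): the page's process-creation
# rules as Python predicates, extended to the wmic/bcdedit commands from the Impact section.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    proc_names: frozenset      # lower-case image names; empty means any process
    all_of: tuple = ()         # every substring must appear in the command line
    any_groups: tuple = ()     # per group, at least one substring must appear

    def matches(self, event: dict) -> bool:
        if event.get("EventType") != "Process Creation":
            return False
        if self.proc_names and event.get("TgtProcName", "").lower() not in self.proc_names:
            return False
        cmd = event.get("TgtProcCmdLine", "").lower()
        return (all(s in cmd for s in self.all_of)
                and all(any(s in cmd for s in g) for g in self.any_groups))

RULES = (
    Rule("credential_dump_tool", frozenset({"mimikatz.exe", "mimi.exe", "procdump.exe"})),
    Rule("lsass_full_dump", frozenset(), all_of=("lsass", "full")),
    Rule("rclone_exfiltration", frozenset({"rclone.exe"}),
         any_groups=(("copy", "sync", "mega:", "dropbox:", "onedrive:", "s3:"),)),
    Rule("schtasks_persistence", frozenset({"schtasks.exe"}),
         any_groups=(("/create", "/sc", "/tn", "/tr"), (".exe", ".dll", ".ps1"))),
    # Both words required, so 'vssadmin list shadows' does not fire.
    Rule("shadow_copy_deletion", frozenset({"vssadmin.exe"}), all_of=("delete", "shadows")),
    Rule("wmic_shadowcopy_delete", frozenset({"wmic.exe"}), all_of=("shadowcopy", "delete")),
    Rule("recovery_disabled", frozenset({"bcdedit.exe"}), all_of=("recoveryenabled", "no")),
)

def evaluate(events):
    """Return {event_index: [rule names]} for events that trigger at least one rule."""
    hits = {i: [r.name for r in RULES if r.matches(ev)] for i, ev in enumerate(events)}
    return {i: names for i, names in hits.items() if names}

# Constructed sample telemetry, not from a real incident.
SAMPLE_EVENTS = [
    {"EventType": "Process Creation", "TgtProcName": "vssadmin.exe",
     "TgtProcCmdLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventType": "Process Creation", "TgtProcName": "vssadmin.exe",
     "TgtProcCmdLine": "vssadmin.exe list shadows"},  # legitimate admin query
    {"EventType": "Process Creation", "TgtProcName": "rclone.exe",
     "TgtProcCmdLine": "rclone.exe sync D:\\Finance mega:staging -P"},
    {"EventType": "Process Creation", "TgtProcName": "bcdedit.exe",
     "TgtProcCmdLine": "bcdedit /set {default} recoveryenabled No"},
]
```

Running `evaluate(SAMPLE_EVENTS)` flags events 0, 2 and 3 and stays silent on the benign `vssadmin list shadows` query, which the page's any-of form of the vssadmin rule would have matched.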