Oct 24, 2024
Ravie Lakshmanan
Ransomware / Cybercrime
Cybersecurity researchers have discovered an updated version of the Qilin ransomware that shows greater sophistication and stronger evasion tactics.
The new variant, tracked as Qilin.B, was analyzed by cybersecurity firm Halcyon, whose findings detail its expanded capabilities.
“Notably, Qilin.B now showcases the utilization of AES-256-CTR encryption for systems with AESNI capabilities, while also supporting Chacha20 for systems lacking this feature,” the Halcyon Research Team said in an exclusive report shared with The Hacker News.
“Moreover, the ransomware employs RSA-4096 with OAEP padding to protect encryption keys, rendering file decryption without the attacker’s private key or captured seed values virtually impossible.”
The Qilin ransomware, also known as Agenda, first surfaced in July/August 2022; early versions were written in Golang before the developers moved to Rust.
A May 2023 report by Group-IB revealed that the ransomware operates on a ransomware-as-a-service (RaaS) model, with affiliates keeping between 80% and 85% of each ransom payment.
Recent attacks linked to the ransomware have also harvested credentials stored in Google Chrome on a subset of compromised endpoints, a departure from the usual double extortion playbook.
Halcyon’s analysis of Qilin.B samples shows a marked evolution over earlier versions, with stronger encryption and more refined operational tradecraft.
The update adds AES-256-CTR or Chacha20 for file encryption, together with deliberate anti-analysis and anti-detection steps: terminating security-related services, repeatedly clearing Windows Event Logs, and deleting itself after execution.
The ransomware can also terminate processes belonging to backup and virtualization platforms such as Veeam, SQL, and SAP, and delete volume shadow copies, making recovery considerably harder.
“Through its blend of fortified encryption mechanisms, adept defense evasion methodologies, and persistent disruption of backup systems, Qilin.B emerges as a highly perilous ransomware variant,” Halcyon said.
The continual evolution of ransomware groups’ tactics underscores how persistent and adaptable the threat remains.
One example is the discovery of a new Rust-based toolset used to deliver the emerging Embargo ransomware, which first disables endpoint detection and response (EDR) solutions on the target host using the Bring Your Own Vulnerable Driver (BYOVD) technique.
Both the EDR killer, codenamed MS4Killer by ESET because of its resemblance to the open-source s4killer tool, and the ransomware itself are executed through a malicious loader known as MDeployer.
“MDeployer serves as the primary malicious loader utilized by Embargo to infiltrate machines within the compromised network – it facilitates the subsequent phases of the attack, culminating in ransomware execution and file encryption,” researchers Jan Holman and Tomáš Zvara said in a report.
“MS4Killer is designed to run indefinitely, optimizing the ransomware’s impact on the target systems.”
“Both MDeployer and MS4Killer, along with the ransomware payload itself, are crafted in Rust, indicating a strong preference for this language among the group’s developers.”
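The behaviours attributed to Qilin.B above (deleting shadow copies, clearing Windows Event Logs, stopping backup and database services, self-deletion) and the BYOVD driver loading used ahead of Embargo are all visible in ordinary endpoint telemetry. The following triage routine is an added example, not Halcyon's, ESET's or either malware family's code: it runs a few heuristic rules over constructed Sysmon-style process-creation and driver-load records. The field names, the keyword list beyond Veeam/SQL/SAP, the user-writable directory list and the driver-hash placeholder are assumptions to adapt to your own pipeline.

```python
import re

# Services/processes whose termination precedes encryption. Veeam, SQL and SAP
# are named in the Halcyon analysis; "defender" and "sentinel" are assumed
# examples of security products an operator would also target.
PROTECTED_KEYWORDS = ("veeam", "sql", "sap", "defender", "sentinel")

# Directories a kernel driver should never be loaded from (BYOVD heuristic).
USER_WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")

# SHA-256 hashes of known vulnerable drivers. Placeholder only: populate from
# Microsoft's vulnerable driver blocklist or a feed such as loldrivers.io.
KNOWN_VULNERABLE_DRIVER_SHA256 = {"<sha256-placeholder>"}

SHADOW_RE = re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)
EVTLOG_RE = re.compile(r"\b(wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog)", re.I)
STOP_RE = re.compile(r'\b(?:net|sc)(?:\.exe)?\s+stop\s+"?([^\s"]+)|taskkill(?:\.exe)?\s+.*?/im\s+"?([^\s"]+)', re.I)
DEL_RE = re.compile(r"\bdel\b", re.I)


def check_process(ev):
    """Rule names matched by one process-creation event (assumed field names)."""
    hits = []
    cmd = ev.get("command_line", "")
    if SHADOW_RE.search(cmd):
        hits.append("shadow_copy_deletion")
    if EVTLOG_RE.search(cmd):
        hits.append("event_log_clearing")
    for m in STOP_RE.finditer(cmd):
        target = (m.group(1) or m.group(2) or "").lower()
        if any(k in target for k in PROTECTED_KEYWORDS):
            hits.append("backup_or_security_service_stop")
            break
    # Self-deletion: a child shell deleting the path of the process that spawned it.
    parent = ev.get("parent_image", "").lower()
    if parent and DEL_RE.search(cmd) and parent in cmd.lower():
        hits.append("parent_self_deletion")
    return hits


def check_driver(ev):
    """Rule names matched by one driver-load event. A BYOVD driver is usually
    validly signed, so signature status alone is not a useful signal; path and
    hash-blocklist checks are."""
    hits = []
    path = ev.get("driver_path", "").lower()
    if any(d in path for d in USER_WRITABLE_DIRS):
        hits.append("driver_loaded_from_user_writable_path")
    if ev.get("sha256") in KNOWN_VULNERABLE_DRIVER_SHA256:
        hits.append("known_vulnerable_driver")
    return hits


def triage(events):
    """Apply every rule and return (findings, verdict). Single rule hits are
    common admin noise; the combination of impact rules is the Qilin.B pattern."""
    findings = []
    for idx, ev in enumerate(events):
        kind = ev.get("type")
        rules = check_process(ev) if kind == "process_create" else check_driver(ev) if kind == "driver_load" else []
        findings.extend({"event": idx, "rule": r} for r in rules)
    rules_hit = {f["rule"] for f in findings}
    impact = {"shadow_copy_deletion", "event_log_clearing", "backup_or_security_service_stop"}
    if len(rules_hit & impact) >= 2:
        verdict = "likely ransomware precursor"
    elif rules_hit:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return findings, verdict


# Constructed sample telemetry: five malicious process events, two driver loads,
# and two benign administrative commands that must not fire.
PARENT = r"C:\Users\Public\payload.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": PARENT, "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "parent_image": PARENT, "command_line": "wevtutil.exe cl Security"},
    {"type": "process_create", "parent_image": PARENT, "command_line": "net stop VeeamBackupSvc /y"},
    {"type": "process_create", "parent_image": PARENT, "command_line": "taskkill /f /im sqlservr.exe"},
    {"type": "process_create", "parent_image": PARENT, "command_line": 'cmd.exe /c del "C:\\Users\\Public\\payload.exe"'},
    {"type": "driver_load", "driver_path": r"C:\Users\Public\Temp\drv.sys", "sha256": "aaaa"},
    {"type": "driver_load", "driver_path": r"C:\Windows\System32\drivers\legit.sys", "sha256": "<sha256-placeholder>"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "command_line": "net stop Spooler"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "command_line": "wevtutil qe Security /c:5"},
]

if __name__ == "__main__":
    found, verdict = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"event {f['event']}: {f['rule']}")
    print("verdict:", verdict)
```

The verdict is deliberately driven by the combination of impact rules rather than any one of them: `net stop` and `wevtutil` are routine admin tools, but shadow copy deletion followed by log clearing and backup service termination from the same parent process is the sequence the Halcyon report describes.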
According to Microsoft data, 389 healthcare organizations in the U.S. were hit by ransomware attacks this fiscal year, with operational downtime costing up to $900,000 per day. Ransomware groups known to target healthcare institutions include Lace Tempest, Sangria Tempest, Cadenza Tempest, and Vanilla Tempest.
“Ninety-nine healthcare entities that admitted to paying the ransom disclosed a median payment of $1.5 million, with an average payment of $4.4 million,” Microsoft said.