By Cian Heasley, Threat Intelligence Lead, Adarma
In response to recent activity by ransomware group Qilin, Adarma’s Threat Team has developed a comprehensive threat profile of the group. This profile is designed to help you understand the origins, techniques and motivations of this criminal enterprise.
This threat profile provides an overview of our findings on this group and a series of recommendations to strengthen your organisation’s defences against similar threat groups. If you would like to discuss our threat intelligence services, please contact the Adarma Threat Team at hello@adarma.com.
Qilin, also known as Agenda, is believed to be a Russian ransomware group that operates a Ransomware-as-a-Service (RaaS) model, providing affiliates with tools and support to conduct ransomware attacks. This model has enabled Qilin to expand its reach and impact rapidly by drawing on the skills and resources of many different cybercriminals. The Qilin ransomware family includes several variants, including builds written in Golang and Rust that target Windows systems. Since December 2023, the group has also had a purpose-built variant for attacking Linux virtual machines on VMware ESXi hypervisors. This is significant because, unlike many ransomware groups that rely on the leaked Babuk source code for ESXi attacks, Qilin has developed its own custom code for this purpose.
Active since July 2022, the group has emerged as a significant threat in the cybersecurity landscape. It targets large enterprises and other high-value organisations with double-extortion attacks. The group has also targeted organisations in the healthcare and education sectors in Africa and Asia, as well as in the United Kingdom, United States, Canada, Brazil, France and Japan. The group advertises itself on the Russian-speaking forum Ransom Anon Market Place, better known as RAMP.
Qilin has been attributed to attacks against Upper Merion Township (Pennsylvania) and Etairos Health in the US, and Yanfeng Automotive Interiors in China. The group also attacked the Neurology Center of Nevada in the US late last year and, earlier in 2023, ‘Attentive Care and Treatment’, which provides physical rehabilitation and healthcare services to the elderly in the Netherlands. Most recently, the group was linked to the attack on Synnovis, a third-party medical testing and diagnostics provider and the largest in Europe. The attack forced major health providers across London to declare a critical incident, postpone non-emergency patient care and defer operations requiring blood transfusion to other, unaffected hospitals.
- Initial Access and Lateral Movement: Qilin often gains initial access through phishing emails containing malicious links. Once inside the network, they move laterally, exploiting vulnerabilities to escalate privileges and access sensitive data.
- Data exfiltration and encryption: Employing a double-extortion technique, Qilin exfiltrates sensitive data before encrypting it. This strategy pressures victims to pay the ransom under the public threat of releasing the stolen data. In some cases the data is released even after the ransom is paid.
- Customisable ransomware: The group’s affiliates can customise ransomware samples via Qilin’s administrative panel, adjusting settings such as the ransom amount, waiting period, and specific files or directories to target or exclude. This flexibility makes Qilin a potent threat across different environments and industries.
- Defence evasion: Qilin affiliates are known to disable security software by using bring-your-own-vulnerable-driver (BYOVD) techniques via publicly available tools that are marketed on cybercrime forums.
- Lateral tool transfer: To distribute their ransomware executables throughout a compromised network, Qilin affiliates are known to use Active Directory Group Policy Objects (GPOs) to create scheduled tasks on domain-joined systems; the tasks then trigger the encryption process simultaneously across all affected systems.
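The GPO-driven deployment described in the last point has a recognisable footprint in Windows telemetry: the same scheduled task name appears on many hosts within a few minutes, and because the Group Policy client creates the task while running as SYSTEM, the creating subject in Windows Security Event ID 4698 ("A scheduled task was created") is the computer account (HOST$) rather than a named user. The following Python is an added detection example, not code from Adarma or from the actor; it assumes 4698 events have already been normalised by a SIEM into dicts with `ts`, `host`, `event_id`, `subject` and `task` fields, and all hostnames, timestamps and task names below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4698 records, flattened to the
# fields a SIEM would normally extract. Hostnames, times and task names are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T01:12:04", "host": "WS-0101", "event_id": 4698, "subject": "WS-0101$", "task": "\\SysUpdate"},
    {"ts": "2024-06-03T01:12:09", "host": "WS-0102", "event_id": 4698, "subject": "WS-0102$", "task": "\\SysUpdate"},
    {"ts": "2024-06-03T01:12:15", "host": "WS-0107", "event_id": 4698, "subject": "WS-0107$", "task": "\\SysUpdate"},
    {"ts": "2024-06-03T01:12:31", "host": "SRV-FILE1", "event_id": 4698, "subject": "SRV-FILE1$", "task": "\\SysUpdate"},
    {"ts": "2024-06-03T01:13:02", "host": "WS-0113", "event_id": 4698, "subject": "WS-0113$", "task": "\\SysUpdate"},
    {"ts": "2024-06-03T01:14:40", "host": "SRV-SQL2", "event_id": 4698, "subject": "SRV-SQL2$", "task": "\\SysUpdate"},
    # Benign noise: a built-in maintenance task on two hosts hours apart, an
    # administrator's one-off task, and an unrelated event ID that must be ignored.
    {"ts": "2024-06-03T01:00:00", "host": "WS-0101", "event_id": 4698, "subject": "WS-0101$", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"ts": "2024-06-03T03:00:00", "host": "WS-0102", "event_id": 4698, "subject": "WS-0102$", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"ts": "2024-06-03T01:12:20", "host": "SRV-FILE1", "event_id": 4698, "subject": "jsmith", "task": "\\NightlyBackup"},
    {"ts": "2024-06-03T01:12:21", "host": "SRV-FILE1", "event_id": 4688, "subject": "jsmith", "task": None},
]


def created_by_machine_account(host, subject):
    """Heuristic: tasks pushed by Group Policy are created by the Group Policy
    client running as SYSTEM, so the 4698 subject is the computer account (HOST$)
    rather than a named user. This suggests GPO origin; it does not prove it."""
    return subject.upper() == host.upper() + "$"


def detect_task_fanout(events, min_hosts=5, window=timedelta(minutes=10)):
    """Flag task names created on at least `min_hosts` distinct hosts within any
    period of length `window`. Returns one alert dict per suspicious task."""
    by_task = defaultdict(list)
    for e in events:
        if e["event_id"] != 4698 or not e.get("task"):
            continue
        by_task[e["task"]].append((datetime.fromisoformat(e["ts"]), e["host"], e["subject"]))

    alerts = []
    for task, rows in by_task.items():
        rows.sort()  # chronological order so a sliding window works
        best_hosts, best_span = set(), []
        start = 0
        for end in range(len(rows)):
            # Advance the window start until the span fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            hosts = {h for _, h, _ in span}
            if len(hosts) > len(best_hosts):
                best_hosts, best_span = hosts, span
        if len(best_hosts) >= min_hosts:
            alerts.append({
                "task": task,
                "hosts": sorted(best_hosts),
                "first": best_span[0][0].isoformat(),
                "last": best_span[-1][0].isoformat(),
                "machine_account_creations": sum(
                    1 for _, h, s in best_span if created_by_machine_account(h, s)),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_task_fanout(SAMPLE_EVENTS):
        print(f"ALERT task={a['task']} hosts={len(a['hosts'])} "
              f"window={a['first']}..{a['last']} "
              f"machine_account_creations={a['machine_account_creations']}")
```

Thresholds are deliberately parameters: in a large estate legitimate software deployment also fans out scheduled tasks, so tune `min_hosts` and `window` against a baseline, and treat a high `machine_account_creations` count on an unfamiliar task name as the signal to pivot to GPO change auditing rather than as a verdict on its own.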
- Security tools: Phishing is Qilin’s primary initial access vector, so mail filtering and phishing detection platforms will be extremely useful in preventing infection of employee devices, which can act as a beachhead in your network.
- Network traffic: Monitoring suspicious outgoing requests for web resources with a web proxy can help identify successful phishing attacks connecting to command and control infrastructure for the next stage of a compromise. Utilising threat intelligence can automatically link known malicious domains, IP addresses, or specific URLs to events seen in your logs, thereby pinpointing problems before they can escalate.
- Security audits: It is important to ensure that the necessary security measures are in place to protect against common ransomware techniques. This includes having appropriate security controls enabled and properly configured. Additionally, disable RDP where possible and enforce multi-factor authentication on eligible accounts.
- Backup and recovery: Business Continuity and Disaster Recovery (BC/DR) plans must include verified and documented backup and restoration processes. If regular communication solutions are disrupted or compromised, there should be an agreed-upon company solution for out-of-band (OOB) communications.
- Education and training: Provide phishing training to employees so that they can recognise and safely report potential phishing emails. Prompt reporting lets the security team add the sender and associated indicators to blocklists and remediate for other recipients of the same email.
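The network-traffic recommendation above, matching threat-intelligence indicators against proxy logs so that a successful phish is caught when the device reaches out for its next stage, is easy to get wrong in one respect: a listed domain must also match its subdomains, an IP indicator must match even when a port is present, and a URL indicator should ignore a per-victim query string. The following Python is an added example, not Adarma tooling; the indicator feed and the proxy log format (`date time client_ip method url status`) are both constructed for the example, and the domains, IP and URL used as indicators are reserved documentation values, not real IoCs.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed threat-intelligence feed. These are reserved documentation values
# (RFC 2606 / RFC 5737), not real indicators.
IOC_DOMAINS = {"bad-cdn.example", "phish-login.example"}
IOC_IPS = {"203.0.113.45"}
IOC_URLS = {"http://files.example.net/invoice/doc.php"}

# Constructed web-proxy log: "date time client_ip method url status".
SAMPLE_PROXY_LOG = """\
2024-06-03 09:14:22 10.20.30.41 GET http://intranet.corp.example/home 200
2024-06-03 09:14:40 10.20.30.41 GET http://updates.bad-cdn.example/stage2.bin 200
2024-06-03 09:15:03 10.20.30.77 POST https://phish-login.example/auth?session=1 302
2024-06-03 09:15:15 10.20.30.41 GET http://203.0.113.45:8080/beacon 200
2024-06-03 09:16:00 10.20.30.90 GET http://files.example.net/invoice/doc.php?id=7 200
2024-06-03 09:16:30 10.20.30.90 GET https://www.example.com/ 200
"""


def parse_line(line):
    """Split one log line into its fields; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, client_ip, method, url, status = parts
    return {"ts": f"{date}T{time}", "client_ip": client_ip, "method": method,
            "url": url, "status": status}


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def match_domain(host, ioc_domains):
    """Walk from the full hostname up through its parent domains so that a
    listed domain also matches its subdomains; the bare TLD is never tested."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def classify(entry):
    """Return (kind, indicator) if the request touches a known indicator, else None."""
    p = urlsplit(entry["url"])
    host = p.hostname or ""  # hostname strips any :port and lower-cases
    if is_ip(host):
        if host in IOC_IPS:
            return ("ip", host)
    else:
        hit = match_domain(host, IOC_DOMAINS)
        if hit:
            return ("domain", hit)
    # URL indicators are compared without the query string, which commonly
    # varies per victim or per session.
    bare_url = f"{p.scheme}://{p.netloc}{p.path}"
    if bare_url in IOC_URLS:
        return ("url", bare_url)
    return None


def match_iocs(log_text):
    """Run every log line through the indicator checks and return the hits."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        result = classify(entry)
        if result:
            kind, indicator = result
            hits.append({**entry, "kind": kind, "indicator": indicator})
    return hits


if __name__ == "__main__":
    for h in match_iocs(SAMPLE_PROXY_LOG):
        print(f"{h['ts']} {h['client_ip']} -> {h['url']}  [{h['kind']}: {h['indicator']}]")
```

Grouping the hits by `client_ip` is the natural next step: a single workstation that touches a listed domain and then an IP indicator within a minute, as 10.20.30.41 does in the sample, is the pattern of a phish that has already succeeded and is fetching its next stage, and is the host to isolate first.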
Qilin exemplifies the growing sophistication of cyber threats. To mitigate the risk posed by such adversaries, organisations must adopt robust security measures, including employee training on phishing, regular backups, and advanced threat detection systems.
It is vital that security teams are alert to the risks associated with the group. Groups like this can grow and adopt more advanced tactics as they absorb affiliates with technical knowledge from other RaaS operations.