Researchers out new Qilin ransomware-as-a-service variant
Ransomware developers are used to their malware being detected. Once defenses against it have been built, they revise and update their code to circumvent those defenses. Then developers deploy an updated version in renewed attacks, often with increased sophistication, to evade detection and achieve their malicious objectives.
That cycle has started anew with the Qilin ransomware-as-a-service operation, according to a new report from the cybersecurity firm Halcyon about the group’s updated and upgraded variant.
Researchers at the firm warned Thursday that “Qilin.B” is a “more advanced” ransomware variant that boosted encryption and evasion techniques to the big game hunters’ arsenal.
“Qilin.B’s combination of enhanced encryption mechanisms, effective defense evasion tactics, and persistent disruption of backup systems marks it as a particularly dangerous ransomware variant,” the report noted.
The Qilin ransomware operation first emerged in July 2022 after rebranding a previous variant known as Agenda and rewriting the malware in Rust. The group is known for multi-million dollar ransoms that target the health care industry.
In June, Qilin caused chaos in the United Kingdom after hitting the pathology company and National Health Service provider Synnovis, leading to the disruption of 3,000 hospital and general practitioner appointments. Qilin also offers affiliates up to 85% of the ransom cut, a generous offer that experts note is likely due to the million-dollar extortion demands.
Qilin’s new variant has additional obfuscation techniques that makes signature-based detection difficult, according to a Halcyon researcher, who requested anonymity due to privacy concerns. The newly written malware appears to be aiming for speed, evasion and persistence, according to the researcher.
The rewrite gives ransomware actors more configuration options and control, Halcyon said. Organizations should have cross-platform security monitoring, including for Linux and VMware’s ESXi hypervisor, and ensure tools can handle Rust-compiled code as well.
Qilin.B has additional encryption capabilities, like AES-256-CTR encryption for systems with AESNI capabilities and RSA-4096 with OAEP padding, all of which make decryption by other means — besides getting the private key — difficult, the report states.
Additionally, the Halcyon researcher said that the rewrite also changed function names, encrypted strings, and used other obfuscation methods to ensure reverse engineering and defense response is more difficult and takes longer. Organizations should ensure behavior detection systems are used, since it was re-tooled to avoid signature-based detection.
Additionally, the report noted that Qilin.B deletes services associated with backups and deletes volume shadow copies, evades system reboots, and, finally, deletes itself after finishing the job.
