Cybersecurity researchers have discovered an advanced version of the Qilin ransomware that features increased sophistication and evasive tactics.
The new variant is tracked by cyber security company Halcyon under the alias Qilin.B.
“Notably, Qilin.B now supports AES-256-CTR encryption for AESNI-capable systems, while retaining Chacha20 for systems without such support,” the Halcyon Research Team said in a report shared with The Hacker News.
“Additionally, RSA-4096 with OAEP padding is used to protect the encryption keys, making it impossible to decrypt the files without the attacker’s private key or derived seed values.”
Qilin, also known as Agenda, first came to the attention of the cybersecurity community in July/August 2022, with initial versions written in Golang before moving to Rust.
Group-IB's May 2023 report, produced after the firm infiltrated the group and struck up a conversation with a Qilin recruiter, revealed that the Ransomware-as-a-Service (RaaS) scheme lets its affiliates keep 80% to 85% of each ransom payment.
Recent attacks linked to the ransomware operation have involved stealing credentials stored in Google Chrome browsers on a small set of compromised endpoints, marking a departure from the typical two-pronged (double-extortion) ransomware attack.
Samples of Qilin.B analyzed by Halcyon show that it is based on older iterations with additional encryption capabilities and improved operational tactics.
This includes using AES-256-CTR or Chacha20 for encryption, along with steps to resist analysis and detection: stopping services related to security tools, continuously clearing Windows event logs, and deleting itself after execution.
It also includes features to terminate processes associated with backup and virtualization services such as Veeam, SQL, and SAP, and to delete volume shadow copies, making recovery more difficult.
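The behaviours just listed (stopping security and backup services, clearing event logs, deleting shadow copies, self-deletion) all leave process-creation records behind, and that is where a defender catches them. The following is an added example, not code from the article or from Halcyon: a small detector that runs over constructed process-creation events (the `host`/`cmdline` record layout and the service names are assumptions for the example) and flags a host only when several of these categories appear together, since a lone `net stop` is routine administration.

```python
import re
from collections import defaultdict

# Behaviour categories drawn from the article: shadow-copy deletion, event-log
# clearing, stopping backup/database services (Veeam, SQL, SAP), stopping any
# service, and the "ping-then-del" self-deletion idiom. Each regex runs over a
# lower-cased process command line.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    "event_log_clearing": re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b"),
    "backup_service_stop": re.compile(
        r"(?:net1?(?:\.exe)?|sc(?:\.exe)?)\s+stop\s+\S*(?:veeam|sql|sap)"),
    "service_stop": re.compile(r"(?:net1?(?:\.exe)?|sc(?:\.exe)?)\s+stop\s+"),
    "self_deletion": re.compile(
        r"cmd(?:\.exe)?\s+/c\s+.*\b(?:ping|timeout)\b.*\bdel\b"),
}

# Constructed sample events (not real telemetry). FS01 shows the full
# pre-encryption sequence; WS07 shows ordinary admin activity that must not fire.
SAMPLE_EVENTS = [
    {"ts": "2024-10-21T09:12:01Z", "host": "FS01",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-10-21T09:12:03Z", "host": "FS01",
     "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2024-10-21T09:12:04Z", "host": "FS01",
     "cmdline": "net stop VeeamBackupSvc /y"},
    {"ts": "2024-10-21T09:12:05Z", "host": "FS01",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"ts": "2024-10-21T09:12:09Z", "host": "FS01",
     "cmdline": "cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q C:\\Users\\Public\\upd.exe"},
    {"ts": "2024-10-21T09:30:00Z", "host": "WS07",
     "cmdline": "wevtutil.exe qe Application /c:5"},
    {"ts": "2024-10-21T09:31:00Z", "host": "WS07",
     "cmdline": "net stop Spooler"},
]


def classify(cmdline):
    """Return the set of behaviour categories a single command line exhibits."""
    text = cmdline.lower()
    cats = {name for name, rx in RULES.items() if rx.search(text)}
    if "backup_service_stop" in cats:
        cats.discard("service_stop")  # the specific rule supersedes the generic one
    return cats


def host_summary(events):
    """Group hits per host: the distinct categories seen and the matching events."""
    summary = defaultdict(lambda: {"categories": set(), "hits": []})
    for ev in events:
        cats = classify(ev["cmdline"])
        if cats:
            entry = summary[ev["host"]]
            entry["categories"].update(cats)
            entry["hits"].append((ev["ts"], sorted(cats), ev["cmdline"]))
    return dict(summary)


def flag_hosts(events, min_categories=2):
    """Hosts showing at least `min_categories` distinct categories.

    One isolated service stop is routine administration; shadow-copy deletion,
    log clearing and backup-service stops appearing together on one host is the
    recovery-inhibition pattern described in the article.
    """
    return sorted(host for host, s in host_summary(events).items()
                  if len(s["categories"]) >= min_categories)


if __name__ == "__main__":
    summary = host_summary(SAMPLE_EVENTS)
    for host in flag_hosts(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: {sorted(summary[host]['categories'])}")
        for ts, cats, cmd in summary[host]["hits"]:
            print(f"    {ts}  {','.join(cats):<22}  {cmd}")
```

The threshold is the important design choice: each individual rule is noisy on its own (backup administrators stop Veeam services, and `wevtutil` is used legitimately), so the alert fires on the co-occurrence of categories per host rather than on any single command line.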
“Qilin.B’s combination of advanced encryption mechanisms, effective defense evasion tactics, and persistent failures of backup systems make Qilin.B a particularly dangerous ransomware variant,” Halcyon said.
The pernicious and persistent character of the threat posed by ransomware is evidenced by the constantly evolving tactics displayed by ransomware groups.
An example of this is the discovery of a new Rust-based toolkit used to deliver Embargo ransomware, which is launched only after the Endpoint Detection and Response (EDR) solutions installed on the host have been terminated using the Bring Your Own Vulnerable Driver (BYOVD) technique.
The EDR killer, codenamed MS4Killer by ESET because of its similarity to the open-source s4killer tool, and the ransomware itself are both launched by a malicious loader called MDeployer.
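The defensive difficulty with BYOVD is that the driver being abused is a legitimately signed one, so a signature check alone will not flag it; what stands out is where the loader drops it and that the fleet has never loaded it before. The following is an added example, not code from ESET or from the article: a triage routine over constructed driver-load records (the field names follow the Sysmon DriverLoad event, Event ID 6, but the values, the publisher name and the hash strings are placeholders, and the fleet baseline is an assumed organisation-maintained set).

```python
# Directories a properly installed Windows driver is normally loaded from.
# A driver dropped anywhere else by a loader is the first thing to question.
STANDARD_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed fleet baseline: SHA-256 values of drivers the organisation has
# already observed loading across its estate. Placeholder strings, not real hashes.
FLEET_BASELINE = {"PLACEHOLDER_HASH_TCPIP", "PLACEHOLDER_HASH_DISK"}

# Constructed sample records (not real telemetry). The second one models the
# BYOVD case: a validly signed vendor driver loaded from a user-writable path.
SAMPLE_DRIVER_LOADS = [
    {"ts": "2024-10-21T08:59:50Z", "host": "SRV02",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
     "Hashes": "SHA256=PLACEHOLDER_HASH_TCPIP"},
    {"ts": "2024-10-21T09:11:40Z", "host": "SRV02",
     "ImageLoaded": "C:\\ProgramData\\cache\\hwmon.sys",
     "Signed": "true", "SignatureStatus": "Valid",
     "Signature": "Example Hardware Vendor Co. (constructed)",
     "Hashes": "SHA256=PLACEHOLDER_HASH_HWMON,MD5=PLACEHOLDER_MD5_HWMON"},
    {"ts": "2024-10-21T09:40:02Z", "host": "WS11",
     "ImageLoaded": "C:\\Users\\Public\\tool.sys",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "",
     "Hashes": "SHA256=PLACEHOLDER_HASH_TOOL"},
]


def sha256_of(event):
    """Pull the SHA-256 value out of a Sysmon-style 'ALG=value,ALG=value' Hashes field."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip()
    return None


def triage_driver_load(event, baseline=FLEET_BASELINE):
    """Return the reasons this driver load deserves analyst attention (empty if none)."""
    reasons = []
    if not event["ImageLoaded"].lower().startswith(STANDARD_DRIVER_DIRS):
        reasons.append("loaded from outside the standard driver directories")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("signature missing or invalid")
    if sha256_of(event) not in baseline:
        reasons.append("hash never seen before on the fleet")
    return reasons


def flag_driver_loads(events, baseline=FLEET_BASELINE):
    """Driver loads worth a closer look, with their reasons, in event order."""
    flagged = []
    for ev in events:
        reasons = triage_driver_load(ev, baseline)
        if reasons:
            flagged.append({"host": ev["host"], "image": ev["ImageLoaded"],
                            "signer": ev.get("Signature", ""), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_driver_loads(SAMPLE_DRIVER_LOADS):
        print(f"[REVIEW] {hit['host']} {hit['image']} (signer: {hit['signer'] or 'none'})")
        for r in hit["reasons"]:
            print(f"    - {r}")
```

Note that the `hwmon.sys` record passes the signature check entirely; it is caught by the load path and by its absence from the baseline. That is the general lesson of BYOVD for detection engineering: treat "signed" as a necessary condition for trust, not a sufficient one, and keep a prevalence baseline of which drivers actually load in your environment.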
“MDeployer is the main malicious loader that Embargo tries to deploy on machines in a compromised network – it facilitates the rest of the attack, which leads to the execution of ransomware and file encryption,” researchers Jan Holman and Tomáš Zvara said. “MS4Killer is expected to run indefinitely.”
“Both MDeployer and MS4Killer are written in Rust. The same is true for the ransomware payload, assuming Rust is the primary language for the group’s developers.”
According to data shared by Microsoft, 389 U.S. healthcare facilities were hit by ransomware attacks this fiscal year, costing them up to $900,000 a day in downtime. Some of the ransomware groups known to strike hospitals include Lace Tempest, Sangria Tempest, Cadenza Tempest, and Vanilla Tempest.
“Of the 99 healthcare organizations that admitted to paying the ransom and disclosed the ransom paid, the median payment was $1.5 million and the median payment was $4.4 million,” the tech giant said.