Qilin.B Ransomware

By Mezo in Ransomware

Translate To:

Cybersecurity specialists have identified an enhanced version of the Qilin Ransomware, showcasing greater complexity and refined strategies to avoid detection.

This variant is now cataloged by experts as Qilin.B. Significantly, Qilin.B employs AES-256-CTR encryption on systems with AESNI support, while maintaining the use of Chacha20 on systems without this capability. To protect encryption keys, it integrates RSA-4096 with OAEP padding, ensuring that decryption is infeasible without either the attacker’s private key or the capture of specific seed values.

Table of Contents

The Qilin Threat is Offered via a RaaS Scheme

Initially known as Agenda, the Qilin Ransomware drew attention from the cybersecurity community in July and August 2022. The first versions were developed in Golang but later transitioned to Rust.

According to a May 2023 report, the Ransomware-as-a-Service (RaaS) model for Qilin allocates between 80% and 85% of each ransom payment to its affiliates. Recent attacks attributed to this ransomware operation have focused on harvesting credentials stored in Google Chrome on a select few compromised systems, marking a shift from the usual double extortion tactics.

The Qilin.B Ransomware Displays Expanded Malevolent Capabilities

Analysis of the Qilin.B variant reveals that it builds on previous versions with expanded encryption options and refined operational tactics.

This includes leveraging AES-256-CTR or Chacha20 encryption while actively resisting analysis and detection by shutting down services tied to security tools, routinely clearing Windows Event Logs, and self-deleting after execution. Additionally, it is equipped to terminate processes related to backup and virtualization tools like Veeam, SQL, and SAP and remove the Shadow Volume Copies, making recovery more challenging.

Qilin.B’s advanced encryption, sophisticated evasion techniques, and targeted disruption of backup services position it as a particularly formidable ransomware variant.

The Dangers of Ransomware

Ransomware is still one of the most disruptive cyber threats, impacting individuals and businesses alike. This type of threat works by encrypting files on the targeted system, locking users out of their own data unless a ransom is paid. Ransom requests can range from a few hundred dollars to millions, depending on how valuable the compromised information is to the victim. However, even if a ransom is paid, there’s no certainty the attackers will follow through with a decryption key, leaving victims at a double loss—financially and in data accessibility.

Beyond financial losses, ransomware attacks can seriously disrupt operations. Companies may suffer from prolonged downtime, a loss of customer confidence, and potentially face legal consequences if sensitive data is exposed. The stress and uncertainty of dealing with ransomware can also cause a meaningful emotional toll on both individuals and organizations.

Effective Ransomware Defense Strategies

Routine Backups: One of the strongest defenses is keeping frequent backups of essential files. An organized backup plan, including off-site or cloud-stored snapshots, ensures that files can be recovered if an attack occurs, eliminating the need to pay a ransom.
Reliable Security Software: Using well-regarded security tools that offer real-time protection can help detect and block ransomware before it can compromise your system. Regular updates to these tools ensure they can recognize emerging threats.
Employee Awareness Training: Ransomware attacks often exploit human error through phishing or social engineering. Providing regular training for employees on identifying suspicious emails and links can significantly lower the risk of accidental ransomware infections.
Software and System Updates: Cybercriminals commonly exploit vulnerabilities in outdated software to deploy ransomware. Keeping all systems and applications up-to-date can help prevent these vulnerabilities from being exploited.
Network Segmentation: For organizations, segmenting networks can reduce the spread of ransomware by isolating critical assets. By doing so, companies can contain an attack, protecting sensitive data and minimizing potential damage.
Access Controls: Enforcing strict access permissions limits who can view or modify sensitive files. This reduces the likelihood of unauthorized actions that might result in a ransomware attack.

By incorporating these proactive security measures, users can strengthen their defense against ransomware and reduce the likelihood of falling victim to these damaging attacks.