Cybersecurity researchers have discovered an advanced version of the Qilin ransomware sporting increased sophistication and tactics to evade detection.
The new variant is being tracked by cybersecurity firm Halcyon under the moniker Qilin.B.
“Notably, Qilin.B now supports AES-256-CTR encryption for systems with AESNI capabilities, while still retaining Chacha20 for systems that lack this support,” the Halcyon Research Team said in a report shared with The Hacker News.
“Additionally, RSA-4096 with OAEP padding is used to safeguard encryption keys, making file decryption without the attacker’s private key or captured seed values impossible.”
Qilin, also known as Agenda, first came to the attention of the cybersecurity community in July/August 2022, with initial versions written in Golang before switching to Rust.
A May 2023 report from Group-IB revealed that the ransomware-as-a-service (RaaS) scheme allows its affiliates to anywhere between 80% to 85% of each ransom payment after it infiltrates the group and manages to strike a conversation with a Qilin recruiter.
Recent attacks linked to the ransomware operation have stolen credentials stored in Google Chrome browsers on a small set of compromised endpoints, signaling a departure of sorts from typical double extortion attacks.
Qilin.B samples analyzed by Halcyon show that it builds on older iterations with additional encryption capabilities and improved operational tactics.
This includes the use of AES-256-CTR or Chacha20 for encryption, in addition to taking steps to resist analysis and detection by terminating services associated with security tools, continuously clearing Windows Event Logs, and deleting itself.
It also packs in features to kill processes linked to backup and virtualization services like Veeam, SQL, and SAP, and delete volume shadow copies, thereby complicating recovery efforts.
“Qilin.B’s combination of enhanced encryption mechanisms, effective defense evasion tactics, and persistent disruption of backup systems marks it as a particularly dangerous ransomware variant,” Halcyon said.
The pernicious and persistent nature of the threat posed by ransomware is evidenced in the ongoing evolutionary tactics demonstrated by ransomware groups.
This is exemplified by the discovery of a new Rust-based toolset that has been used to deliver the nascent Embargo ransomware, but not before terminating endpoint detection and response (EDR) solutions installed on the host using the Bring Your Own Vulnerable Driver (BYOVD) technique.
Both the EDR killer, codenamed MS4Killer by ESET owing to its similarities to the open-source s4killer tool, and the ransomware is executed by means of a malicious loader referred to as MDeployer.
“MDeployer is the main malicious loader Embargo tries to deploy onto machines in the compromised network – it facilitates the rest of the attack, resulting in ransomware execution and file encryption,” researchers Jan Holman and Tomáš Zvara said. “MS4Killer is expected to run indefinitely.”
“Both MDeployer and MS4Killer are written in Rust. The same is true for the ransomware payload, suggesting Rust is the go-to language for the group’s developers.”
According to data shared by Microsoft, 389 U.S. healthcare institutions were hit by ransomware attacks this fiscal year, costing them up to $900,000 per day due to downtime. Some of the ransomware gangs known for striking hospitals include Lace Tempest, Sangria Tempest, Cadenza Tempest, and Vanilla Tempest.
“Out of the 99 healthcare organizations that admitted to paying the ransom and disclosed the ransom paid, the median payment was $1.5 million, and the average payment was $4.4 million,” the tech giant said.