Qilin, also known as Agenda, is a sophisticated and adaptable Ransomware-as-a-Service (RaaS) group that has rapidly gained notoriety in the cyber threat landscape. First observed in July 2022, Qilin has evolved from its initial Golang variant to a more robust Rust-based version, showcasing advanced malware and evasion techniques. The group is known for its highly customizable attacks, tailoring its methods to specific victim environments, and has recently made headlines with high-profile attacks, particularly in the healthcare sector. This article provides a deep dive into Qilin's origins, tactics, techniques, and procedures (TTPs), targets, attack campaigns, and, most importantly, the defense strategies organizations can employ to protect themselves.
Qilin ransomware first appeared in July 2022, initially known as Agenda. It quickly garnered attention due to its use of the Go programming language (Golang), which allowed for cross-platform compatibility, targeting both Windows and Linux systems. By September 2022, the group rebranded to Qilin, coinciding with the release of a more advanced Rust-based version. This shift to Rust improved the ransomware's efficiency, stealth, and ability to evade detection.
The name "Qilin" itself is derived from a mythical Chinese creature, often depicted as a chimerical beast with features resembling a dragon, unicorn, and deer, symbolizing strength and adaptability. Despite the Chinese name, the group is believed to be of Russian origin. This is supported by the fact that Qilin excludes Commonwealth of Independent States (CIS) countries from its targets, a common practice among Russian-speaking ransomware groups. Furthermore, Qilin actively recruits affiliates through hacker forums, often using the Russian language.
The evolution from Agenda to Qilin demonstrates the group's commitment to continuous improvement and adaptation. The introduction of the Rust variant, along with the RaaS model, has significantly broadened Qilin's reach and impact, making it a more dangerous and persistent threat. The transition has also introduced advanced obfuscation (renamed functions, altered control flow, and string encryption) to evade indicator-based (IoC) detection.
Qilin operates as a Ransomware-as-a-Service (RaaS), meaning the core developers create and maintain the ransomware, while affiliates are responsible for deploying it and conducting attacks. This model makes attribution and tracking TTPs more complex, as different affiliates may employ varying methods. However, some common tactics and techniques are associated with Qilin:
Initial Access: Qilin affiliates use various methods to gain initial access to victim networks:
* Spear Phishing: Targeted emails containing malicious attachments or links are a primary infection vector.
* Exploitation of Exposed Applications/Interfaces: Affiliates leverage vulnerabilities in publicly accessible applications and services, particularly Citrix and Remote Desktop Protocol (RDP). They have been observed to exploit vulnerabilities in products like Fortinet and Veeam Backup & Replication. Specific CVEs include CVE-2023-27532 (Veeam).
* External Remote Services: Brute-forcing VPN endpoints, with logs deleted after the intrusion.
Execution:
* User Execution (Malicious File): Deploying ransomware payloads, often disguised, that require a password to execute; the supplied password is compared as a SHA-256 hash. Command-line arguments are used for customization.
Privilege Escalation:
* Valid Accounts (Domain Accounts): Gaining account access by exploiting publicly available proof-of-concept (PoC) exploits.
* Access Token Manipulation: Achieving SYSTEM-level access using an embedded Mimikatz module for credential dumping, targeting processes such as lsass.exe, winlogon.exe, and wininit.exe. Stolen tokens are used to spawn elevated processes, and symbolic-link manipulation is used for stealth.
Defense Evasion:
* Indicator Removal: Deleting system logs (PowerShell and Windows System logs) before encryption; a dedicated thread continuously clears Windows Event Logs.
* Impair Defenses: Disabling or modifying security tools. The ransomware configuration can specify the processes and services to terminate through the process_black_list and win_services_black_list keys.
Discovery:
* Account Discovery (Domain Account): Performing domain enumeration with Get-ADComputer in PowerShell, installing the RSAT-AD-PowerShell feature first if it is not present.
Lateral Movement:
* Remote Services (SMB/Windows Admin Shares): Qilin has worm-like propagation capabilities, activated via the -spread command-line argument. It embeds Sysinternals PsExec for lateral movement, performs domain reconnaissance to identify targets, and modifies the registry (e.g., MaxMpxCt) to raise the limit on concurrent network requests. There is also evidence of self-distribution through VMware vCenter (-spread-vcenter).
* Post-exploitation tooling: Cobalt Strike, the SystemBC RAT, and the Sliver C2 framework.
Data Exfiltration: Before encryption, Qilin affiliates often exfiltrate sensitive data. This data is then used for double extortion – threatening to release it publicly if the ransom is not paid.
Encryption: Qilin employs a hybrid encryption scheme:
* Symmetric Encryption: Files are encrypted using AES-256 in CTR mode (with AES-NI support) or ChaCha20.
* Asymmetric Encryption: The symmetric key and initialization vector (IV) are then encrypted with an RSA-4096 public key. The attackers hold the corresponding private key, making decryption impossible without it.
* Customizable Encryption Modes: The ransomware operator can configure different encryption modes (e.g., "skip-step," "percent," "fast"), allowing for flexibility and potentially faster encryption.
* Filename Extensions: Encrypted file names are modified according to the affiliate's preferences.
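To make the encryption design concrete, here is an added Go example (not Qilin's code and not from the article's author) of the hybrid scheme the bullets above describe: a fresh AES-256 key and IV per file in CTR mode, with key and IV then wrapped under an RSA public key. The padding (RSA-OAEP with SHA-256) and the key size used in the demo (2048 bits to keep the run short; the article states the real samples use RSA-4096) are assumptions. The point for defenders is the last function: the file is recoverable only by whoever holds the private key, so there is no cryptographic shortcut, and tested offline backups are the control that matters.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const fileKeyLen = 32 // AES-256

// sealedFile is what a hybrid scheme leaves behind for one file: the CTR
// ciphertext plus the per-file key and IV wrapped under the operator's RSA key.
type sealedFile struct {
	Ciphertext []byte
	WrappedKey []byte // RSA-OAEP(key || iv); only the private key can open it
}

// sealFile encrypts plaintext with a fresh random AES-256-CTR key and IV, then
// wraps key||iv with the RSA public key. OAEP/SHA-256 is an assumption for the
// example; the article only states that an RSA-4096 public key is used.
func sealFile(pub *rsa.PublicKey, plaintext []byte) (*sealedFile, error) {
	keyIV := make([]byte, fileKeyLen+aes.BlockSize)
	if _, err := rand.Read(keyIV); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(keyIV[:fileKeyLen])
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, keyIV[fileKeyLen:]).XORKeyStream(ct, plaintext)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyIV, nil)
	if err != nil {
		return nil, err
	}
	return &sealedFile{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// openFile is the recovery path. Without the matching private key the OAEP
// unwrap fails, and a random 256-bit AES key cannot be guessed, so no other
// route recovers the file contents.
func openFile(priv *rsa.PrivateKey, sf *sealedFile) ([]byte, error) {
	keyIV, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sf.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	if len(keyIV) != fileKeyLen+aes.BlockSize {
		return nil, errors.New("unexpected wrapped key length")
	}
	block, err := aes.NewCipher(keyIV[:fileKeyLen])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(sf.Ciphertext))
	cipher.NewCTR(block, keyIV[fileKeyLen:]).XORKeyStream(pt, sf.Ciphertext)
	return pt, nil
}

// roundTrip seals plaintext under a fresh key pair of the given size and
// returns the recovered bytes, plus whether opening the same file with an
// unrelated key pair failed (it must).
func roundTrip(bits int, plaintext []byte) (recovered []byte, wrongKeyFails bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, false, err
	}
	sf, err := sealFile(&operator.PublicKey, plaintext)
	if err != nil {
		return nil, false, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, false, err
	}
	_, wrongErr := openFile(stranger, sf)
	recovered, err = openFile(operator, sf)
	return recovered, wrongErr != nil, err
}

func main() {
	msg := []byte("constructed sample: patient record 0001") // constructed input
	got, wrongFails, err := roundTrip(2048, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q wrongKeyFails=%v\n", got, wrongFails)
}
```

Because CTR mode is a stream cipher, the ciphertext is the same length as the plaintext and the encryptor can stop at any offset, which is what makes the "percent" and "skip-step" partial-encryption modes cheap to implement: only the amount of data actually fed through XORKeyStream changes.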
Impact:
* Inhibit System Recovery: Deleting backups, disabling the Volume Shadow Copy Service (VSS), and overwriting free disk space to hinder recovery efforts.
* System Shutdown/Reboot: Rebooting servers to hinder recovery.
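The techniques listed under Defense Evasion, Discovery, Lateral Movement, and Impact each leave a trace in standard Windows logging. The Go program below is an added example (not from the article or any vendor product) that maps them to event IDs: 1102 (Security) and 104 (System) for cleared logs, 4688 process creation for shadow-copy deletion via vssadmin, 7045 for the PSEXESVC service install, 4104 PowerShell script blocks containing Get-ADComputer, 4657 for a change to MaxMpxCt under the LanmanServer key (which only logs if a SACL is set on that key), and a burst of 7036 service-stop events on one host as a proxy for a kill list being applied. The event records, host names, service names, and thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// winEvent is a flattened Windows event record with only the fields the rules need.
// The shape is constructed for this example; a real pipeline would fill it from EVTX, Sysmon or EDR telemetry.
type winEvent struct {
	Channel string
	EventID int
	Host    string
	Time    int64 // unix seconds
	Fields  F     // CommandLine, ServiceName, ScriptBlockText, ObjectName, ...
}

type F = map[string]string

type finding struct{ Host, Rule, Detail string }

// stopBurstCount service stops on one host within stopBurstWindow seconds is treated as a kill list
// (process_black_list / win_services_black_list) being applied. Both thresholds are assumptions to tune locally.
const (
	stopBurstWindow int64 = 60
	stopBurstCount        = 5
)

// has reports whether s contains every needle, case-insensitively.
func has(s string, needles ...string) bool {
	s = strings.ToLower(s)
	for _, n := range needles {
		if !strings.Contains(s, strings.ToLower(n)) {
			return false
		}
	}
	return true
}

// detectQilinTTPs maps the Defense Evasion, Discovery, Lateral Movement and Impact techniques onto
// Windows event IDs: one finding per matching event, plus one per host for a service-stop burst.
func detectQilinTTPs(events []winEvent) []finding {
	var out []finding
	stops := map[string][]int64{} // host -> timestamps of 7036 "entered the stopped state" events
	for _, e := range events {
		f := e.Fields
		switch {
		case e.EventID == 1102 && e.Channel == "Security", e.EventID == 104 && e.Channel == "System":
			out = append(out, finding{e.Host, "log-cleared", fmt.Sprintf("event %d in %s log", e.EventID, e.Channel)})
		case e.EventID == 4688 && has(f["CommandLine"], "vssadmin", "delete shadows"):
			out = append(out, finding{e.Host, "shadow-copy-deletion", f["CommandLine"]})
		case e.EventID == 7045 && has(f["ServiceName"], "psexesvc"):
			out = append(out, finding{e.Host, "psexec-service-install", f["ImagePath"]})
		case e.EventID == 4104 && has(f["ScriptBlockText"], "get-adcomputer"):
			out = append(out, finding{e.Host, "ad-enumeration", f["ScriptBlockText"]})
		case e.EventID == 4657 && has(f["ObjectName"], `lanmanserver\parameters`) && has(f["ObjectValueName"], "maxmpxct"):
			out = append(out, finding{e.Host, "maxmpxct-registry-change", "new value " + f["NewValue"]})
		case e.EventID == 7036 && has(f["State"], "stopped"):
			stops[e.Host] = append(stops[e.Host], e.Time)
		}
	}
	// Burst check per host (map order is random; sort the hosts first if stable output matters).
	for h, ts := range stops {
		sort.Slice(ts, func(i, j int) bool { return ts[i] < ts[j] })
		for i := 0; i+stopBurstCount <= len(ts); i++ { // sliding window
			if ts[i+stopBurstCount-1]-ts[i] <= stopBurstWindow {
				out = append(out, finding{h, "mass-service-stop", fmt.Sprintf("%d services stopped within %ds", stopBurstCount, stopBurstWindow)})
				break
			}
		}
	}
	return out
}

// sampleEvents returns constructed records: one per rule, plus benign noise that must not fire.
func sampleEvents() []winEvent {
	evs := []winEvent{
		{"Microsoft-Windows-PowerShell/Operational", 4104, "ws01", 1000, F{"ScriptBlockText": "Import-Module ActiveDirectory; Get-ADComputer -Filter * | Select-Object Name"}},
		{"System", 7045, "srv02", 1100, F{"ServiceName": "PSEXESVC", "ImagePath": `%SystemRoot%\PSEXESVC.exe`}},
		{"Security", 4657, "srv02", 1105, F{"ObjectName": `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters`, "ObjectValueName": "MaxMpxCt", "NewValue": "65535"}},
		{"Security", 4688, "srv02", 1200, F{"CommandLine": `C:\Windows\System32\notepad.exe`}}, // benign
		{"System", 7036, "ws01", 1250, F{"ServiceName": "Spooler", "State": "stopped"}},      // lone stop, benign
		{"Security", 1102, "srv02", 1500, nil},
		{"Security", 4688, "srv02", 1510, F{"CommandLine": `vssadmin.exe delete shadows /all /quiet`}},
	}
	for i, name := range []string{"BackupAgent", "SQLWriter", "DbEngine", "MonitoringAgent", "AvService"} {
		evs = append(evs, winEvent{"System", 7036, "srv02", 1300 + int64(i*10), F{"ServiceName": name, "State": "stopped"}})
	}
	return evs
}

func main() {
	for _, f := range detectQilinTTPs(sampleEvents()) {
		fmt.Printf("%-6s %-26s %s\n", f.Host, f.Rule, f.Detail)
	}
}
```

Each rule on its own is noisy in a large estate (administrators install services and stop them too), so the useful signal is several of these firing on the same host within minutes; the burst rule is the one that most directly reflects the configured kill lists, and the 1102/104 events are worth forwarding to a collector precisely because the encryptor clears them locally.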
Ransom Note: A customized ransom note is left on infected systems, providing instructions for contacting the attackers and paying the ransom. This often includes a unique victim ID.
Target Exclusion: Notably, Qilin excludes countries belonging to the Commonwealth of Independent States (CIS), which is a characteristic of Russian-speaking ransomware groups.
Qilin ransomware has demonstrated a broad and opportunistic approach to targeting, affecting organizations across various industries and geographic regions. However, certain sectors have been disproportionately impacted:
Healthcare: The healthcare sector has been a primary target for Qilin, likely due to the critical nature of healthcare data and the potential for significant disruption. The attack on Synnovis, a UK-based medical laboratory company, impacting NHS hospitals, is a stark example.
Education: Educational institutions, particularly in Africa and Asia, have also been frequently targeted. This may be due to perceived weaker security postures and the potential for disrupting educational services.
Critical Infrastructure: Qilin has targeted organizations providing critical services, indicating a willingness to cause widespread disruption.
Manufacturing: The manufacturing sector has been targeted, potentially for intellectual property theft or operational disruption.
Legal and Professional Services: These sectors hold sensitive client data, making them attractive targets for extortion.
Financial Services: The financial services sector is also a target, potentially for intellectual property theft or operational disruption.
Geographically, Qilin's operations have been observed globally, with a notable presence in:
The United States
Canada
The United Kingdom
Australia
Several European Union Countries
Latin America
Asia
While Qilin's targeting appears opportunistic, the focus on healthcare and critical infrastructure highlights the potential for severe consequences. The double extortion tactic, combined with the potential for significant operational disruption, makes Qilin a particularly dangerous threat.
The group's RaaS model further complicates victimology, as different affiliates may have their own preferences and targeting strategies.
Qilin ransomware has been linked to several high-profile attacks, demonstrating its capabilities and the significant impact it can have on victim organizations. Some notable campaigns include:
Synnovis Attack (June 2024): This attack on Synnovis, a UK-based pathology services provider, caused a "critical incident" at several London hospitals, disrupting blood transfusions, test processing, and operations. Qilin claimed responsibility and demanded a $50 million ransom, later leaking approximately 400GB of purported Synnovis data. The group unusually claimed the attack was politically motivated, protesting the British government's involvement in an unspecified war – a claim met with skepticism.
Yanfeng Attack: Qilin attacked Yanfeng, an automotive parts supplier, causing severe disruption.
Australian Court Service: Qilin targeted and disrupted court services in Australia.
The Big Issue: Qilin also targeted the magazine "The Big Issue".
Healthcare and Public Health Sector (HPH) Attacks: Since October 2022, at least fifteen incidents involving Qilin/Agenda ransomware have impacted the HPH sector worldwide, with roughly half occurring in the United States.
These campaigns highlight Qilin's ability to disrupt critical services, cause significant financial damage, and potentially endanger lives, particularly in the healthcare sector. The Synnovis attack, in particular, demonstrates the real-world consequences of ransomware attacks and the challenges faced by healthcare providers in defending against them. The claim of responsibility for over 60 attacks since January 2024 demonstrates significant recent activity.
Defending against Qilin ransomware requires a multi-layered approach, encompassing technical controls, employee training, and incident response planning. Here are some key defense strategies:
Robust Anti-Malware and EDR Solutions: Deploy and maintain up-to-date anti-malware software and Endpoint Detection and Response (EDR) solutions. These tools can detect and block known ransomware variants and identify suspicious behavior indicative of an attack. Look for solutions with heuristic analysis, machine learning capabilities, and rollback features.
Timely Patch Management: Regularly update operating systems, applications, and firmware, especially on internet-facing systems. Prioritize patching the known vulnerabilities exploited by Qilin, such as those in Fortinet and Veeam products.
Vulnerability Scanning and Management: Conduct regular vulnerability scans to identify and remediate weaknesses in your network and systems.
Strong Authentication and Access Controls:
* Multi-Factor Authentication (MFA): Enforce MFA for all user accounts, especially for remote access and privileged accounts.
* Strong Password Policies: Implement and enforce strong, unique passwords. Regularly require password changes.
* Least Privilege Principle: Grant users only the minimum necessary access rights to perform their job functions.
Network Segmentation: Segment your network to limit the lateral movement of attackers in case of a breach. This can help contain the spread of ransomware.
Data Backup and Disaster Recovery:
* Regular Backups: Implement a robust backup strategy, including regular backups of critical data and systems.
* Offline Backups: Store backups offline and offsite to protect them from encryption or deletion by ransomware.
* Immutable Backups: Utilize immutable backups, which cannot be altered or deleted, to ensure data recovery.
* Backup Testing: Regularly test your backup and recovery procedures to ensure they are effective.
Employee Security Awareness Training:
* Phishing Awareness: Train employees to recognize and avoid phishing emails, malicious attachments, and suspicious links.
* Social Engineering Awareness: Educate employees about social engineering tactics used by attackers to gain access to systems or information.
Incident Response Plan: Develop and regularly test an incident response plan that outlines procedures for responding to a ransomware attack. This plan should include roles and responsibilities, communication protocols, and steps for containment, eradication, and recovery.
Threat Intelligence: Use threat intelligence sources and platforms to stay informed about Qilin's tactics, techniques, and procedures.
Network Monitoring: Implement network monitoring tools to detect unusual activity, such as large data transfers or connections to known malicious IP addresses.
Disable Unnecessary Services: Disable unnecessary services and protocols, such as RDP, wherever they are not required.
Account Monitoring: Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
Software Restriction: Require administrator credentials to install software.
By implementing these defense strategies, organizations can significantly reduce their risk of falling victim to Qilin ransomware and other similar threats.
Qilin ransomware represents a significant and evolving threat to organizations worldwide, particularly those in the healthcare, education, and critical infrastructure sectors. Its RaaS model, advanced technical capabilities, and use of double extortion tactics make it a formidable adversary. The recent Synnovis attack serves as a stark reminder of the real-world impact of ransomware and the potential for severe consequences.
However, by understanding Qilin's origins, tactics, and targets, organizations can take proactive steps to defend themselves. A multi-layered security approach, encompassing technical controls, employee training, and incident response planning, is essential for mitigating the risk of Qilin and other ransomware threats. Continuous vigilance, adaptation, and a commitment to cybersecurity best practices are crucial for staying ahead of this evolving threat landscape.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.