Qilin.B New Variant Disrupts Backups and Evades Detection Tools
Threat Group: Qilin (formerly Agenda)
Threat Type: Ransomware-as-a-Service (RaaS)
Exploited Vulnerabilities: Weak credentials, network misconfigurations
Malware Used: Qilin.B variant
Threat Score: High (8.5/10) — Due to enhanced encryption, evasion, and the ability to disrupt backup systems.
Last Threat Observation: October 2024, spotted in attacks against healthcare and large enterprises.
Overview
Qilin.B is a new variant of the Qilin ransomware, a RaaS operation. This strain has evolved with advanced encryption techniques and enhanced evasion capabilities. It specifically targets critical systems such as backups and network infrastructure, significantly complicating recovery efforts for organizations. Recent attacks indicate that Qilin.B is particularly dangerous for sectors like healthcare, where downtime can have life-threatening consequences.
Key Details
- Delivery Method: Phishing emails, compromised remote management tools, and exploitation of vulnerabilities in enterprise environments.
- Target: Healthcare, industrials, and other high-value sectors.
- Encryption: Uses AES-256-CTR, falling back to ChaCha20 on systems that lack AES hardware acceleration.
- Defense Evasion: Terminates processes linked to security tools (e.g., Sophos, Veeam), clears event logs, and deletes shadow copies to prevent data recovery.
- Credential Theft: Includes scripts to steal credentials stored in browsers like Google Chrome.
- Obfuscation: Deletes its binaries post-encryption and clears logs, making detection and forensic analysis difficult.
Attack Vectors
Qilin.B exploits network misconfigurations and weak credentials, often gaining initial access via phishing or by compromising remote access tools. Once inside, it employs scripts to steal credentials and deploys its ransomware across the network. It targets both local and networked drives and disrupts recovery processes by disabling backups and wiping shadow copies.
Known Indicators of Compromise (IoCs)
- Encrypted files with random extensions.
- Ransom notes typically named [random_string]-RECOVER-README.txt.
- Use of AES-256 for file encryption and RSA-2048 for encrypting keys.
- Network compromises with evidence of Cobalt Strike servers, such as URLs like security-socks[.]expert.
- Attacks often involve disabling security defenses like Windows Defender and the use of tools such as PCHunter64.exe for disabling protections and performing reconnaissance.
Qilin.B frequently targets sectors like healthcare and education and uses methods like phishing, RDP-based attacks, and malware dissemination through malicious hyperlinks. It is highly adaptable, allowing attackers to tailor the malware to specific environments.
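As an added example (not part of the original advisory), the Python below checks a file inventory for the two file-system indicators listed above: ransom notes matching the [random_string]-RECOVER-README.txt pattern, and clusters of files that carry an unfamiliar extension appended after a normal document extension. The sample paths, the list of known extensions and the cluster threshold are constructed assumptions, not data from real Qilin.B cases.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample of paths as they might appear in a file-share inventory
# or EDR telemetry; the random string "Xk9pQ2" is invented for this example.
SAMPLE_PATHS = [
    "/srv/share/finance/q3.xlsx.Xk9pQ2",
    "/srv/share/finance/budget.docx.Xk9pQ2",
    "/srv/share/finance/Xk9pQ2-RECOVER-README.txt",
    "/srv/share/hr/handbook.pdf",
    "/srv/share/hr/onboarding.pptx.Xk9pQ2",
    "/srv/share/hr/Xk9pQ2-RECOVER-README.txt",
    "/srv/share/it/inventory.csv",
    "/srv/share/it/notes.txt",
]

# Ransom note naming pattern from the advisory: <random string>-RECOVER-README.txt
RANSOM_NOTE_RE = re.compile(r"^.+-RECOVER-README\.txt$", re.IGNORECASE)

# Assumed set of ordinary extensions; an unknown extension appended after one
# of these (name.docx.Xk9pQ2) is the encrypted-file shape described above.
KNOWN_EXTS = {"txt", "csv", "pdf", "doc", "docx", "xls", "xlsx",
              "ppt", "pptx", "jpg", "png", "zip"}


def find_ransom_notes(paths):
    """Return every path whose file name matches the ransom note pattern."""
    return [p for p in paths if RANSOM_NOTE_RE.match(PurePosixPath(p).name)]


def suspicious_extensions(paths, min_count=3):
    """Return {ext: count} for unknown extensions appended after a known one,
    keeping only those seen on at least min_count files so a single odd file
    does not trigger while an encryption run (many files, one extension) does."""
    counts = Counter()
    for p in paths:
        parts = PurePosixPath(p).name.split(".")
        if (len(parts) >= 3 and parts[-2].lower() in KNOWN_EXTS
                and parts[-1].lower() not in KNOWN_EXTS):
            counts[parts[-1]] += 1
    return {ext: n for ext, n in counts.items() if n >= min_count}


def assess(paths):
    """Combine both indicators into a simple triage verdict."""
    notes, exts = find_ransom_notes(paths), suspicious_extensions(paths)
    verdict = ("likely-encryption-run" if notes and exts
               else "investigate" if notes or exts else "clean")
    return {"ransom_notes": notes, "suspicious_extensions": exts, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_PATHS))
```

In practice the path list would come from a share crawl or EDR file-event export, and a hit should be correlated with the shadow-copy deletion and log-clearing behaviour noted above.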
Mitigation and Prevention
- User Awareness: Train employees to recognize phishing attempts.
- Email Filtering: Implement advanced email filtering to block malicious attachments.
- Antivirus Protection: Ensure endpoint detection solutions can detect fileless attacks.
- Two-Factor Authentication (2FA): Enforce 2FA, especially for privileged accounts.
- Monitor Logs: Regularly monitor and archive logs to detect unauthorized changes.
- Regular Updates: Patch known vulnerabilities in systems promptly, particularly on backup systems and remote access software.
Conclusion
Qilin.B represents a significant evolution in the ransomware space, particularly for industries dependent on critical infrastructure. Its ability to evade detection, coupled with robust encryption and credential theft tactics, makes it a formidable threat. Organizations are urged to enhance their backup, monitoring, and response capabilities to mitigate this risk.