Cyber999 Advisories

30 March 2025     Advisory

MA-1300.032025: MyCERT Advisory - Qilin Ransomware


1.0 Introduction
Qilin Ransomware, also known as Agenda Ransomware, is a highly sophisticated cyber threat group that emerged in 2022 and has since become a significant player in the ransomware landscape. Its name may be inspired by the mythical Chinese creature Qilin, symbolizing adaptability and strength, though the group is believed to originate from Russia. Operating as a Ransomware-as-a-Service (RaaS), Qilin enables affiliates to deploy customized ransomware attacks, making it a versatile and formidable threat. What sets Qilin apart is its use of advanced evasion techniques, cross-platform functionality, and its ability to execute targeted attacks. The ransomware is written in Go (Golang) and Rust, programming languages known for their efficiency and cross-platform compatibility, which allows it to target both Windows and Linux systems with ease.

The primary objective of Qilin ransomware is financial extortion, achieved by encrypting victims' data and demanding ransom payments. It primarily targets critical industries such as healthcare, finance, education, and manufacturing, sectors that rely heavily on sensitive data but often lack strong cybersecurity defences. Qilin is distributed through phishing emails, malicious attachments, and exploit kits, often leveraging unpatched vulnerabilities and weak security configurations to infiltrate systems. The group has compromised over 150 organizations, demonstrating its widespread impact and ability to execute highly damaging ransomware attacks.

2.0 Impact
Qilin Ransomware can have devastating consequences for affected organizations. The primary impact includes data encryption, rendering critical files inaccessible, and causing operational disruptions. Additionally, Qilin operators engage in double extortion, threatening to publish stolen data if the ransom is not paid. This tactic can lead to reputational damage, financial loss, legal repercussions, and compliance violations. The downtime associated with a Qilin attack can be prolonged, affecting business continuity and leading to significant revenue losses.

3.0 Targets

  • Qilin Ransomware primarily targets Windows and Linux-based systems, making it a cross-platform threat. 
  • Qilin Ransomware targets industrials, professional & commercial services, consumer cyclicals, healthcare, technology, financials and other sectors.


4.0 Technical Details
4.1 Initial Infection
Qilin ransomware typically gains access to systems through multiple attack vectors. One of the most frequent methods involves phishing emails that contain malicious attachments or embedded links. When unsuspecting users open these attachments or click the links, the ransomware payload is downloaded and executed. In addition to phishing, Qilin takes advantage of known vulnerabilities in operating systems and software, exploiting security weaknesses to infiltrate networks. Another commonly used technique is attacking Remote Desktop Protocol (RDP) services, where cybercriminals target misconfigured or weakly secured RDP settings to gain unauthorized access and deploy the ransomware within the system.

4.2 Payload Delivery
After gaining initial access, Qilin ransomware employs sophisticated obfuscation techniques to evade detection. Its code is packed to disguise its true purpose, making it harder to identify through static analysis. Additionally, Qilin utilizes various code obfuscation strategies, including renaming functions, modifying control flows, and encrypting strings, which complicates reverse engineering efforts. These tactics make it difficult to detect the ransomware using traditional Indicators of Compromise (IoCs) found lower on the pyramid of pain.

To further hinder analysis, Qilin integrates anti-analysis mechanisms designed to identify and disable debugging and sandbox environments. It actively scans for virtual machines and common sandbox artifacts to evade dynamic analysis, preventing security researchers from closely examining its behavior. Although Qilin follows a typical ransomware attack chain, its success lies in the effectiveness of its evasion strategies, allowing it to execute attacks while avoiding early detection.

4.3 Execution and Persistence
Once Qilin is successfully deployed, it attempts to escalate its privileges to obtain administrative control over the compromised system. To achieve this, it may exploit system vulnerabilities or leverage legitimate administrative tools like PowerShell and PsExec to gain higher-level access. With elevated privileges, Qilin conducts network reconnaissance to locate additional targets. It systematically scans the network to identify connected systems, shared resources, and active services. Additionally, it engages in credential dumping to extract passwords and authentication credentials, enabling it to spread laterally. By using compromised credentials, Qilin can infiltrate other machines within the network, increasing its reach and impact.


Figure 1: A sample written in Golang uses PsExec for remote execution

4.4 Data Encryption
Qilin ransomware employs a sophisticated encryption process that integrates both symmetric and asymmetric encryption to effectively lock files. Initially, it utilizes symmetric encryption to encrypt the victim’s data using a randomly generated key. To ensure that only the attackers can decrypt the files, this symmetric key is further encrypted with a public RSA key, meaning the corresponding private RSA key—held exclusively by the attackers—is required for decryption.

To maximize damage and increase pressure on victims, Qilin targets a broad range of file types, including documents, databases, and backup files, making data recovery difficult without paying the ransom. However, it deliberately avoids encrypting critical system files to keep the operating system functional. This ensures that the victim can still access the ransom note and follow the attacker's instructions for payment and potential decryption.


Figure 2: Qilin's recruitment post includes details about its functionality; the encryption algorithms mentioned are ChaCha20, AES and RSA-4096

4.5 Ransom Note and Extortion
Once the encryption process is complete, Qilin places a customized ransom note on the compromised system. This note generally specifies the ransom amount, which is typically demanded in cryptocurrency, along with detailed instructions on how to reach the attackers for payment and file decryption. Additionally, the note often includes threats, warning victims that their stolen data may be leaked or permanently lost if the ransom is not paid within a set deadline.


Figure 3: Sample Qilin ransom note

4.6 Communication and Payment
Victims are instructed to contact the attackers through Dark Web portals or encrypted messaging platforms, which help maintain the attackers' anonymity and make it difficult for law enforcement to trace communications. Ransom payments are typically required in cryptocurrencies like Bitcoin or Monero, ensuring anonymity and reducing the chances of tracking financial transactions. However, even if the ransom is paid, there is no certainty that the attackers will provide the necessary decryption tools to restore the encrypted data.


Figure 4: Victims are instructed to download the TOR Browser and redirected to their dark web portals 

4.7 Clean-up and Cover-up
To evade detection and hinder forensic investigations, Qilin ransomware systematically deletes logs and other traces of its activity. This includes wiping event logs and eliminating temporary files generated during the attack. In some cases, Qilin is also designed to self-delete once its objectives are achieved, making post-incident analysis and response even more challenging for cybersecurity teams.
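Two of the behaviours described above leave distinctive traces in Windows event logs: the PsExec remote execution shown in Figure 1 (Section 4.3) installs a helper service on the target, which Windows records as a service-install event, and the log wiping described in Section 4.7 itself generates "log cleared" events. The following is an added detection example written for this advisory; it is not code from MyCERT or from any vendor product. The event records are constructed for illustration, the field names follow the usual Windows EventData names, and the reference to T1569.002 is the entry from the ATT&CK table in Section 6.0.

```python
"""Added example (not from the advisory): toy detection logic for two behaviours
that Section 4.3/Figure 1 and Section 4.7 attribute to Qilin: remote execution
via PsExec, and clearing of Windows event logs. Records below are constructed."""
from dataclasses import dataclass, field


@dataclass
class WinEvent:
    """Minimal view of a Windows event: channel, EventID and selected EventData fields."""
    channel: str
    event_id: int
    data: dict = field(default_factory=dict)


# Constructed sample records; they do not come from any real incident.
SAMPLE_EVENTS = [
    # PsExec installs its helper service on the target, logged as a service install (7045).
    WinEvent("System", 7045, {"ServiceName": "PSEXESVC",
                              "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
                              "AccountName": "LocalSystem"}),
    # Ordinary service install: should not alert.
    WinEvent("System", 7045, {"ServiceName": "Spooler",
                              "ImagePath": r"C:\Windows\System32\spoolsv.exe",
                              "AccountName": "LocalSystem"}),
    # Security audit log cleared (Event ID 1102) and System log cleared (Event ID 104).
    WinEvent("Security", 1102, {"SubjectUserName": "svc-backup"}),
    WinEvent("System", 104, {"Channel": "System", "SubjectUserName": "svc-backup"}),
    # Routine interactive logon: should not alert.
    WinEvent("Security", 4624, {"TargetUserName": "alice", "LogonType": "2"}),
]


def detect_psexec_service(ev):
    """Flag Event ID 7045 service installs whose name or image path points at PSEXESVC.

    Caveat: PsExec can install the service under another name (its -r option),
    so this catches the default configuration only; pair it with 4688/Sysmon
    process-creation telemetry to cover the renamed case."""
    if ev.channel != "System" or ev.event_id != 7045:
        return None
    name = ev.data.get("ServiceName", "").upper()
    path = ev.data.get("ImagePath", "").upper()
    if "PSEXESVC" in name or "PSEXESVC" in path:
        return {"rule": "psexec_service_install", "ref": "Section 4.3 / T1569.002",
                "service": ev.data.get("ServiceName"), "image": ev.data.get("ImagePath")}
    return None


def detect_log_cleared(ev):
    """Flag the two events Windows writes when an event log is cleared."""
    if (ev.channel, ev.event_id) in {("Security", 1102), ("System", 104)}:
        return {"rule": "event_log_cleared", "ref": "Section 4.7",
                "channel": ev.data.get("Channel", ev.channel),
                "user": ev.data.get("SubjectUserName")}
    return None


RULES = (detect_psexec_service, detect_log_cleared)


def run_detections(events):
    """Apply every rule to every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Because the advisory notes that Qilin wipes logs after the fact, the 1102/104 rule only helps if events are forwarded off the host (to a SIEM or Windows Event Forwarding collector) before the local log is cleared; the "log cleared" event is often the last record that reaches the collector from a compromised host.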

5.0 Indicators of Compromise (IoCs)

Type      Indicator
MD5       64ca549e78ad1bd34abd2834b0f81080
SHA-1     493ff413528f752c5fce3ceabd89d2ab37397b86
SHA-256   93c16c11ffca4ede29338eac53ca9f7c4fbcf68b8ea85ea5ae91a9e00dc77f01

MD5       eb6fff4ee0f03ae5191f11570ff221c5
SHA-1     c2dfbf554e068195ecc40bebd0617ce09ad65784
SHA-256   54ff98956c3a0a3bc03a5f43d2c801ebcc1255bed644c78bad55d7f7beebd294

MD5       923c5af6fd29158b757fb876979d250b
SHA-1     6b3e3ff0495d39c85eca41f336bfd5ff92c97412
SHA-256   9e1f8165ca3265ef0ff2d479370518a5f3f4467cd31a7b4b006011621a2dd752

MD5       31edb01d243e8d989eb7e5aeeeef54dc
SHA-1     05f60fc706754b317ffc7839a2b0490f7cd6f71d
SHA-256   e4882b8e4e144e983cf003a5c4038043002a004b63c4f0844a15268332597e80

MD5       a7ab0969bf6641cd0c7228ae95f6d217
SHA-1     002971b6d178698bf7930b5b89c201750d80a07e
SHA-256   117fc30c25b1f28cd923b530ab9f91a0a818925b0b8998bc9a7f820a9e630464

MD5       417ad60624345ef85e648038e18902ab
SHA-1     e18ef6975ef8fce97790fb8ae583caad1ec7d5b3
SHA-256   555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4

MD5       e01776ec67b9f1ae780c3e24ecc4bf06
SHA-1     3ef805009f8694e78699932563c09ac3b6bc08a5
SHA-256   0629cd5e187174cb69f3489675f8c84cc0236f1f1200be384ed6c1a9aa1ce7a1

MD5       63b89a42c39b2b56aae433712f96f619
SHA-1     50927809fa3f1ec408d7a1715a714831f41160db
SHA-256   bf9fc34ef4734520a1f65c1ec0a91b563bf002ac63982cbd2df10791493e9147

MD5       d0a711e4a51891ddf00f704d508b1ef2
SHA-1     d9ea05933353d1f32b18696877a3396140022f03
SHA-256   cd27a31e618fe93df37603e5ece3352a91f27671ee73bdc8ce9ad793cad72a0f

MD5       14dec91fdcaab96f51382a43adb84016
SHA-1     a85d9d2a3913011cd282abc7d9711b2346c23899
SHA-256   37546b811e369547c8bd631fa4399730d3bd4aff635e744d83632b74f44f56cf6

MD5       88bb8649cb9411a9692f9c8e67ed32c
SHA-1     82f8060575de96dc4edf4f7b02ec31ba7637fa03
SHA-256   c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40

MD5       470d0261d18ed69990ce94f05d940de1
SHA-1     890581fca724935118606a4d92dbc206f9eff04c
SHA-256   411b2ed12df1ace6559d3ea666c672617ce23e2ace06806bb53c55bcccb83303

MD5       d67303ba66bcb4dd89de87c83f3f831f
SHA-1     34bfe0c8aa61f90ca03b7e80271d5a8afae0be4b
SHA-256   8e1eb0ad22236e325387fdb45aea63f318a672c5d035a21d7b3a64eeafb4c5a2

MD5       440810b008eed766f085b69b1723f54b
SHA-1     9692644974071cd484455e355f8d79ce8c486e20
SHA-256   aa0772fc6784799d59649654879c2b4a23919cda410bede0162751e6d6d6b558

MD5       6b7eeb860917aa44982d8bd2d971aff1
SHA-1     d4e3a066e1c1a21e3d44f2ef81a94aec42f5df11
SHA-256   ebb2a1b46a13c308ffe62dda4d9da316d550433707b2c2a38ad710ea4456c608

MD5       a42d36f1af2c396e645ffa356fa47a1e
SHA-1     5914e976598ece1a271a60615a17420319a77812
SHA-256   ceed9fdce420c0558e56bb705664d59f67d62c12d7356ca8643908261638b256

MD5       e1d41939dc4cc4116cc3439a01cfb666
SHA-1     6e35dfdf0d09a0313a33fcc6c77f4fe00a79b9dc
SHA-256   5e9fc42cf65e1a87e953d00cb2755d3b5b00c1414259534c3a85742295bb6ff9

MD5       1410b418a078559581725d14fa389cdd
SHA-1     081cd6c242d472db9148fd0ce33346f7a3e87ac2
SHA-256   a25097d2ae808df410c2f35d725a500fb680f38605e62c9e3b619e389ef6733f
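Before loading a published hash list into a scanner or SIEM, it is worth validating each entry: an MD5 must be 32 hex characters, a SHA-1 40 and a SHA-256 64, and a copy-paste or transcription slip produces an indicator that can never match anything. The following is an added example, written for this advisory and not MyCERT's own tooling, that validates a list of hashes, drops the malformed ones, and hashes every file under a directory in a single pass to look for matches. The `ADVISORY_HASHES` list is a verbatim subset of the table above (so the validator reports on the real entries); the benign file the demo creates is constructed, and its own digest is added to a copy of the list purely to show that a hit is reported.

```python
"""Added example (not from the advisory): validate a hash IoC list and scan a
directory tree against it. The IoC subset is copied verbatim from Section 5.0;
the scanned file is a constructed benign file."""
import hashlib
import os
import tempfile

# Expected hex length per digest type, used to sanity-check the IoC list.
HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64}

# Subset of the file hashes from Section 5.0 of this advisory, copied verbatim.
ADVISORY_HASHES = [
    ("MD5", "64ca549e78ad1bd34abd2834b0f81080"),
    ("SHA-1", "493ff413528f752c5fce3ceabd89d2ab37397b86"),
    ("SHA-256", "93c16c11ffca4ede29338eac53ca9f7c4fbcf68b8ea85ea5ae91a9e00dc77f01"),
    ("SHA-256", "37546b811e369547c8bd631fa4399730d3bd4aff635e744d83632b74f44f56cf6"),
    ("MD5", "88bb8649cb9411a9692f9c8e67ed32c"),
]


def validate_iocs(entries):
    """Return (type, value, reason) for every entry that cannot be a valid digest."""
    bad = []
    for kind, value in entries:
        expected = HEX_LEN.get(kind)
        if expected is None:
            bad.append((kind, value, "unknown digest type"))
        elif len(value) != expected:
            bad.append((kind, value, f"length {len(value)}, expected {expected}"))
        elif any(c not in "0123456789abcdefABCDEF" for c in value):
            bad.append((kind, value, "non-hex character"))
    return bad


def usable_iocs(entries):
    """Lower-cased set of the well-formed (type, digest) pairs, ready for lookup."""
    bad = {(k, v) for k, v, _ in validate_iocs(entries)}
    return {(k, v.lower()) for k, v in entries if (k, v) not in bad}


def hash_file(path, chunk=1 << 20):
    """Compute all three digests of a file in a single pass."""
    digests = {"MD5": hashlib.md5(), "SHA-1": hashlib.sha1(), "SHA-256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {k: d.hexdigest() for k, d in digests.items()}


def scan_tree(root, iocs):
    """Walk root and return (path, digest type, digest) for every IoC hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable file: record it in production rather than skipping silently
            for kind, value in digests.items():
                if (kind, value) in iocs:
                    hits.append((path, kind, value))
    return hits


def demo():
    """Self-contained run: a constructed benign file stands in for a sample."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "notes.txt")
        with open(benign, "wb") as fh:
            fh.write(b"constructed benign content, not malware\n")
        clean_hits = scan_tree(tmp, usable_iocs(ADVISORY_HASHES))
        # Add the benign file's own SHA-256 to a copy of the list to demonstrate a hit.
        extended = ADVISORY_HASHES + [("SHA-256", hash_file(benign)["SHA-256"])]
        hits = scan_tree(tmp, usable_iocs(extended))
    return {
        "malformed": validate_iocs(ADVISORY_HASHES),
        "hits_against_advisory_list": clean_hits,
        "hits_after_adding_test_hash": [(os.path.basename(p), k) for p, k, _ in hits],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Run against the subset above, the validator reports two entries that cannot match as printed (one MD5 of 31 characters and one SHA-256 of 65); the corresponding file name in the "File Names" list below shows a 64-character SHA-256 that differs by one character, so the table value should be cross-checked against the original source before it is deployed. Hash matching also only catches the exact samples listed; the obfuscation and packing described in Section 4.2 mean new builds will carry different hashes, so treat these as a starting point rather than a complete control.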

File Names

Type        Indicator
File Name   decryptor_399060b2.exe
File Name   enc.exe
File Name   8e1eb0ad22236e325387fdb45aea63f318a672c5d035a21d7b3a64eeafb4c5a2
File Name   555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4.elf
File Name   99.dll
File Name   update.exe
File Name   inter.exe
File Name   ceed9fdce420c0558e56bb705664d59f67d62c12d7356ca864390826
File Name   e1d41939dc4cc4116cc3439a01cfb666
File Name   BackupsFrst.exe1
File Name   2023-12-15_63b89a42c39b2b56aae433712f96f619_revil
File Name   update.exe
File Name   31edb01d243e8d989eb7e5aeeeef54dc.virus
File Name   2023-11-14_d0a711e4a51891ddf00f704d508b1ef2_revil
File Name   0629cd5e187174cb69f3489675f8c84cc0236f11f200be384ed6c1a9aa1ce7a1.elf
File Name   c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll
File Name   55ee6bb3deb3385052d7f57e6a48c3c5bba0f558f0d17653908550ffe37e1bea
File Name   37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
File Name   enc.exe

Detection Names

Detection Name                           Vendor
Gen:Variant.Ransom.Agenda.1              BitDefender
Gen:Variant.Ransom.Agenda.1 (B)          Emsisoft
W32/QilinCrypt!tr.ransom                 Fortinet
HEUR:Trojan-Ransom.Linux.Qilin.a         Kaspersky
Trojan:Win64/AgendaGoLauncher.A!dha      Microsoft
Ransom:Win32/QilinCrypt.PA!MTB           Microsoft
Ransom:Win32/Qilin.MA!MTB                Microsoft
Ransom:Linux/Qilin.A!MTB                 Microsoft
Ransom.Qilin                             Symantec
Gen:Variant.Ransom.Agenda.1              Trellix (FireEye)
Trojan.Win64.AGENDA.SVT                  Trend Micro
Ransom.Win32.AGENDA.SMYXDL               Trend Micro
Ransom.Win32.AGENDA.YXECJT               Trend Micro
Ransom.Linux.AGENDA.YXDLOT               Trend Micro
Ransom.Win32.AGENDA.THIAIBB              Trend Micro
Ransom.Win32.QILIN.R002C0XK523           Trend Micro
HEUR:Trojan-Ransom.Linux.Qilin.a         ZoneAlarm by Check Point


6.0 MITRE ATT&CK Framework

Tactic                 Technique                                            ID
Initial Access         Valid Accounts                                       T1078
Initial Access         Phishing                                             T1566
Initial Access         Spearphishing Attachment                             T1566.001
Initial Access         Spearphishing Link                                   T1566.002
Initial Access         Exploit Public-Facing Application                    T1190
Execution              Scheduled Task/Job                                   T1053
Execution              Command and Scripting Interpreter                    T1059.003
Execution              PowerShell                                           T1059.001
Persistence            Boot or Logon Initialization Scripts                 T1037
Privilege Escalation   Exploitation of Vulnerabilities                      T1068
Privilege Escalation   Abuse Elevation Control Mechanism                    T1548
Defense Evasion        Process Injection                                    T1055
Defense Evasion        Rootkit                                              T1014
Defense Evasion        Exploitation for Defense Evasion                     T1211
Defense Evasion        Execution Guardrails                                 T1480
Defense Evasion        Virtualization/Sandbox Evasion                       T1497
Defense Evasion        Obfuscated Files or Information                      T1027
Credential Access      OS Credential Dumping, LSASS Memory                  T1003, T1003.001
Discovery              System Information Discovery                         T1082
Discovery              Application Window Discovery                         T1010
Discovery              Network Service Scanning                             T1046
Discovery              Remote System Discovery                              T1018
Lateral Movement       Remote Services, Remote Desktop Protocol, SSH        T1021, T1021.001, T1021.004
Lateral Movement       Lateral Tool Transfer                                T1570
Execution              System Services: Service Execution                   T1569.002
Collection             Data from Local System                               T1005
Exfiltration           Exfiltration Over Other Network Medium, Bluetooth    T1011, T1011.001
Command and Control    Data Obfuscation, Junk Data                          T1001, T1001.001
Impact                 Data Encrypted for Impact                            T1486
Impact                 Data Destruction                                     T1485
Impact                 Inhibit System Recovery                              T1490
Impact                 Disk Wipe                                            T1561.001


7.0 Recommendations
CyberSecurity Malaysia recommends that system administrators review this advisory and implement the mitigations recommended below for immediate protection against Qilin Ransomware and other ransomware incidents. 

7.1 Recommendations for System Administrators:

  1. Implement a recovery plan to maintain and retain multiple copies of sensitive and proprietary data and servers in a physically separate, segmented and secure location.
  2. Organisations must proactively monitor and screen for credentials that may have been compromised by a Qilin infection; any compromised credentials must be rectified immediately by changing the passwords to strong passwords.
  3. Implement password revocation to enforce password changes.
  4. Encourage employees to use secure password managers and longer passphrases, avoid using the same password for multiple accounts and set reminders to change passwords after several months.
  5. Use multi-factor authentication to identify and protect the businesses' critical assets and access to critical information systems.
  6. Restrict access authorisations according to user roles and develop an authorisation policy to secure idle accounts; automatically lock accounts and alert IT staff after several failed login attempts.
  7. Review Active Directory (AD) to locate and close existing backdoors, such as compromised service accounts, which often have administrative privileges and are frequently targeted by attackers who aim to steal credentials.
  8. Keep all operating systems, software and firmware up to date and patched regularly.
  9. Perform data backups daily and test them regularly. Place backup copies in a remote location.
  10. Enforce phishing-resistant multi-factor authentication for administrator accounts.
  11. Segment networks to prevent the spread of ransomware, which helps to restrict adversary lateral movement.
  12. Install, regularly update and enable real-time detection for anti-virus software on all hosts.
  13. Review domain controllers, servers, workstations and Active Directory for new and/or unrecognised accounts.
  14. Maintain offline backups of data and regularly test backup and restoration. Ensure all backup data is encrypted.
  15. Information security (IS) awareness training should be conducted for all staff at least once a year.
  16. Do not download suspicious files from an unknown sender.
  17. Conduct a Disaster Recovery Plan review and update it if necessary.
  18. Conduct a Business Continuity Plan review and update it if necessary.

 
7.2 Recommendations for Internet Users:

  1. Users should use strong and unique passwords.
  2. Users should use secure passwords for the network.
  3. Users should be wary of phishing attempts and not simply click on any links or executables they receive via social media and other messaging applications.
  4. Users should practice safe browsing and regularly back up data.
  5. Users should download software or applications from reputable sources.
  6. Users should be wary and suspicious of applications circulated on social media for downloads.
  7. Enable and use up-to-date anti-virus software.
  8. Do regular security updates and patches.
  9. Contact relevant authorities such as CyberSecurity Malaysia for inquiries and assistance related to cyber threats or suspicious activities users observe online.
  10. Users are also encouraged to report to the Service Providers or the social media platform concerning the circulation of posts or ads with suspicious links.

Generally, CyberSecurity Malaysia advises users to keep up to date with the latest security announcements from their vendors and to follow best-practice security policies when determining which updates should be applied.

To report an incident and for further enquiries, please contact the Cyber999 Incident Response Centre through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 08:30 -17:30 MYT 
Web:  https://www.mycert.org.my  

8.0 References

CyberSecurity Malaysia is the national cyber security specialist agency under the purview of the Ministry of Digital (KD)