Investigating the Tactics, Techniques, and Procedures of the Qilin Ransomware Group


The Rise of the Qilin Ransomware Group: Insights into Their Tactics

In recent months, the Qilin ransomware group has emerged as a significant player in cybercrime. Over a span of just seven months, the group has conducted 677 ransomware attacks, becoming the most active ransomware operator after the decline of RansomHub, which may have been due to sabotage. Recent research reports shed light on the group's evolving tactics and methods.

Understanding Qilin’s Approach to Cyber Attacks

Recent investigations by Trend Micro and Cisco Talos reveal that Qilin, tracked by Trend Micro as “Agenda”, takes the unusual step of running Linux ransomware on Windows systems. The group combines a range of tools and techniques to execute attacks and evade detection: for instance, the attackers use WinSCP to transfer files and Splashtop Remote to launch the ransomware binaries on compromised Windows machines.

One of their standout tactics is the Bring Your Own Vulnerable Driver (BYOVD) technique, which helps the group evade defenses. They also deploy multiple SOCKS proxies to obscure command-and-control (C&C) traffic, and they use legitimate remote monitoring and management tools such as AnyDesk and Atera, along with ScreenConnect, to maintain control over the systems they infiltrate.

Targeting Backup Systems: A Strategic Move

A significant aspect of Qilin’s strategy is its focus on backup systems. In particular, the group has targeted Veeam backup infrastructure to extract credentials. Because backup servers typically store access details for many enterprise systems, harvesting those credentials dramatically extends the attackers’ reach. Trend Micro has noted that Qilin uses PowerShell scripts carrying base64-encoded payloads to extract and decode credentials stored in these databases.

These well-planned tactics give the attackers broad access across several layers of an organization’s infrastructure, including domain controllers and critical servers. Their systematic harvesting of credentials from Veeam databases shows a clear understanding of where an organization’s cyber defenses are weakest.

The Techniques That Make Qilin Stand Out

Qilin’s approach strains traditional cybersecurity defenses. Researchers describe the deployment of Linux ransomware in Windows environments as a notable departure, and one that detection systems built around Windows payloads need to adapt to. By combining stolen credentials with social engineering, such as fake CAPTCHA pages designed to lure unwary victims, the group is adept at bypassing multifactor authentication (MFA), which makes it a considerably harder adversary for organizations to contain.

For command execution, the group injects SOCKS proxy DLLs directly into memory through legitimate Windows processes. Resetting legitimate administrator passwords hinders recovery efforts by network administrators, while systematic enumeration of domain trusts gives the attackers access to privileged accounts.

Defense Evasion Strategies Employed by Qilin

The group has shown proficiency in defense evasion. For instance, the tools 2stX.exe and Or2.exe load a driver known as eskle.sys, which disables various security solutions to prevent detection. The group also uses obfuscated PowerShell that changes configuration to disable key defenses such as the Windows Antimalware Scan Interface (AMSI), allowing malicious payloads to execute unimpeded.

Cisco Talos has identified additional tactics used by Qilin, including attempts to disable endpoint detection and response (EDR) solutions through various commands. The combination of legitimate tools with cross-platform execution makes detection increasingly challenging for security teams.

Urgent Call for Enhanced Security Measures

Given Qilin’s adaptable and multifaceted methods, organizations should reassess their security controls thoroughly. The group’s use of unconventional attack vectors calls for closer monitoring of remote management tools and of access to backup systems. Recognizing how these threats evolve is vital for businesses aiming to stay a step ahead.
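The monitoring the report calls for can be started with simple endpoint telemetry triage. The script below is an added example (not code from the article, Trend Micro or Cisco Talos) that walks process-creation events and flags three things the reporting above describes: PowerShell launched with a base64 -EncodedCommand payload (decoded the way PowerShell does, as UTF-16LE), PowerShell command lines or decoded scripts that reference AMSI or Veeam even when the keyword is split with string concatenation, and remote access or transfer tools (AnyDesk, Atera, ScreenConnect, Splashtop, WinSCP) that the organization has not approved. The log line format, field names, the sample events and the approved-tool list are all assumptions constructed for the example.

```python
"""Heuristic triage of process-creation events for the tradecraft described
in the Qilin reporting: encoded or obfuscated PowerShell touching AMSI or
Veeam, and remote-management tools the organisation has not approved.
Added example; log format, field names and the approved list are assumptions."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed log format (constructed for this example):
#   <timestamp> host=<host> user=<user> image=<path> cmd=<full command line>
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"image=(?P<image>.+?) cmd=(?P<cmd>.*)$"
)

# -EncodedCommand and its common abbreviations, followed by a base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Keywords that deserve a second look when they appear in PowerShell on an endpoint.
KEYWORDS = ("amsi", "veeam")

# Remote access / transfer tools named in the Trend Micro and Talos reporting.
RMM_TOOLS = ("anydesk", "atera", "screenconnect", "splashtop", "winscp")
# Tools the organisation has actually sanctioned (assumption for the example).
APPROVED_RMM = {"screenconnect"}


@dataclass
class Finding:
    host: str
    user: str
    reason: str
    detail: str


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the decoded script if cmd carries an -EncodedCommand argument.
    PowerShell expects base64 over UTF-16LE text, so decode it the same way."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def normalise(text: str) -> str:
    """Strip the quote and concatenation characters used to split a keyword
    (for example 'am'+'si') so that a plain substring match still works."""
    return re.sub(r"['\"+`]", "", text).lower()


def analyze(lines) -> List[Finding]:
    """Run the three heuristics over raw log lines and return the findings."""
    findings: List[Finding] = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        ev = m.groupdict()
        image = ev["image"].lower()

        # 1. Remote management / transfer tooling outside the approved list.
        for tool in RMM_TOOLS:
            if tool in image and tool not in APPROVED_RMM:
                findings.append(Finding(ev["host"], ev["user"], "unapproved-rmm", tool))

        # 2. PowerShell carrying encoded content, or content of interest.
        if "powershell" in image:
            script = decode_encoded_command(ev["cmd"])
            if script is not None:
                findings.append(Finding(ev["host"], ev["user"], "encoded-powershell", script.strip()))
            text = normalise(script if script is not None else ev["cmd"])
            for kw in KEYWORDS:
                if kw in text:
                    findings.append(Finding(ev["host"], ev["user"], f"keyword:{kw}", text[:80]))
    return findings


# Constructed sample events (not real telemetry). The encoded payload is a
# harmless directory listing, built here so the base64 is guaranteed correct.
ENCODED_SAMPLE = base64.b64encode(
    "Get-ChildItem 'C:\\ProgramData\\Veeam'".encode("utf-16-le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z host=WS01 user=alice image=C:\\Windows\\explorer.exe cmd=explorer.exe",
    f"2024-01-01T10:01:00Z host=SRV-BKP user=svc_backup image={PS} cmd=powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}",
    "2024-01-01T10:02:00Z host=WS02 user=bob image=C:\\Users\\bob\\Downloads\\AnyDesk.exe cmd=AnyDesk.exe --service",
    "2024-01-01T10:03:00Z host=WS03 user=carol image=C:\\Program Files\\ScreenConnect\\ScreenConnect.exe cmd=ScreenConnect.exe",
    f"2024-01-01T10:04:00Z host=WS04 user=dave image={PS} cmd=powershell.exe -c \"$x='am'+'si'; Write-Output $x\"",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host:8} {f.user:12} {f.reason:20} {f.detail}")
```

Run over the constructed events, the sweep reports the encoded PowerShell on the backup server together with its Veeam reference, the unapproved AnyDesk binary, and the concatenation-obfuscated AMSI reference, while the approved ScreenConnect session and the plain explorer.exe start produce nothing. Substring heuristics like these are a starting point for hunting, not a replacement for proper EDR telemetry; the value is in decoding what the encoded command actually contains and in treating unexpected remote-access tooling as an event worth investigating.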

As threats like the Qilin ransomware group continue to evolve, staying informed about new tactics is critical for effective protection and response strategies.
