Qilin, also known as "Agenda", is a ransomware group that also operates a ransomware-as-a-service (RaaS) scheme. According to new Group-IB findings, affiliates in Qilin's RaaS scheme earn between 80% and 85% of each ransom payment. The group was first observed in 2022, when it attacked Australia's leading information technology service organization.
Qilin targets its victims with phishing emails containing malicious links to gain access to their networks and exfiltrate sensitive data. Once initial access is obtained, the operators typically move laterally across the victim's infrastructure looking for critical data to encrypt. After encrypting the data, Qilin leaves a ransom note stating "Your network/system was encrypted, and the encrypted file has a new file extension" and demands a ransom payment in exchange for the decryption key.
Ransomware Details & Working
It drops pwndll.dll, detected as Trojan.Win64.AGENDA.SVT, in the Public folder and injects this DLL into svchost.exe so that the ransomware binary keeps executing. It abuses Safe Mode to evade detection and run its encryption routine unnoticed. The malware is written in Rust; the Rust variant is especially effective for ransomware because, besides being hard to analyze and prone to evading detection, it makes the malware easier to adapt to Windows, Linux, and other operating systems.
Here are some points to note:
- The ransomware is written in the Go and Rust programming languages.
- It reboots the system into Safe Mode and stops the processes and services running on the servers.
- It uses AES-256 to encrypt files and RSA-2048 to encrypt the generated key.
- After successful encryption, the encrypted files are renamed using a company ID specified in the runtime configuration.
- The ransomware sample is customized for each victim, and most samples are 64-bit Windows PE files written in Go.
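As an added defender-side example (not code from this post or from Sectrio), the following Python checks a batch of constructed endpoint events for the behaviours described above: a DLL written to the Public folder, svchost.exe loading a DLL from that folder, and a file hash matching the SHA-256 IOCs listed later in this post. The event field names (type, path, process, sha256) are assumptions, not a real EDR schema.

```python
from typing import Dict, List, Tuple

# SHA-256 hashes from the post's IOC section.
QILIN_IOC_SHA256 = {
    "76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e",
    "fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039",
}

PUBLIC_DIR = "\\users\\public\\"  # C:\Users\Public, compared in lower case


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons (if any) that one endpoint event matches the
    Agenda/Qilin behaviours described above. Field names are assumed."""
    hits: List[str] = []
    etype = ev.get("type", "")
    path = ev.get("path", "").lower()
    proc = ev.get("process", "").lower()
    in_public = PUBLIC_DIR in path

    # 1. pwndll.dll (or any DLL) written into the Public folder
    if etype == "file_create" and path.endswith(".dll") and in_public:
        hits.append("DLL dropped in Public folder")
    # 2. svchost.exe loading a DLL from the Public folder (injection target)
    if etype == "image_load" and proc.endswith("\\svchost.exe") and in_public:
        hits.append("svchost.exe loaded DLL from Public folder")
    # 3. file hash matching a published Qilin IOC
    if ev.get("sha256", "").lower() in QILIN_IOC_SHA256:
        hits.append("hash matches published Qilin IOC")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Flag every (event index, reason) pair across a batch of events."""
    return [(i, r) for i, ev in enumerate(events) for r in check_event(ev)]


# Constructed sample events (not real telemetry) for a quick self-check.
SAMPLE_EVENTS = [
    {"type": "file_create", "process": "C:\\Windows\\explorer.exe",
     "path": "C:\\Users\\Public\\pwndll.dll",
     "sha256": "76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e"},
    {"type": "image_load", "process": "C:\\Windows\\System32\\svchost.exe",
     "path": "C:\\Users\\Public\\pwndll.dll", "sha256": ""},
    {"type": "image_load", "process": "C:\\Windows\\System32\\svchost.exe",
     "path": "C:\\Windows\\System32\\ntdll.dll", "sha256": ""},
    {"type": "file_create", "process": "C:\\Program Files\\App\\app.exe",
     "path": "C:\\Users\\Public\\report.txt", "sha256": ""},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first two constructed events and leaves the benign ntdll load and text-file write untouched.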
Victim Selection
At first the group targeted organizations at random, but now it appears to be mostly interested in critical infrastructure, particularly OT companies. In 2023 it targeted 21 companies, including 5 OT victims. In June 2023 it attacked a Dubai-based OT company specializing in comprehensive industrial and commercial water treatment (Clarity Water Technologies, LLC), and it also targeted 6 other companies and leaked some of their data.
According to our dark web analysis, the victims targeted so far are from various countries, including Argentina, Australia, Brazil, Canada, Colombia, France, Germany, Japan, New Zealand, Serbia, Thailand, the Netherlands, UAE, UK and United States.
Fig1: Victim Countries
A screenshot of a post written in Russian by a Qilin recruiter, seeking "teams of experienced pentesters for their affiliate program," indicates that the group does not operate in CIS countries.
Dark Web Analysis of Qilin Ransomware
Qilin maintains a dedicated dark web page where it publishes information about each victim, including the victim's name, date of attack, a description of the victim and images related to the victim's sensitive data; when the ransom is not paid, the victim's data is also leaked on the site.
They have posted about 22 victims on their onion site, and some victims' data has already been leaked there.
Let's go through their dark web site.
Qilin's dark web front page, where information about victims is published.
Login page on the Qilin ransomware site.
They normally leak two files: one containing the data, and another listing all the sensitive files (as shown in the image).
IOCs (SHA-256)
76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e
fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039
Mitigations for Securing OT Environments:
- Check for CVEs affecting devices and patch them.
- Implement IEC 62443.
- Proper network segmentation as per the Purdue model.
- Conduct risk assessments and gap analyses in a timely manner.
- Employee Awareness and Training.
Remediations
- Multi-factor Authentication
- Data Backup
- Employee Awareness and Training
- Email Security
- Patch Management
- Network Segmentation
- Advanced Threat Detection
- Incident Response Readiness
References
https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html
https://www.group-ib.com/blog/qilin-ransomware/
This research report is attributed to Dipanjali Rani and Akshay Jambagi from Sectrio’s threat research team.