Ransomware has already attacked more than 150 organizations in 25 countries around the world.
Recently, the Qilin group, known for its cyber attacks on the healthcare sector, has once again attracted public attention. The largest ransom they demanded was $50 million during the attack on Synnovis, a provider of pathology services, which severely affected several key National Health Service (NHS) hospitals in London.
According to Group-IB, the Qilin group was first noticed in July 2022, and in February 2023 it began its operations using the Ransomware-as-a-Service (RaaS) model on underground forums. The eponymous Qilin malware, originally developed from the Go-based Agenda ransomware, was later reinterpreted and rewritten in Rust, which improved its stability and effectiveness.
Over the course of its activities, the Qilin group has compromised more than 150 organizations in 25 countries, affecting a variety of industries. Research has revealed a complex organizational structure that includes administrative strategies and a network of partners.
Qilin's methods involve exploiting vulnerabilities in known devices and programs. For example, the group exploited vulnerabilities in Fortinet devices and Veeam Backup & Replication software for initial access. They also use brute-force attacks on VPN devices and use the Mimikatz utility to escalate privileges on compromised systems.
Qilin actively hides its actions, deleting system logs and events to make it more difficult to investigate incidents. The malware can stop processes and services, which makes it harder to detect and respond to an attack. To remove traces covertly, it uses a PowerShell command that clears the Windows event logs.
The Qilin malware can spread over a local network, functioning as a network worm. To do this, it uses the PsExec utility and self-propagation capabilities via VMware vCenter. The malware can also use Remote Desktop (RDP) and Windows administrative shares to move around the network.
In addition, Qilin attacks backup systems by deleting backup copies of data and disabling the scheduled tasks that create backups. Data encryption uses a combination of the AES-256-CTR and ChaCha20 algorithms, which makes data recovery almost impossible without the decryption key.
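The three preceding paragraphs describe behaviours a defender can watch for in Windows telemetry: event logs being cleared, PsExec service installs and admin-share or RDP access as lateral movement, and shadow-copy or scheduled-backup deletion. The following detector is an added example, not code from the post or from Group-IB's research. It runs a small rule set over a handful of constructed sample events (the `host`/`id`/`msg` field layout is an assumption; the event IDs 1102, 104, 7045, 5140, 4688 and 4624 are standard Windows Security/System log IDs) and then correlates per host, escalating any host that shows two or more distinct technique categories.

```python
"""Detect the Qilin-style tradecraft described above over constructed sample events.

Added example: the event records below are constructed for illustration and the
field names (host, id, msg) are an assumed flattening of Windows event logs.
"""
import re

# Constructed sample telemetry: Windows event ID plus the rendered message text.
SAMPLE_EVENTS = [
    {"id": 1102, "host": "fs01", "msg": "The audit log was cleared. Subject: CORP\\svc-backup"},
    {"id": 104,  "host": "fs01", "msg": "The System log file was cleared."},
    {"id": 7045, "host": "fs02", "msg": "A service was installed in the system. Service Name: PSEXESVC "
                                         "Service File Name: %SystemRoot%\\PSEXESVC.exe"},
    {"id": 5140, "host": "fs02", "msg": "A network share object was accessed. Share Name: \\\\*\\ADMIN$ "
                                         "Source Address: 10.0.5.23"},
    {"id": 4688, "host": "fs03", "msg": "A new process has been created. New Process Name: "
                                         "C:\\Windows\\System32\\vssadmin.exe Process Command Line: "
                                         "vssadmin delete shadows /all /quiet"},
    {"id": 4688, "host": "fs03", "msg": "A new process has been created. Process Command Line: "
                                         "schtasks /Delete /TN \"Nightly Backup\" /F"},
    {"id": 4688, "host": "fs03", "msg": "A new process has been created. Process Command Line: "
                                         "powershell -c Clear-EventLog -LogName Security"},
    {"id": 4624, "host": "fs04", "msg": "An account was successfully logged on. Logon Type: 10 "
                                         "Source Network Address: 10.0.5.23"},  # type 10 = RDP
    {"id": 4688, "host": "ws01", "msg": "A new process has been created. Process Command Line: "
                                         "notepad.exe C:\\Users\\a\\notes.txt"},  # benign control
]

def _proc(ev, pattern):
    """True when ev is a process-creation event whose message matches pattern."""
    return ev["id"] == 4688 and re.search(pattern, ev["msg"], re.IGNORECASE) is not None

# (rule name, technique category, predicate). Categories mirror the article's
# three behaviours: defense evasion, lateral movement, backup tampering.
RULES = [
    ("event_log_cleared",    "defense_evasion",  lambda ev: ev["id"] in (1102, 104)),
    ("powershell_log_clear", "defense_evasion",  lambda ev: _proc(ev, r"Clear-EventLog|wevtutil\s+cl\b")),
    ("psexec_service",       "lateral_movement", lambda ev: ev["id"] == 7045 and "PSEXESVC" in ev["msg"].upper()),
    ("admin_share_access",   "lateral_movement", lambda ev: ev["id"] == 5140
                                                  and re.search(r"\\(ADMIN|C|IPC)\$", ev["msg"]) is not None),
    ("rdp_logon",            "lateral_movement", lambda ev: ev["id"] == 4624 and "Logon Type: 10" in ev["msg"]),
    ("shadow_copy_deleted",  "backup_tampering", lambda ev: _proc(ev, r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete")),
    ("backup_task_deleted",  "backup_tampering", lambda ev: _proc(ev, r"schtasks.*/delete")),
]

def detect(events):
    """Apply every rule to every event; return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for rule, category, pred in RULES:
            if pred(ev):
                findings.append({"host": ev["host"], "rule": rule,
                                 "category": category, "event_id": ev["id"]})
    return findings

def triage(findings):
    """Per-host severity: 'high' when two or more technique categories co-occur,
    which is the combination the article describes (evasion plus backup tampering
    or lateral movement), otherwise 'medium'."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["category"])
    return {host: ("high" if len(cats) >= 2 else "medium") for host, cats in per_host.items()}

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']}: {f['rule']} (event {f['event_id']})")
    print(triage(found))
```

The single-event rules are deliberately noisy on their own (an administrator legitimately deleting a scheduled task will trip `backup_task_deleted`); the value is in `triage`, which only escalates when a host shows log clearing together with backup tampering or lateral movement in the same window, the sequence the article attributes to Qilin.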
The Qilin group poses a serious threat to cybersecurity due to its flexibility and cooperation with various partners within the RaaS. The technical tools and methods used by Qilin continue to evolve, which requires constant monitoring and updating of security measures.
Source