Patients are left without critical care while systems lie under a barrage of attacks.
Researchers at Halcyon have discovered a new version of the Qilin ransomware, known as Qilin.B, with improved tactics for bypassing defensive mechanisms. This version uses AES-256-CTR encryption on systems with AES-NI support and falls back to ChaCha20 on other systems. In addition, RSA-4096 keys with OAEP padding are used, which rules out decryption without the attacker's private key.
The first versions of Qilin, also known as Agenda, appeared in July-August 2022. Originally written in Golang, the software later switched to the Rust language. Since May 2023, the Qilin extortion scheme has been functioning as a service (RaaS), allowing affiliates to receive up to 85% of the ransom amount.
The new version, Qilin.B, departs from traditional double-extortion attacks: instead of the usual blackmail, it aims to steal data from the Google Chrome browser on infected devices. Other improvements include more sophisticated encryption methods and the termination of security-related services.
Qilin.B also terminates backup and virtualization processes such as Veeam and SAP, which makes data recovery much more difficult. The program automatically clears Windows event logs and deletes itself, minimizing the risk of detection.
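The two pre-encryption behaviours described above, stopping backup services and clearing event logs, are more telling in combination than on their own. The following is an added detection example (not code from Halcyon's report or from the malware) that correlates constructed Windows event records for both behaviours; the 10-minute window and the service-name keywords are assumptions, and the event IDs are the standard Windows ones.

```python
# Added example (not code from Halcyon's report or from Qilin): correlating
# constructed Windows event records for two behaviours the article attributes
# to Qilin.B, stopping backup/virtualization services and clearing event logs.
from datetime import datetime, timedelta

# Veeam and SAP are named in the article; extend this tuple for your estate.
BACKUP_KEYWORDS = ("veeam", "sap")
# Windows event IDs: 1102 = Security audit log cleared, 104 = a log file was
# cleared (Microsoft-Windows-Eventlog), 7036 = service state change (SCM).
LOG_CLEARED_IDS = {1102, 104}
SERVICE_STATE_ID = 7036

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2024-10-01T02:14:03", "id": 7036, "msg": "The Veeam Backup Service service entered the stopped state."},
    {"time": "2024-10-01T02:14:05", "id": 7036, "msg": "The SAPHostControl service entered the stopped state."},
    {"time": "2024-10-01T02:14:09", "id": 7036, "msg": "The Print Spooler service entered the running state."},
    {"time": "2024-10-01T02:15:40", "id": 1102, "msg": "The audit log was cleared."},
    {"time": "2024-10-01T02:15:41", "id": 104, "msg": "The System log file was cleared."},
]

def classify(ev):
    """Tag one event: 'log_cleared', 'backup_service_stopped', or None."""
    if ev["id"] in LOG_CLEARED_IDS:
        return "log_cleared"
    if ev["id"] == SERVICE_STATE_ID and "stopped state" in ev["msg"]:
        if any(k in ev["msg"].lower() for k in BACKUP_KEYWORDS):
            return "backup_service_stopped"
    return None

def triage(events, window=timedelta(minutes=10)):
    """Return (tagged_events, alert). alert is True only when a backup service
    stop and a log clear occur within `window`; the pair is far rarer in
    legitimate administration than either event on its own."""
    tagged = [(ev, t) for ev in events if (t := classify(ev))]
    tagged.sort(key=lambda p: p[0]["time"])  # ISO-8601 strings sort chronologically
    times = [datetime.fromisoformat(ev["time"]) for ev, _ in tagged]
    alert = False
    for i, (_, tag) in enumerate(tagged):
        kinds = {tag} | {t for (_, t), ts in zip(tagged[i + 1:], times[i + 1:]) if ts - times[i] <= window}
        if {"log_cleared", "backup_service_stopped"} <= kinds:
            alert = True
    return tagged, alert

if __name__ == "__main__":
    tagged, alert = triage(SAMPLE_EVENTS)
    for ev, tag in tagged:
        print(ev["time"], ev["id"], tag)
    print("ALERT: ransomware pre-encryption pattern" if alert else "no correlated pattern")
```

In production the same logic would be fed from the Security and System channels (for example via a SIEM query) rather than from an inline list.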
In addition to Qilin.B, researchers have noted a new threat: the Embargo ransomware, distributed using Rust-based tools. Its attacks involve the BYOVD (Bring Your Own Vulnerable Driver) technique, which is used to disable endpoint defenses. The attack chain involves the MDeployer malicious loader and the MS4Killer tool, which is similar to the open-source s4killer tool.
The growing threat of ransomware attacks is particularly pronounced in healthcare. In this fiscal year, 389 medical facilities in the United States have been attacked, resulting in losses of up to $900,000 per day. Notable groups targeting hospitals include Lace Tempest, Sangria Tempest, Cadenza Tempest, and Vanilla Tempest.
According to Microsoft, among the 99 healthcare organizations that paid the ransom, the average payment was $4.4 million and the median was $1.5 million.