qilin
Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion, demanding payment for a decryptor, as well as for the non-release of stolen data.
- Business Services
- Manufacturing
- Unspecified
- Consumer Services
- Healthcare
- Construction
- Agriculture and Food Production
- Technology
- TA0001Initial Access
- T1078Valid Accounts
Compromised credentials used to authenticate via VPN and RDP. Qilin notably steals credentials from Chrome browsers on compromised endpoints before encryption.
- T1190Exploit Public-Facing Application
Exploitation of vulnerabilities in VPN appliances and remote management tools to gain initial access.
- T1566Phishing
- T1566.003Phishing: Spearphishing via Service
Qilin affiliates spear-phished MSP administrators via ScreenConnect to gain access to downstream customers. Phishing campaigns using credential-harvesting pages targeting VPN and SSO portals.
- TA0002Execution
- T1059.001Command and Scripting Interpreter: PowerShell
PowerShell scripts used for payload execution, lateral movement, and post-exploitation tasks.
- T1059.004Command and Scripting Interpreter: Unix Shell
Shell scripts used to execute the Linux/ESXi variant of the Qilin ransomware payload.
- T1569System Services
- T1569.002System Services: Service Execution
- TA0003Persistence
- T1037Boot or Logon Initialization Scripts
- T1053Scheduled Task/Job
- T1053.005Scheduled Task/Job: Scheduled Task
Scheduled tasks created to maintain persistence and execute post-exploitation scripts.
- T1098.004Account Manipulation: SSH Authorized Keys
- T1136Create Account
- T1547Boot or Logon Autostart Execution
- TA0004Privilege Escalation
- T1068Exploitation for Privilege Escalation
- TA0005Defense Evasion
- T1027Obfuscated Files or Information
Qilin.B variant (October 2024) introduced enhanced obfuscation and anti-analysis techniques compared to earlier versions.
- T1036.001Masquerading: Invalid Code Signature
- T1134.004Access Token Manipulation: Parent PID Spoofing
- T1211Exploitation for Defense Evasion
- T1480Execution Guardrails
- T1497.001Virtualization/Sandbox Evasion: System Checks
- T1553.002Subvert Trust Controls: Code Signing
- T1562.001Disable or Modify Tools
Security tools and EDR solutions disabled via batch scripts and Group Policy modifications.
- T1562.004Impair Defenses: Disable or Modify System Firewall
- T1564Hidden Artifacts
- T1564.003Hidden Artifacts: Hidden Window
- TA0006Credential Access
- T1003.001OS Credential Dumping: LSASS Memory
LSASS memory dumped to harvest credentials for lateral movement and privilege escalation.
- T1040Network Sniffing
- T1110.002Brute Force: Password Cracking
- T1555.003Credentials from Web Browsers
Qilin notably deployed a custom script to steal credentials stored in Google Chrome browsers on all domain-joined machines via Group Policy — a distinctive TTP first observed in the Synnovis NHS attack (June 2024).
- TA0007Discovery
- TA0008Lateral Movement
- TA0009Collection
- TA0010Exfiltration
- T1011Exfiltration Over Other Network Medium
- T1011.001Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
- T1048.003Exfiltration Over Alternative Protocol: Unencrypted Non-C2 Protocol
- T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage
Data exfiltrated to cloud storage and actor-controlled servers for double extortion via the Qilin leak site.
- TA0011Command and Control
- TA0040Impact
- T1486Data Encrypted for Impact
Qilin (formerly Agenda) uses ChaCha20 for file encryption with RSA-4096 for key protection. Originally written in Go, later rewritten in Rust (Qilin.B). Targets Windows, Linux, and VMware ESXi. Notable attack: Synnovis NHS pathology services (June 2024) causing 10, 000+ NHS appointment cancellations. Active RaaS with high affiliate revenue share.
- T1490Inhibit System Recovery
Shadow copies deleted; ESXi snapshots removed to prevent VM recovery.
- T1561Disk Wipe
- T1561.001Disk Wipe: Disk Content Wipe
- TA0042Resource Development
- T1587.001Develop Capabilities: Malware
- TA0043Reconnaissance
- T1590.004Gather Victim Network Information: Network Topology