Introduction
Cybersecurity researchers have identified a sophisticated variant of Qilin ransomware [5], known as QilinB. This ransomware operates as a ransomware-as-a-service (RaaS) and targets both Windows and Linux systems [6]. Developed in Rust [2], it represents an evolution from its original Golang implementation, featuring enhanced encryption capabilities and advanced evasion strategies [2].
Description
Cybersecurity researchers have identified an advanced variant of Qilin ransomware [5], designated QilinB [5], which operates as a ransomware-as-a-service (RaaS) targeting both Windows and Linux systems [6]. This version [1], developed in Rust [2], has evolved from its original Golang implementation and employs enhanced encryption capabilities. It uses AES-256-CTR on systems with AES-NI support, which significantly increases encryption speed, and falls back to ChaCha20 on systems without AES-NI hardware [3] so that files are encrypted robustly in every case [3]. The per-file encryption keys are in turn protected with RSA-4096 using OAEP padding [3], so decryption without the attacker's private key or captured seed values is nearly impossible [1]; this combination of methods considerably complicates recovery efforts.
Initially recognized in mid-2022 [1] [5], Qilin ransomware has shifted tactics: recent attacks show increased theft of credentials stored in Google Chrome on compromised endpoints, a move away from traditional double extortion methods. QilinB implements advanced evasion strategies, including terminating security-related services [6], disabling security tools [8], clearing Windows Event Logs to obstruct forensic analysis [6], and deleting itself to minimize traces of its presence [6]. It specifically targets processes associated with critical backup and virtualization services, such as Veeam [5], SQL [1] [5] [7], and SAP [1] [5], and deletes volume shadow copies [1] [5], which complicates recovery for victim organizations [1] [4] [5], particularly in sectors like healthcare where downtime can be life-threatening [4].
The ransomware targets both local directories and network folders [3], generating a ransom note in each processed directory that includes the victim's ID [3]. Encrypted files are assigned random extensions [4], and ransom notes are typically named with a random string followed by “-RECOVER-README.txt”. Its history of attacks on major organizations, including significant ransom demands against the healthcare industry, shows a track record of highly effective operations. The combination of enhanced encryption methods [1] [5] [6], effective evasion tactics [1] [5], and disruption of backup systems positions QilinB as a particularly significant threat to enterprise networks [6]. Early detection through process monitoring and identification of indicators of compromise (IOCs) is essential for mitigating its impact [6]. Affiliates who join the group retain a substantial portion of ransom payments.
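The per-directory ransom notes and random file extensions described above give an incident responder a quick way to bound how far the encryptor got on a share. The following triage helper is an added example, not code from the cited reports; the known-extension list and the sample tree it scans are constructed for demonstration.

```python
import os
import re
import tempfile
from collections import Counter

# QilinB drops a note named "<random string>-RECOVER-README.txt" in each processed directory.
NOTE_RE = re.compile(r"^[A-Za-z0-9]+-RECOVER-README\.txt$")

# Extensions considered normal on this share (constructed list). Any other extension in a
# directory that also holds a ransom note is reported as a candidate encrypted file.
KNOWN_EXTENSIONS = {"txt", "docx", "xlsx", "pdf", "jpg", "png", "csv", "log", "bak"}

def find_ransom_notes(root):
    """Map each directory (relative to root, '/'-separated) to the ransom note found in it."""
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if NOTE_RE.match(name):
                hits[os.path.relpath(dirpath, root).replace(os.sep, "/")] = name
    return hits

def unknown_extensions(directory):
    """Count extensions in one directory that are not in KNOWN_EXTENSIONS (the note itself is skipped)."""
    counts = Counter()
    for name in os.listdir(directory):
        if NOTE_RE.match(name) or "." not in name:
            continue
        ext = name.rsplit(".", 1)[1].lower()
        if ext not in KNOWN_EXTENSIONS:
            counts[ext] += 1
    return counts

def triage(root):
    """Return {relative_dir: {"note": filename, "suspect_files": {ext: count}}} for every hit directory."""
    report = {}
    for rel_dir, note in find_ransom_notes(root).items():
        full = os.path.join(root, rel_dir)
        report[rel_dir] = {"note": note, "suspect_files": dict(unknown_extensions(full))}
    return report

def build_sample_tree():
    """Constructed sample tree: two processed directories and one untouched one, for demonstration only."""
    root = tempfile.mkdtemp()
    layout = {
        "finance": ["k7Hq2Zp-RECOVER-README.txt", "q3.xlsx.xq9tz", "budget.docx.xq9tz"],
        "share/backups": ["k7Hq2Zp-RECOVER-README.txt", "db.bak.xq9tz"],
        "clean": ["readme.txt", "photo.jpg"],
    }
    for rel_dir, names in layout.items():
        os.makedirs(os.path.join(root, rel_dir))
        for name in names:
            open(os.path.join(root, rel_dir, name), "w").close()
    return root

if __name__ == "__main__":
    for rel_dir, info in sorted(triage(build_sample_tree()).items()):
        print(rel_dir, info)
```

Running it against a real share root instead of the sample tree lists the directories the encryptor reached and how many files in each carry an unexpected extension, which is the scope figure needed before restoring from backups.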
Conclusion
QilinB represents a significant threat to enterprise networks due to its advanced encryption methods, evasion tactics [1] [5] [6] [8], and ability to disrupt backup systems. The healthcare industry [8], in particular [1] [5], faces severe risks due to potential downtime. Mitigating the impact of QilinB requires early detection through process monitoring and identification of indicators of compromise. As ransomware tactics continue to evolve, organizations must remain vigilant and proactive in their cybersecurity measures to protect against such sophisticated threats.
References
[1] https://www.ihash.eu/2024/10/new-qilin-b-ransomware-variant-emerges-with-improved-encryption-and-evasion-tactics/
[2] https://thenimblenerd.com/article/qilin-b-ransomware-the-rusty-menace-wreaking-havoc-on-security-systems/
[3] https://www.prsol.cc/2024/10/25/new-qilin-ransomware-encryptor-features-stronger-encryption-evasion/
[4] https://cybersecsentinel.com/qilin-b-new-variant-disrupts-backups-and-evades-detection-tools/
[5] https://thehackernews.com/2024/10/new-qilinb-ransomware-variant-emerges.html
[6] https://www.halcyon.ai/blog/new-qilin-b-ransomware-variant-boasts-enhanced-encryption-and-defense-evasion
[7] https://blogs.masterhacks.net/noticias/hacking-y-ciberdelitos/surge-nueva-variante-del-ransomware-qilin-b-que-mejora-las-tacticas-de-cifrado-y-evasion/
[8] https://thenimblenerd.com/article/ransomware-rampage-qilin-b-unleashes-chaos-with-killer-encryption-tactics/