Think Locally, Attack Globally: QILIN Ransomware Group Expands Operations, Targeting Organisations Worldwide

In recent months, a notorious ransomware group known as Qilin, also referred to as 'Agenda,' has emerged as a significant cyber threat, leaving organisations worldwide vulnerable to malicious attacks. Pragma has noted a sharp surge in the group’s activities, impacting an increasing number of victims.

With a history of targeted exploits and a knack for evading detection, Qilin has gained notoriety due to its sophisticated techniques and successful ransomware campaigns. Until recently, the group had reportedly targeted twelve victims in a year, up until May 2023. However, alarming trends have shown an exponential increase in attacks, indicating an aggressive expansion of their operations. Initially associated with exploiting organisations primarily in Indonesia, Thailand, and South Africa, Qilin's reach has now expanded beyond these regions.

Pragma’s Global Head of Incident Response Mark Bird urged all companies to stay vigilant. “The rising prominence of the Qilin ransomware group demands immediate attention from organisations worldwide. By understanding their tactics, staying vigilant, and implementing comprehensive preventive measures, we can collectively combat this growing threat. Protecting our digital assets requires a proactive and collaborative effort.”

The Financial T(r)oll:

Qilin operates with a clear motive: financial gain. Their ransom demands range from USD 50,000 to an eye-watering USD 800,000. Such high ransom amounts underscore the severity of their attacks, as they deliberately target valuable assets within organisations. Additionally, Qilin's encryption techniques operate at the host level, rendering virtual machines ineffective. This strategic move limits the availability of forensic artefacts, making investigation and recovery efforts even more challenging for targeted organisations.

To further complicate matters, Qilin employs sophisticated anti-forensic techniques to conceal their malicious activities. By exploiting security gaps and utilising evasion tactics, the group makes it increasingly difficult for incident response teams to track their movements and identify potential vulnerabilities.

According to Group-IB, ransomware affiliates associated with the Qilin ransomware-as-a-service (RaaS) scheme earn between 80% to 85% of each ransom payment. Logically, it will be very difficult to dissuade them from operating given the large payday.

According to Group-IB, their threat analysts came across an original screenshot of a post by a “recruiter” from Qilin to hire affiliates and advertise their RaaS on an underground forum. The post is written in Russian and mentions that the group “does not work in CIS countries.”

Qilin ransomware attacks are often customised for each victim, maximising their impact by employing tactics such as changing filename extensions and terminating specific processes and services.

Prevention Strategies:

In the face of this growing threat, it is crucial for organisations to implement robust preventive measures. Here are some key steps to fortify your defences against Qilin and similar ransomware attacks:

Strengthen Remote Desktop Protocol (RDP) Security: Ensure that RDP is properly configured and protected. Implement strong passwords, two-factor authentication, and restrict access to authorised users only.
Deploy Effective Spam Filters: Implement robust spam filters to prevent phishing emails, which are commonly used by threat actors to gain unauthorised access. Regularly educate employees about the risks associated with suspicious emails and how to identify potential threats.
Enhance Employee Security Awareness: Establish comprehensive security awareness training programmes to educate employees about ransomware threats and how to promptly identify and report potential incidents.
Enable and Monitor Endpoint Detection and Response (EDR): Implement an advanced EDR solution to actively monitor and detect any suspicious activities on your organisation's endpoints. Prompt detection can help mitigate the impact of a potential attack.

Seeking Assistance:

At Pragma, we prioritise your organisation's security and are ready to assist you in preventing and responding to ransomware incidents. For proactive support in bolstering your defences, please contact our team at [email protected]. In the event of an incident, our dedicated Incident Response (IR) team can be reached at [email protected].