Cybersecurity researchers have uncovered a new variant of the Qilin ransomware, labeled Qilin.B, which combines stronger encryption with evasion techniques intended to defeat detection. The upgraded version is tracked by cybersecurity firm Halcyon, which disclosed its findings to The Hacker News.
“Qilin.B now supports AES-256-CTR encryption for systems with AESNI capabilities, while retaining Chacha20 for systems lacking this support,” explained the Halcyon Research Team. “Additionally, it uses RSA-4096 with OAEP padding to secure encryption keys, making decryption without the attacker's private key virtually impossible.”
The Qilin ransomware, also known as Agenda, emerged in mid-2022 with its initial versions in Golang, later shifting to Rust for increased complexity. Group-IB's report from May 2023 revealed that this ransomware-as-a-service (RaaS) scheme provides affiliates with 80-85% of ransom payments.
Qilin.B’s enhancements include not only the encryption changes but also operational improvements: it resists analysis by continuously clearing Windows Event Logs, terminates security-related services, and even deletes itself after execution. Additionally, Qilin.B kills processes related to backup and virtualization services such as Veeam, SQL, and SAP, and deletes volume shadow copies, making recovery more challenging.
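The behaviours listed above (event-log clearing, backup/virtualization service termination, shadow-copy deletion) are observable on an endpoint before encryption starts. The following added example, which is not code from the article or from Halcyon, runs simple detection logic over constructed Windows event records; the field names (`event_id`, `cmdline`, `service`, `state`) are an assumed, simplified stand-in for a real event schema.

```python
import re

# Constructed sample events modelled on the Qilin.B tactics described above.
# Event IDs: 1102 = audit log cleared, 4688 = process creation, 7036 = service state change.
SAMPLE_EVENTS = [
    {"event_id": 1102, "channel": "Security", "user": "CORP\\svc-backup"},
    {"event_id": 4688, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"event_id": 4688, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop VeeamBackupSvc"},
    {"event_id": 4688, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"event_id": 7036, "service": "MSSQLSERVER", "state": "stopped"},
]

SHADOW_DELETE = re.compile(r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)", re.I)
SERVICE_STOP = re.compile(r"(net\s+stop|sc\s+stop|taskkill)\s", re.I)
# Backup/virtualization keywords named in the article (Veeam, SQL, SAP).
BACKUP_KEYWORDS = ("veeam", "sql", "sap", "backup")

def classify(ev):
    """Return a tactic label for one event, or None if it looks benign."""
    eid = ev.get("event_id")
    if eid == 1102:
        return "log_cleared"
    if eid == 4688:
        cmd = ev.get("cmdline", "")
        if SHADOW_DELETE.search(cmd):
            return "shadow_copy_deletion"
        if SERVICE_STOP.search(cmd) and any(k in cmd.lower() for k in BACKUP_KEYWORDS):
            return "backup_service_stop"
    if eid == 7036 and ev.get("state") == "stopped":
        if any(k in ev.get("service", "").lower() for k in BACKUP_KEYWORDS):
            return "backup_service_stop"
    return None

def triage(events):
    """Summarise a batch: two or more distinct tactics is rated high, because the
    ransomware chains them in sequence shortly before encryption begins."""
    hits = [t for t in (classify(e) for e in events) if t]
    tactics = set(hits)
    severity = "high" if len(tactics) >= 2 else ("medium" if tactics else "none")
    return {"hits": hits, "tactics": tactics, "severity": severity}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Each single hit is noisy on its own (administrators do stop SQL and clear logs), so the batch-level correlation is what earns the high rating.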
"Qilin.B’s combination of robust encryption, evasive defense tactics, and disruption of backup systems marks it as an exceptionally dangerous ransomware variant," Halcyon noted.
The increasing sophistication of ransomware tactics is further evidenced by the emergence of the Embargo ransomware, which terminates endpoint detection and response (EDR) tools using the “Bring Your Own Vulnerable Driver” (BYOVD) technique. ESET researchers Jan Holman and Tomáš Zvara identified the EDR killer, MS4Killer, as well as MDeployer, a malicious loader that delivers the Embargo ransomware and is responsible for executing file encryption. Both tools are written in Rust, indicating that Rust is the group’s preferred development language.
This year, Microsoft reported that ransomware attacks have impacted 389 U.S. healthcare facilities, costing them up to $900,000 daily in downtime. Notable ransomware groups, including Lace Tempest, Sangria Tempest, Cadenza Tempest, and Vanilla Tempest, have been involved in these attacks. Among 99 healthcare organizations that admitted to paying the ransom, median payments were around $1.5 million, while average payments reached $4.4 million.
Resource: The Hacker News