Qilin is a RaaS ransomware operation active since 2022 with Russian roots, offering affiliates the tools to encrypt networks and publish stolen data in a double-extortion scheme via a Tor-based data leak site and a ransom portal. The article covers the operators (Haise), affiliate economics, notable victims, cross-group overlaps, and the evolving infrastructure and techniques driving Qilin’s campaigns. #Qilin #Haise
Key points
- Qilin is a RaaS operation with affiliates who build payloads, publish stolen files, and negotiate ransoms for victims.
- Affiliates receive up to about 80% of a ransom of $3M or less and up to 85% of a ransom above $3M; changes to the payout flow were announced in July 2023.
- Victims are globally dispersed, including Yanfeng, The Big Issue, and Synnovis (NHS), with data leaked on Tor and ransom portals.
- Initial access often involves stolen credentials for public-facing Citrix servers or phishing, followed by lateral movement over RDP and internal enumeration.
- Public TTPs include use of Nmap/Nping for discovery, Cobalt Strike/RMM tools, BYOVD with Terminator.exe/YDArk, PCHunter/PowerTool, and a GPO-driven enc64.exe scheduled task for encryption.
- RaaS infrastructure features a Tor-based data leak site, a victim recovery portal, Telegram announcements, and a WikiLeaksV2 site on the clearnet; Group-IB exposed HUMINT-led access to the RaaS in 2023.
- Overlaps exist with ALPHV/BlackCat, Conti, Pistachio Tempest (FIN12), and other major groups, suggesting a widening ecosystem and potential for Qilin to fill a RaaS vacuum.
MITRE Techniques
- [T1566.001] Phishing – Access via phishing email during ransom negotiation. ‘they gained access via a phishing email during a ransom negotiation with a victim.’
- [T1078] Valid Accounts – Stolen credentials used to access a public-facing Citrix server, and RDP with valid credentials for lateral movement. ‘one affiliate used stolen credentials to access a public-facing Citrix server for the point of entry’ and ‘RDP with valid credentials for lateral movement.’
- [T1046] Network Service Discovery – Internal enumeration using Nmap and Nping. ‘using Nmap and Nping for internal enumeration.’
- [T1021.001] Remote Services: RDP – Lateral movement via Remote Desktop Protocol with valid credentials. (context drawn from RDP usage described in capabilities)
- [T1053.005] Scheduled Task/Job – A scheduled task called enc64.exe is created via an AD GPO to facilitate encryption. ‘to create a scheduled task called enc64.exe’ (via GPO)
- [T1059.001] PowerShell – Propagation across VMware vCenter/ESXi and via PsExec using a custom PowerShell script embedded in the binary. ‘custom PowerShell script embedded in the binary to propagate across VMware vCenter and ESXi servers as well as via PsExec’
- [T1570] Lateral Tool Transfer – Use of PsExec and other tools to move laterally across environments. ‘via PsExec, the Windows Sysinternals tool’ (illustrative of lateral tool use)
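As an added example (not code from the article or from the BushidoToken blog), the following Python triage script flags the TTPs listed above in constructed, simplified event records; the field names (event_id, host, image, task_name, task_content) are assumptions and would need mapping onto a real Security/Sysmon schema.

```python
import ntpath
import re

# Constructed sample events with a simplified, assumed schema; not logs from the article.
SAMPLE_EVENTS = [
    {"event_id": 4698, "host": "dc01", "task_name": "\\enc64.exe",
     "task_content": r"<Command>\\corp.example\SYSVOL\enc64.exe</Command>"},
    {"event_id": 1, "host": "ws12", "image": r"C:\Temp\nmap.exe"},
    {"event_id": 1, "host": "ws12", "image": r"C:\Temp\nping.exe"},
    {"event_id": 1, "host": "ws07", "image": r"C:\Tools\PsExec64.exe"},
    {"event_id": 1, "host": "ws07", "image": r"C:\Users\a\Downloads\Terminator.exe"},
    {"event_id": 1, "host": "ws03", "image": r"C:\Windows\System32\notepad.exe"},
]

# Process-name patterns for tools named in the TTP list, with the technique each evidences.
PROCESS_RULES = [
    (r"(nmap|nping)(\.exe)?", "T1046", "Nmap/Nping internal enumeration"),
    (r"psexec(64)?\.exe", "T1570", "PsExec lateral tool transfer"),
    (r"(terminator|ydark|pchunter(64)?|powertool(64)?)\.exe", "BYOVD",
     "BYOVD / AV-killer tooling"),
]


def detect(events):
    """Return (host, technique, detail) findings for events matching the listed TTPs."""
    findings = []
    for ev in events:
        if ev.get("event_id") == 4698:  # Security log: "A scheduled task was created"
            blob = (ev.get("task_name", "") + " " + ev.get("task_content", "")).lower()
            if "enc64.exe" in blob:
                findings.append((ev["host"], "T1053.005",
                                 "scheduled task enc64.exe (GPO-pushed encryptor)"))
        elif ev.get("event_id") == 1:  # Sysmon: process creation
            name = ntpath.basename(ev.get("image", ""))
            for pattern, technique, detail in PROCESS_RULES:
                if re.fullmatch(pattern, name, re.IGNORECASE):
                    findings.append((ev["host"], technique, detail))
                    break
    return findings


if __name__ == "__main__":
    for host, technique, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {technique} - {detail}")
```

Tool names alone are a weak signal on hosts where administrators legitimately run Nmap or PsExec, so pair these matches with the user, parent process and source host before escalating.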
Indicators of Compromise
- [Domain] Tor data leak site and victim portal – ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion, kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion
- [URL] Clearnet site listing victims – wikileaksv2.com (31.41.244.100)
Read more: https://blog.bushidotoken.net/2024/06/tracking-adversaries-qilin-raas.html