Qilin operates as a Ransomware-as-a-Service affiliate program using Rust-based ransomware that targets multiple operating systems with customized attacks. It employs double extortion tactics involving data encryption and exfiltration, impacting numerous global organizations and frequently adapting its methods. #Qilin #RustRansomware #NETXLOADER
Key points
- Qilin ransomware is developed in Rust, enabling evasion and cross-platform customization for Windows, Linux, and ESXi systems.
- The ransomware employs double extortion by encrypting data and threatening to release stolen sensitive information if ransom demands are not met.
- Qilin distributes ransomware samples through a dark web proprietary data leak site (DLS) with unique company IDs and leaked credentials.
- Recent campaigns have used loaders such as SmokeLoader and a new .NET loader called NETXLOADER to deliver the ransomware payload.
- Victims span multiple countries and sectors, including a notable attack on Yanfeng Automotive Interiors and various US organizations.
- Phishing emails with malicious links are used as initial infection vectors leading to lateral movement and data exfiltration within victim networks.
- A July 2025 attack targeted a U.S. financial advisory firm, resulting in exfiltration of 340 GB of sensitive data, demonstrating the group’s ongoing threat to critical sectors.
MITRE Techniques
- [T1566] Phishing – Qilin uses phishing emails with malicious links to gain initial access. (“Qilin targets victims through phishing emails containing malicious links to gain a foothold in the victim’s network”)
- [T1083] File and Directory Discovery – The ransomware alters filename extensions and places ransom notes in each infected directory. (“altering filename extensions of encrypted files and placing a ransom note in each infected directory”)
- [T1486] Data Encrypted for Impact – Qilin encrypts files using various encryption modes controlled by operators. (“Qilin ransomware offers various encryption modes, all controlled by the operator”)
- [T1490] Inhibit System Recovery – Attempts to reboot systems in normal mode and stop server-specific processes to complicate recovery. (“attempt to reboot systems in normal mode and stop server-specific processes to make it harder for the victim to recover their data”)
- [T1020] Automated Exfiltration – Exfiltration of sensitive data is part of the double extortion strategy. (“double extortion technique, involving the exfiltration of a victim’s sensitive data”)
- [T1071] Application Layer Protocol – Use of loaders such as SmokeLoader and NETXLOADER for payload delivery. (“Qilin ransomware affiliates used SmokeLoader and a new .NET loader (NETXLOADER)”)
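The page describes two on-disk traces of the T1083/T1486 behaviour above: encrypted files receive an altered filename extension, and a ransom note is dropped in each affected directory. The following script is an added illustration (not from the Cyberint post and not Qilin's code) of a defender-side sweep that looks for both indicators together. The ransom-note name pattern, the benign-extension allow-list and the dominance threshold are assumptions to tune for your environment; the sample directory tree is constructed inline so the script runs offline.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption (not from the page): ransom notes are usually small text/HTML files
# whose names advertise recovery or decryption. Tune this for the notes you see.
NOTE_NAME_RE = re.compile(r"(readme|recover|restore|decrypt).*\.(txt|html)$", re.IGNORECASE)

# Assumption: extensions that are normal to find in bulk and should not be
# treated as an "encryption extension" even when a whole directory shares them.
COMMON_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png",
                     ".log", ".csv", ".py", ".exe", ".dll", ".html"}


def analyze_directory(path, filenames, dominance=0.8, min_files=3):
    """Return an indicator record for one directory, or None if it looks clean.

    A directory is flagged only when BOTH traces the page describes are present:
    a ransom-note-like file AND most data files sharing one unusual extension.
    """
    note_files = [f for f in filenames if NOTE_NAME_RE.search(f)]
    data_files = [f for f in filenames if f not in note_files]
    if len(data_files) < min_files:
        return None  # too few files to judge extension uniformity
    exts = Counter(os.path.splitext(f)[1].lower() for f in data_files)
    ext, count = exts.most_common(1)[0]
    uniform = bool(ext) and ext not in COMMON_EXTENSIONS and count / len(data_files) >= dominance
    if not (note_files and uniform):
        return None
    return {"path": path, "note_files": note_files, "extension": ext, "affected": count}


def scan_tree(root):
    """Walk a tree and collect every directory that shows both indicators."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        hit = analyze_directory(dirpath, filenames)
        if hit:
            findings.append(hit)
    return findings


def build_sample_tree(base):
    """Constructed sample data: one clean share and one that shows both traces."""
    clean = Path(base, "finance")
    hit = Path(base, "hr")
    clean.mkdir()
    hit.mkdir()
    for name in ["budget.xlsx", "notes.txt", "plan.docx"]:
        Path(clean, name).touch()
    # ".locked9" and "RECOVER-FILES.txt" are made-up names for the example.
    for name in ["payroll.xlsx.locked9", "contracts.pdf.locked9",
                 "staff.docx.locked9", "RECOVER-FILES.txt"]:
        Path(hit, name).touch()
    return str(clean), str(hit)


def demo():
    """Build the sample tree, scan it, and return (flagged dir names, findings)."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        findings = scan_tree(base)
        return [os.path.basename(f["path"]) for f in findings], findings


if __name__ == "__main__":
    names, details = demo()
    for rec in details:
        print(f"{rec['path']}: {rec['affected']} files with {rec['extension']}, "
              f"note(s) {rec['note_files']}")
```

Requiring both signals keeps the false-positive rate manageable: a backup share full of `.bak` files has a uniform unusual extension but no note, and a project folder with a `README.txt` has a note-like name but ordinary extensions, so neither is flagged on its own. On a real estate the sweep would run against file-server exports or EDR file-event telemetry rather than a temporary directory.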
Read more: https://cyberint.com/blog/research/qilin-ransomware/