Qilin (aka Agenda) is a RaaS group that has targeted organizations globally since August 2022 using spear-phishing, double extortion, and a portable Go/Rust ransomware that encrypts files with AES-256 or ChaCha20 and appends RSA-encrypted key material to each file. The ransomware disables recovery (shadow copies, event logs, backup/DB services), uses argument-controlled behavior (including a required password check), and drops README-RECOVER-.txt ransom notes threatening data publication. #Qilin #Agenda
Keypoints
- Qilin (Agenda) emerged August 2022 and targets diverse countries and sectors, including education, healthcare, and critical infrastructure.
- Initial access is primarily via spear-phishing and the group operates as Ransomware-as-a-Service with double extortion (data theft + encryption).
- The ransomware requires a "--password" argument which is SHA-256 checked against a hardcoded hash, but enforcement can be bypassed since the code is already decrypted.
- It disables recovery by deleting volume shadow copies (vssadmin), clearing event logs via PowerShell, and stopping/disabling backup, DB, virtualization, and security services.
- Qilin terminates processes and services, excludes many OS/backup/security files from encryption, and supports multiple runtime arguments to modify behavior (spread, safe mode, no-network, etc.).
- Files are encrypted with AES-256 by default (or ChaCha20 if no AES-NI); the symmetric key is encrypted with an RSA-4096 public key and appended to the file, preventing local decryption.
- The ransomware is written in Go and Rust, creates execution logs in a QLOG temp folder, changes desktop wallpaper, and leaves README-RECOVER-.txt ransom notes demanding DLS access credentials.
MITRE Techniques
- [T1566] Phishing - Initial access mainly via spear-phishing. Quote: "The initial access method is mainly known to be spear phishing."
- [T1059.001] Command and Scripting Interpreter: PowerShell - Deletes all event logs using a PowerShell script to clear logs: "powershell $logs = Get-WinEvent -ListLog * ... [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)".
- [T1486] Data Encrypted for Impact - Encrypts files with AES-256 or ChaCha20, appends a separator and the RSA-encrypted AES key to the end of the file: "---END CIPHERTEXT BLOCK--- is appended ... The AES symmetric key encrypted with the RSA public key is then inserted."
- [T1490] Inhibit System Recovery - Deletes volume shadow copies and disables VSS using vssadmin and service start/stop/change commands: "wmic service where name="vss" call ChangeStartMode Manual ... vssadmin.exe delete shadows /all /quiet ... wmic service where name="vss" call ChangeStartMode Disabled."
- [T1489] Data Destruction - Clears event logs, leaving only deletion records: "a PowerShell script is executed to delete all event logs registered in the system without backup."
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder - Maintains persistence via registry entries with randomized 6-character names (prefixed by "*"), enabling execution even in safe mode.
- [T1489/T1499] Service Stop - Stops and disables backup, database, virtualization, and security services (examples: sql, vss, veeamtransportsvc, backupexecjobengine, sapservice): "It terminates services ... and changes the startup type to disabled."
- [T1105] Ingress Tool Transfer (lateral tools) - Supports spreading via PsExec when run with the "--spread" argument to propagate across the network.
- [T1562.001] Impair Defenses: Disable or Modify Tools - Targets and terminates security/backup processes (examples: avagent, sophos, veeam) to disrupt defensive measures: "continuously checks the processes during file encryption and terminates the processes."
Indicators of Compromise
- [File Hash] sample malicious binary MD5 hashes observed: 08a2405cd32f044a69737e77454ee2da, 0d68a310f4265821900249bec89364c2
- [File Hash] additional MD5 samples: 0d70b3825647082d779987f2772bd219, 119856ec134acc86ef76044cbf291f54 (and 1 more hash)
- [File Name] ransom note filename pattern: README-RECOVER-.txt (example: README-RECOVER-9_bJ6s6BxF.txt)
- [Registry] persistence indicator: Run key entries with randomized 6-character value names possibly prefixed with "*" in the registry (executes even in safe mode)
- [Commands] recovery-inhibiting commands: vssadmin.exe delete shadows /all /quiet; PowerShell command to clear event logs (quotes provided in the article)
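The following is an added detection example, not code from the ASEC article: it turns the recovery-inhibiting commands quoted in the MITRE section and the Run-key naming indicator into rules and runs them over constructed Sysmon-like process-creation events. The event shape, the sample command lines and the assumption that the six random Run-key characters are alphanumeric are mine, not the article's.

```python
import re

# Detection rules for the recovery-inhibiting commands quoted in the MITRE
# section, keyed by the technique label the summary uses for each one.
COMMAND_RULES = [
    ("T1490", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)),
    ("T1490", re.compile(r"wmic\s+service\s+where\s+name=[\"']?vss[\"']?\s+call\s+"
                         r"ChangeStartMode\s+(Manual|Disabled)", re.I)),
    ("T1059.001", re.compile(r"EventLogSession\]::GlobalSession\.ClearLog\(", re.I)),
]

# Run-key value name: six randomised characters, optionally prefixed with "*".
# Assumption: the random characters are alphanumeric (the summary does not say).
RUN_VALUE_RX = re.compile(r"^\*?[A-Za-z0-9]{6}$")


def match_cmdline(cmdline: str) -> list[str]:
    """Return the technique labels whose rule matches this command line."""
    return sorted({tech for tech, rx in COMMAND_RULES if rx.search(cmdline)})


def suspicious_run_value(name: str) -> bool:
    """True if a Run-key value name fits the randomised 6-character pattern."""
    return RUN_VALUE_RX.match(name) is not None


def scan_events(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (timestamp, techniques) for every event that fires at least one rule."""
    hits = []
    for ev in events:
        techs = match_cmdline(ev["cmdline"])
        if techs:
            hits.append((ev["ts"], techs))
    return hits


# Constructed sample events in a Sysmon-like shape (not from a real incident).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:01", "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
    {"ts": "2024-01-01T10:00:05", "cmdline": 'wmic service where name="vss" call ChangeStartMode Manual'},
    {"ts": "2024-01-01T10:00:06", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-01-01T10:00:07", "cmdline": 'wmic service where name="vss" call ChangeStartMode Disabled'},
    {"ts": "2024-01-01T10:00:09", "cmdline": "powershell $logs = Get-WinEvent -ListLog *; foreach ($l in $logs) "
               "{ [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l) }"},
]

if __name__ == "__main__":
    for ts, techs in scan_events(SAMPLE_EVENTS):
        print(ts, ",".join(techs))
    for name in ("*aB3xQ9", "OneDrive"):
        print(name, suspicious_run_value(name))
```

Changing the VSS start mode to Manual is a weak signal on its own; the Manual, delete shadows, Disabled sequence within a few seconds, as in the sample, is the pattern worth alerting on.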
Read more: https://asec.ahnlab.com/en/90497/