Qilin ransomware abuses WSL to run Linux encryptors in Windows

The Qilin ransomware operation is notable for using Windows Subsystem for Linux (WSL) to run Linux encryptors on Windows systems, which helps the encryptors evade detection. These evolving tactics have led to over 700 attacks across 62 countries, with the operators exploiting legitimate remote tools and Windows utilities to breach networks and execute payloads. #Qilin #WinSCP

Key points

  • Qilin ransomware initially launched as "Agenda" in August 2022 before rebranding as Qilin.
  • The threat group uses a mix of legitimate programs, remote management tools, and Windows utilities for data theft and system inspection.
  • They perform Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security solutions prior to encryption.
  • Qilin affiliates use WSL to execute Linux encryptors within Windows, bypassing traditional detection methods.
  • Recent focus includes encrypting VMware ESXi virtual machines, with attackers deploying ELF Linux encryptors via WSL to evade defenses.
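
One way a detection engineer can surface the WSL technique described above, as an added example that is not part of the article and not Qilin's or any vendor's code: score Windows process-creation events for WSL launchers started from an unexpected parent, under a service account, or told to execute a file that lives on the Windows side of the /mnt boundary. The Sysmon-style field names, the parent-process baseline and the sample events are all constructed assumptions.

```python
import re

# Constructed Sysmon-style process-creation events, flattened to one line each.
# Illustrative sample data only, not real telemetry.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\wsl.exe"
    "|User=CORP\\dev01|CommandLine=wsl.exe -d Ubuntu",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\wsl.exe"
    "|User=CORP\\svc-backup|CommandLine=wsl.exe -u root -e /mnt/c/Users/Public/enc",
    "ParentImage=C:\\Windows\\System32\\svchost.exe|Image=C:\\Windows\\System32\\notepad.exe"
    "|User=CORP\\dev01|CommandLine=notepad.exe",
    "ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Windows\\System32\\wsl.exe"
    "|User=NT AUTHORITY\\SYSTEM|CommandLine=wsl.exe --exec /mnt/c/ProgramData/tmp/x",
]

WSL_IMAGES = {"wsl.exe", "bash.exe", "wslhost.exe"}
# Parents an interactive user would normally launch WSL from (assumed baseline).
EXPECTED_PARENTS = {"explorer.exe", "windowsterminal.exe", "code.exe",
                    "powershell.exe", "cmd.exe"}
NON_INTERACTIVE_USERS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                         "NT AUTHORITY\\NETWORK SERVICE"}
# WSL asked to run a file under /mnt/<drive>/, i.e. one dropped on the Windows filesystem.
EXEC_FROM_WINDOWS = re.compile(r"(?:-e|--exec|bash -c)\s+\S*?/mnt/[a-z]/", re.I)

def parse_event(line):
    """Turn one 'Key=Value|Key=Value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons); only WSL launcher images are scored."""
    if basename(ev["Image"]) not in WSL_IMAGES:
        return 0, []
    score, reasons = 0, []
    if basename(ev["ParentImage"]) not in EXPECTED_PARENTS:
        score, reasons = score + 1, reasons + ["unexpected parent process"]
    if ev["User"] in NON_INTERACTIVE_USERS:
        score, reasons = score + 1, reasons + ["launched by a service account"]
    if EXEC_FROM_WINDOWS.search(ev["CommandLine"]):
        score, reasons = score + 2, reasons + ["executes a file from /mnt (Windows filesystem)"]
    return score, reasons

def find_suspicious_wsl(lines, threshold=2):
    """Return [(user, score, reasons)] for events at or above the threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["User"], score, reasons))
    return hits
```

Tune the parent baseline and threshold to the environment; on hosts where WSL is not expected at all, any event reaching `score_event` is worth a look regardless of score.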

Read More: https://www.bleepingcomputer.com/news/security/qilin-ransomware-abuses-wsl-to-run-linux-encryptors-in-windows/