The cybersecurity landscape continues to evolve as new, more dangerous ransomware variants emerge, each boasting improved tactics. One of the latest threats to make headlines is the Qilin.B ransomware variant, an advanced iteration of the Qilin ransomware-as-a-service (RaaS) operation, also known as Agenda. First identified in July 2022, Qilin has targeted both Windows and Linux systems, focusing on data exfiltration for double extortion. With the advent of Qilin.B, attackers are now equipped with even more potent encryption methods and refined techniques for evading detection and corrupting backups, leaving organizations more vulnerable than ever.
In this article, we explore the key features of Qilin.B, examine its operational tactics, and provide crucial advice to help businesses defend against this growing ransomware threat.
Qilin.B: Enhanced Encryption and Evasion Tactics
Qilin.B represents a more sophisticated version of the original Qilin ransomware, with significant improvements in its encryption capabilities and evasion techniques. Written in Rust—a programming language that is difficult to reverse-engineer—the ransomware can now execute across a broader range of systems while actively avoiding detection.
Key Enhancements in Qilin.B:
- Advanced Encryption Methods
Qilin.B employs two primary encryption methods: AES-256-CTR and Chacha20. Systems with AESNI capabilities are protected using AES-256-CTR, while others rely on Chacha20. The ransomware uses RSA-4096 encryption with OAEP padding to safeguard encryption keys, making it impossible to decrypt files without access to the attacker’s private keys. - Ransom Notes and Extortion Strategy
For each encrypted directory, Qilin.B generates a ransom note titled “README-RECOVER-[company_id].txt,” directing victims to a Tor website where they can find payment instructions and decryption information. The ransomware appends a unique identifier to the encrypted files, allowing its affiliates to track specific targets efficiently. - Backup Disruption
One of the most alarming features of Qilin.B is its ability to corrupt backup systems. By deleting volume shadow copies (VSS) with the commandvssadmin delete shadows /all /quiet
, the ransomware disables critical recovery mechanisms, leaving organizations unable to restore their systems without paying the ransom. - Targeted Process and Service Termination
Qilin.B is designed to terminate or disable essential security, backup, and virtualization services. By targeting services such as Veeam, VSS, SQL, Sophos, and Acronis, the ransomware neutralizes critical defenses that organizations rely on for data protection and system integrity. - Defense Evasion
Qilin.B is particularly adept at evading detection and forensic analysis. It clears Windows Event Logs using PowerShell commands to erase evidence of its actions, making it harder for investigators to track its movements. Furthermore, after executing its payload, the ransomware deletes itself to remove traces of its presence on the infected system.
How Qilin.B Operates:
Once executed, Qilin.B follows a precise sequence to maximize its impact:
- Verifying Administrative Privileges: The ransomware checks if it has sufficient access to execute its functions.
- Detecting Virtual Machine Environments: Qilin.B identifies if it’s running in a virtual environment and adapts its behavior accordingly to avoid detection.
- System Modifications: It adds registry entries for persistence, ensuring it can continue operating even after system reboots.
- File Selection and Enumeration: The ransomware scans network drives, avoiding system-critical directories like Windows, Program Files, and Intel to prevent accidental system crashes during encryption.
- Encryption Process: Qilin.B encrypts all located files and appends the ransomware’s company identifier to the file extensions, effectively locking out users.
Indicators of Compromise (IOCs):
While the specific IOCs for each attack vary based on the victim organization, key indicators of Qilin.B infections include the presence of ransom notes titled “README-RECOVER-[company_id].txt” and files encrypted with the custom extension linked to the affiliate responsible for the attack.
10 Ways to Protect Against Qilin.B and Similar Ransomware Threats:
- Regular Backups: Ensure that backups are stored offline or in environments protected against unauthorized changes, and test backup restoration procedures regularly.
- Patch Management: Keep systems updated with the latest security patches to close known vulnerabilities that ransomware exploits.
- Advanced Endpoint Detection and Response (EDR): Deploy advanced EDR tools that monitor for suspicious behavior such as unexpected file encryption or log clearing.
- Network Segmentation: Limit the spread of ransomware by segmenting networks, ensuring that critical systems are isolated from infected workstations.
- Implement Zero Trust Architecture: Adopt a zero-trust approach to limit access privileges, ensuring that users only have access to the resources they need for their roles.
- Multi-factor Authentication (MFA): Use MFA for all critical systems and remote access points to prevent attackers from exploiting compromised credentials.
- Employee Training: Educate employees on the risks of phishing and social engineering attacks, which are common entry points for ransomware infections.
- Disable Remote Desktop Protocol (RDP): If RDP is not essential, disable it to prevent unauthorized access. If necessary, secure it with strong passwords, MFA, and network-level authentication.
- Monitor Network Traffic: Use intrusion detection systems (IDS) and firewalls to monitor inbound and outbound network traffic for unusual activity.
- Create an Incident Response Plan: Have a robust incident response plan that outlines procedures for isolating affected systems, notifying stakeholders, and recovering from a ransomware attack.
Conclusion:
Qilin.B represents the next step in ransomware evolution, combining sophisticated encryption methods, advanced defense evasion techniques, and disruption of backup systems to increase its impact on victims. Organizations need to stay vigilant, deploying multi-layered defenses and actively monitoring for signs of ransomware activity. By taking proactive steps to safeguard critical data and systems, businesses can reduce their vulnerability to Qilin.B and similar threats.
Want to stay on top of cybersecurity news? Follow us on Facebook – X (Twitter) – Instagram – LinkedIn – for the latest threats, insights, and updates!