FOCUS MODE
EXTRACT IOC
Threat Research

Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024

Picussecurity
Qilin is a sophisticated ransomware group that emerged in July 2022, utilizing advanced tactics and exploiting vulnerabilities in popular software, notably demanding a high-profile ransom from a major pathology services provider. The group’s methods include initial access via misconfigurations and vulnerabilities, execution of malicious payloads, privilege escalation, and data encryption to impact recovery efforts. Comprehensive defense strategies are essential to mitigate risks posed by this persistent threat. Affected: Fortinet devices, Veeam Backup & Replication software, NHS hospitals.

Keypoints :

  • Qilin operates under a Ransomware-as-a-Service (RaaS) model, evolved from the Agenda ransomware initiative.
  • Gained notoriety with a million ransom demand from Synnovis, affecting NHS hospitals.
  • Employs techniques for initial access, including exploiting misconfigurations and software vulnerabilities.
  • Advanced encryption techniques employed with RSA and AES-256 algorithms.
  • Utilizes techniques for privilege escalation and lateral movement within networks.
  • Leverages a modular design to adapt behavior based on the attacker’s objectives.
  • Maintains stealth through log deletion and other evasion tactics.
  • Critical for organizations to implement robust defenses and response strategies against attacks.

MITRE Techniques :

  • TA0001: Initial Access Methods
  • T1133 External Remote Services: Targets remote access services, primarily Fortinet devices.
  • T1190 Exploit Public-Facing Application: Exploits CVE-2023-27532 in Veeam Backup & Replication.
  • TA0002: Execution
  • T1204.002 User Execution: Malicious File – Deploys ransomware payload as w.exe.
  • TA0004: Privilege Escalation
  • T1078.002 Valid Accounts: Gains access to domain accounts via proof of concept exploits.
  • T1134 Access Token Manipulation: Uses Mimikatz for credential dumping and token impersonation.
  • TA0005: Defense Evasion
  • T1070 Indicator Removal: Deletes system logs to prevent detection.
  • T1562.001 Impair Defenses: Disables or modifies security tools.
  • TA0007: Discovery
  • T1087.002 Account Discovery: Domain Account – Enumerates domain-connected hosts.
  • TA0008: Lateral Movement
  • T1021.002 Remote Services: Uses PsExec for lateral movement across local networks.
  • TA0040: Impact
  • T1490 Inhibit System Recovery: Disables backup integrity and volume shadow services.
  • T1486 Data Encrypted for Impact: Executes a comprehensive data encryption process.

Indicator of Compromise :

  • [CVE] CVE-2023-27532
  • [Product] Veeam Backup & Replication
  • [Filename] w.exe
  • [Command] “powershell” -Command “Get-WinEvent -ListLog *”
  • [Command] cipher /w:”X:”

Full Story: https://www.picussecurity.com/resource/blog/qilin-ransomware

Views: 25

Tags: CVE, WORM, CLOUD, VULNERABILITY, FIREWALL, EXPLOIT, RAAS, PRIVILEGE