What is a Qilin?
In Chinese mythology, a qilin is a creature that has an appearance somewhere between a dragon and a unicorn. In the cyber world, Qilin is a ransomware group based within Russia. Qilin offers Ransomware-as-a-Service (RaaS) affiliate program typically requiring of the order of 25% as a fee. It performs double extortion (i.e., encryption and data exfiltration) and maintains a leak site listing Qilin victims on the dark web.
History of Qilin
The ransomware group, also known as Agenda, has existed since at least mid-2022 and has targeted critical commercial and public organizations across most continents with documented attacks in South America (including Argentina, Brazil, Colombia), North America (Canada and United States) Europe (including France, Germany, Netherlands, Spain, the UK, and Serbia) as well as Asia (China, Indonesia, Malaysia, Japan, Thailand, Saudi Arabia, and UAE) and Oceania (Australia and New Zealand). Previously written in Go newer versions are written in Rust for which reverse-engineering tools are still in the early stages.
Selected Attacks
An attack on a UK National Health System provider, Synovis, on June 3, 2024, has been attributed to Qilin. Patients have been transferred from affected hospitals to alternates to deal with the emergency. Consistent with other ransomware groups targeting healthcare organisations, in May 2024, Qilin attacked the website of Charles A Evans, an east coast American Health Provider, In December 2023, Court Services Victoria in Melbourne, Australia were attacked by Qilin causing significant disruption to legal processes. The Qilin group has responsibility for a ransomware attack on Yanfeng Automotive Interiors, a major Chinese automotive parts developer and manufacturer focused on interior elements.
Technical Details
Qilin requires a password to initiate. We found ‘AgendaPass’ sufficed for some but not all examples. Passwords are generally crafted for each victim to make analysis more difficult. Although Qilin supports various encryption algorithms (see below), we found it defaulted to encrypting files using the AES-CTR algorithm with 256-bit keys. As is common, the standard configuration excludes various extensions (e.g., exe, dll, bin), filenames (e.g., desktop.ini, ntuser.dat, $recycle.bin), and folders (e.g. windows, program files (x86)) are excluded from encryption. Terminated processes and services include the Microsoft Office suite as well as various anti-virus applications. After files are encrypted, they are renamed with a randomized 9 alphabetic extension (e.g., OKJRM-RKPy) and a ransomware note README- RECOVER-extension.txt is created in each folder. A typical note starts:
“– Qilin
Your network/system was encrypted.
Encrypted files have new extension.
– Compromising and sensitive data”
Key parameters used to execute Qilin on the command line are:
- encryption encryption algorithm
- min-size minimum file size to be encrypted
- no-proc Processes not terminated
- no-services Services not terminated
- password Password to execute
- path Directories to be encrypted
- safe Boot in safe mode
- stat Show configuration
Recovery
Memcrypt Detect identifies live ransomware attacks and uses file and memory forensics to recover from forensic attacks. We recovered data using our product against a wide range of ransomware families, including Qilin, that use standard and non-standard encryption algorithms. Please contact us on sales@memcrypt.io to see how we can assist you in recovering from ransomware.
References
Further Qilin Technical Analysis
DISCLAIMER
This document is not a substitute for obtaining security and legal advice. All reasonable measures should be taken to lower the risk of exploitable potential weaknesses. This report does not constitute a guarantee or assurance of compliance. MemCrypt is not ultimately responsible for assessing and meeting compliance responsibilities.
