New Qilin ransomware encryptor features stronger encryption, evasion

October 24, 2024 at 11:22AM

The new Qilin.B ransomware, identified by Halcyon, features advanced encryption techniques and evasion strategies, targeting critical systems and processes to obstruct data recovery. It utilizes AES-256-CTR, ChaCha20, and RSA-4096 for robust encryption. The malware poses significant threats to networks, building on previous high-profile attacks.

### Meeting Takeaways:

1. **Introduction of Qilin.B Ransomware**:
– A new variant of the Qilin ransomware, named ‘Qilin.B’, has been detected, presenting enhanced features including stronger encryption and better evasion techniques against security tools.

2. **Encryption Techniques**:
– Qilin.B employs AES-256-CTR encryption using AES-NI capabilities for fast processing on compatible CPUs. For older systems without AES-NI, it uses ChaCha20, ensuring robust encryption across all systems.
– RSA-4096 encryption with OAEP padding is utilized for additional protection of encryption keys, complicating decryption without required keys.

3. **Malware Behavior**:
– Upon execution, Qilin.B modifies the Windows Registry for persistence and terminates key processes to facilitate data encryption while disabling security measures.
– Targeted processes and services include:
  – Veeam
  – Windows Volume Shadow Copy Service
  – SQL database services
  – Sophos
  – Acronis Agent
  – SAP

4. **Data Manipulation**:
– The ransomware deletes existing volume shadow copies to prevent easy restoration and clears the Windows Event Logs to hinder forensic analysis. The malicious binary is also removed after encryption completes.
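As an added defender-side example (not code from the article or from Halcyon's report), the following Python flags the behaviours listed in items 3 and 4 in a small set of constructed Windows event records: backup and security services stopping, a shadow-copy deletion command, and the event log being cleared. Assumptions: the `Channel|EventID|Message` export format is our own, the `vssadmin`/`wmic` command strings are the commonly observed ones rather than anything the article quotes, and the event IDs are the standard Windows ones (Security 1102, System 104, System 7036, Security 4688).

```python
import re

# Backup and security products the summary names as Qilin.B kill targets
# (lower-case substrings matched against the stopped service's display name).
TARGET_SERVICES = ("veeam", "volume shadow copy", "sql", "sophos", "acronis", "sap")

# Detection rules: (category, channel, event id, regex over the message or None).
RULES = [
    ("event log cleared", "Security", 1102, None),
    ("event log cleared", "System", 104, None),
    ("shadow copy deletion", "Security", 4688,
     re.compile(r"vssadmin\.exe.*delete\s+shadows|wmic\.exe.*shadowcopy\s+delete", re.I)),
    ("backup/security service stopped", "System", 7036,
     re.compile(r"The (.+?) service entered the stopped state", re.I)),
]

# Constructed sample export; constructed: not taken from a real incident.
SAMPLE_LOG = """
System|7036|The Print Spooler service entered the stopped state.
System|7036|The Veeam Backup Service service entered the stopped state.
System|7036|The Sophos Anti-Virus service entered the stopped state.
Security|4688|A new process has been created. Process Command Line: vssadmin.exe delete shadows /all /quiet
Security|1102|The audit log was cleared.
Security|4688|A new process has been created. Process Command Line: notepad.exe readme.txt
"""

def parse_record(line):
    """Split one 'Channel|EventID|Message' record (our assumed export format)."""
    channel, event_id, message = line.split("|", 2)
    return channel.strip(), int(event_id), message.strip()

def detect(log_text):
    """Return (category, message) hits in log order; one hit alone is weak, several categories are not."""
    hits = []
    for line in log_text.strip().splitlines():
        channel, event_id, message = parse_record(line)
        for category, rule_channel, rule_id, pattern in RULES:
            if channel != rule_channel or event_id != rule_id:
                continue
            match = pattern.search(message) if pattern else None
            if pattern is not None and match is None:
                continue
            # A stopped service only counts when it is one of the listed targets.
            if category.startswith("backup") and not any(
                    t in match.group(1).lower() for t in TARGET_SERVICES):
                continue
            hits.append((category, message))
    return hits

def precursor_score(hits):
    """Number of distinct categories that fired; two or more on one host merits an incident ticket."""
    return len({category for category, _ in hits})

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for category, message in found:
        print(f"[{category}] {message}")
    print("distinct categories:", precursor_score(found))
```

Hunting for the combination (services stopped, shadow copies deleted, logs cleared) within a short window on one host is what separates this from routine service restarts.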

5. **Targeted Data**:
– Qilin.B targets both local directories and network folders, generating ransom notes for each processed directory, including a victim ID.

6. **Network Impact and Persistence**:
– It modifies the Registry to enhance network drive sharing capabilities, broadening its attack reach.

7. **Previous Activities**:
– Qilin has been associated with significant attacks against organizations such as major London hospitals and Court Services Victoria, and is known for deploying custom info-stealers to harvest credentials.

8. **Related Threats**:
– The discussion noted the existence of a Linux variant of Qilin targeting VMware ESXi systems, while the ongoing threat primarily concerns Windows environments.

9. **Context of Current Threat**:
– Although Qilin.B’s features are not revolutionary in the ransomware landscape, its execution by established threat groups poses considerable risks for various sectors.

### Action Items:
– Review and enhance current cybersecurity measures to address the threats posed by Qilin.B.
– Conduct training for employees to recognize potential ransomware indicators.
– Update backup protocols to mitigate risks associated with data recovery processes.
