
Qilin, also known as Agenda, is a dangerous ransomware-as-a-service (RaaS) operation that collaborates with affiliates to target organizations, encrypt their data, and exfiltrate sensitive information. After compromising a system, Qilin demands a ransom to decrypt the data and prevent the release of stolen files.

The Qilin ransomware group takes its name from a mythical creature in Chinese folklore, which is described as a combination of a dragon and a horned beast, often compared to a unicorn.

In this article, we’ll explore the origins of the Qilin ransomware group, its methods of attack, notable victims, and how its double extortion strategy works. We will also look at the group's growing presence in the world of ransomware-as-a-service and provide insights into how organisations can protect themselves against these evolving cybersecurity threats.

What is Qilin?

Qilin’s ransomware activities were first reported on its darknet leak site in October 2022, and its attacks have been steadily increasing since then. Notable victims include The Big Issue, the well-known street newspaper, automotive parts manufacturer Yanfeng, and Australian court services.

In June 2024, Qilin made headlines with a ransomware attack on Synnovis, a service provider for UK healthcare organisations and hospitals. Qilin is infamous for using double extortion tactics: stealing victims’ data, encrypting systems, and threatening to leak or sell the stolen information unless the ransom is paid.

How Does the Qilin Ransomware Group Attack?

The ransomware group gains initial access to environments using compromised credentials, a tactic that is frequently observed in their attacks. This method of entry is not new for Qilin, but it remains effective.

[Image: Qilin's ransom note]

The attacker's dwell time between initial access and further lateral movement was approximately eighteen days, suggesting the possible involvement of an Initial Access Broker. Once this period ended, Qilin's activities increased, and lateral movement toward the domain controller was observed. This movement leveraged compromised credentials to execute the next phase of the attack.

Upon reaching the domain controller, the attacker modified the default domain policy, introducing a logon-based Group Policy Object (GPO).

This GPO deployed two key components:

  1. A PowerShell script named “IPScanner.ps1”, placed in a temporary directory within the SYSVOL folder on the domain controller. This 19-line script aimed to harvest credentials stored in Chrome browsers on affected machines.
  2. A batch script named “logon.bat”, designed to trigger the execution of the PowerShell script during user logins.

This attack structure allowed credentials saved in Chrome browsers to be collected from any machine connected to the network each time a user logged in, thanks to the logon GPO.

Qilin Ransomware Group Tactics

The Qilin ransomware group directs victims to communicate through Dark Web portals or encrypted messaging services like Telegram, ensuring the anonymity of the attackers. This complicates law enforcement's efforts to trace the interactions.

Payments are demanded in cryptocurrencies, such as Bitcoin or Monero, to maintain anonymity and further hinder traceability. However, even after ransom payments, there is no guarantee that victims will receive the necessary decryption tools to recover their files.

[Image: Qilin message instructing victims to download the TOR browser, which redirects them to the group's dark web portal]

Qilin Ransomware Notorious Attacks

Qilin Attack on Synnovis 

In early June, a critical incident was declared at several London NHS hospitals after a ransomware attack on Synnovis, a key provider of blood testing and transfusion services. The Qilin ransomware group quickly claimed responsibility, announcing on its dark web leak site that it would release stolen data from the attack.

The Qilin ransomware attack has reportedly led to a staggering $50 million ransom demand on Synnovis to decrypt the affected systems and prevent the publication of sensitive data. Despite this, the Qilin gang has insisted in media interviews that the attack was not financially motivated, claiming it was part of a protest against the British government’s involvement in an unspecified war.

This political motivation is a surprising twist, as the Qilin ransomware group has not previously shown any such motivations. Historically, they have targeted a wide range of victims, including hospitals, healthcare organizations, schools, and businesses across industries. The $50 million ransom reflects the immense disruption to NHS hospitals and patient care, which raises doubts about the sincerity of Qilin’s political claims.

[Image: Qilin's Synnovis downloads page]

The Qilin ransomware attack has had severe consequences for NHS trusts and GP surgeries relying on Synnovis’ services. Since the attack was detected on June 3rd, hospitals have faced major disruptions, including:

  • Blood stock shortages
  • Delays in medical procedures
  • Cancelled operations and appointments

The NHS, known for its complex IT systems and limited budgets, is often seen as a soft target for ransomware groups. Unlike a business that can halt operations for a few days, healthcare providers cannot afford downtime without putting lives at risk, making hospitals more vulnerable to cyber extortion.

Google Chrome Credential Theft

According to cybersecurity firm Sophos, a recent Qilin ransomware attack has targeted Google Chrome users by stealing credentials stored in the browser, compromising a small set of endpoints. This attack highlights an alarming shift in ransomware tactics, combining credential harvesting with ransomware deployment, posing severe security risks.

First observed in July 2024, the attack began with compromised credentials from a VPN portal lacking MFA, granting the attackers access to the target network. After an 18-day delay, the threat actors initiated post-exploitation actions, reaching the domain controller and editing the default domain policy.

The attackers implemented a logon-based group policy object (GPO), introducing two key components. The first, a PowerShell script (IPScanner.ps1), harvested credential data stored in Google Chrome. The second was a batch script (logon.bat) designed to trigger the credential-harvesting process during user logins. This GPO remained active for over three days, allowing attackers to capture credentials each time affected users logged in.

Following this, the attackers exfiltrated the stolen credentials and erased traces of the attack before encrypting files and leaving a ransom note in every directory on the system. As a result, compromised users are now forced to change their Google Chrome passwords and all related third-party credentials.
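The logon-GPO chain described in this section and in "How Does the Qilin Ransomware Group Attack?" above (logon.bat in SYSVOL launching IPScanner.ps1, which then reads saved Chrome credentials) leaves two telemetry signals a defender can look for: PowerShell started from a SYSVOL logon-script path, and a process other than the browser opening Chrome's "Login Data" store. The detector below is an added example, not code from the article, from Sophos or from the Qilin operators. It runs over constructed process-creation records whose field names are this example's own simplification of what a Windows Security event 4688 or Sysmon event 1 plus a file-access sensor would provide; the domain name, user names and SYSVOL paths are made up.

```python
"""Detection logic for the logon-GPO credential-harvesting pattern.

Added example: constructed records, simplified field names (not a real
log schema).  Two rules are applied to each record:
  1. PowerShell launched from a SYSVOL logon script.
  2. A non-browser process opening Chrome's saved-credential store.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Chrome keeps saved logins in "Login Data" under the user profile; the
# path fragment is Chrome's real Windows location.
CHROME_LOGIN_DATA = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
# Matches both the UNC form (\\dc\SYSVOL\...) and the DC-local form
# (C:\Windows\SYSVOL\...) of a script stored in SYSVOL.
SYSVOL_PATH = re.compile(r"\\SYSVOL\\", re.IGNORECASE)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
BROWSER = re.compile(r"\\chrome\.exe$", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """One process-creation record (constructed schema for this example)."""
    host: str
    user: str
    image: str                 # full path of the new process
    command_line: str
    parent_image: str
    parent_command_line: str
    file_opened: str = ""      # set by a file-access sensor, if present


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    detail: str


def powershell_from_sysvol(ev: ProcessEvent) -> Optional[Finding]:
    """Rule 1: PowerShell whose own or parent command line points into SYSVOL.

    Legitimate logon scripts can trigger this too, so treat a hit as a
    lead to triage (which GPO, which script, who changed it), not proof.
    """
    if not POWERSHELL.search(ev.image):
        return None
    if not (SYSVOL_PATH.search(ev.command_line)
            or SYSVOL_PATH.search(ev.parent_command_line)):
        return None
    return Finding("powershell_from_sysvol_logon_script", ev.host, ev.user,
                   ev.command_line)


def non_browser_login_data_access(ev: ProcessEvent) -> Optional[Finding]:
    """Rule 2: something other than chrome.exe opened Chrome's Login Data."""
    if not ev.file_opened or not CHROME_LOGIN_DATA.search(ev.file_opened):
        return None
    if BROWSER.search(ev.image):
        return None
    return Finding("non_browser_chrome_login_data_access", ev.host, ev.user,
                   f"{ev.image} opened {ev.file_opened}")


def scan(events: List[ProcessEvent]) -> List[Finding]:
    """Apply both rules to every record, in order; return all findings."""
    findings: List[Finding] = []
    for ev in events:
        for rule in (powershell_from_sysvol, non_browser_login_data_access):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: one benign browser start, the logon.bat
# launch, the PowerShell child that reads Login Data, and an unrelated
# admin PowerShell session that must not fire.
SYSVOL_TMP = r"\\corp.example\SYSVOL\corp.example\scripts\tmp"
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\alice",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "chrome.exe", r"C:\Windows\explorer.exe", "explorer.exe",
                 r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ProcessEvent("WS01", "CORP\\alice", r"C:\Windows\System32\cmd.exe",
                 rf"cmd.exe /c {SYSVOL_TMP}\logon.bat",
                 r"C:\Windows\System32\userinit.exe", "userinit.exe"),
    ProcessEvent("WS01", "CORP\\alice",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 rf"powershell.exe -File {SYSVOL_TMP}\IPScanner.ps1",
                 r"C:\Windows\System32\cmd.exe",
                 rf"cmd.exe /c {SYSVOL_TMP}\logon.bat",
                 r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ProcessEvent("WS02", "CORP\\bob",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Process", r"C:\Windows\explorer.exe",
                 "explorer.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} {f.user}: {f.detail}")
```

Rule 1 on its own will also match ordinary logon scripts that call PowerShell, which is why the two signals are kept separate: a SYSVOL-launched PowerShell that then touches the browser's credential store is the combination worth paging on, and the GPO change itself (a modification to the default domain policy on the domain controller) is the event to correlate it with.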

How to Protect Your Organization from Qilin Ransomware Attacks?

Qilin ransomware has become a significant threat, particularly targeting industries like healthcare, education, and public administration. These sectors are often vulnerable due to their reliance on critical data and weaker cybersecurity measures compared to financial institutions or governments. However, no industry is immune from Qilin's reach.

Best Practices to Safeguard Your Organisation

To safeguard your organisation, it’s essential to follow best practices in cybersecurity:

  1. Offsite Backups: Regularly back up your critical data to offsite locations. In the event of a ransomware attack, secure backups will ensure that you can restore your systems without paying the ransom.
  2. Keep Security Solutions Updated: Ensure your antivirus software and all security solutions are up to date. Regularly install the latest security patches to close vulnerabilities that Qilin or other ransomware can exploit.
  3. Network Segmentation to Limit Lateral Movement: Restrict an attacker’s ability to move laterally across your network through proper network segmentation. This will isolate critical systems and limit the spread of ransomware.
  4. Use Strong Passwords and Multi-Factor Authentication: Protect sensitive data and accounts with strong, unique passwords. Enable MFA wherever possible to add an extra layer of security.
  5. Encrypt Sensitive Data: Implement data encryption to protect sensitive information, making it harder for attackers to access or exploit even if they breach your system.
  6. Reduce Your Attack Surface: Disable unnecessary services and features within your organisation to minimise the attack surface that cybercriminals can exploit.
  7. Educate Your Staff: Provide ongoing cybersecurity training for employees. Educating your staff about phishing, social engineering, and ransomware tactics will reduce the risk of human error leading to a breach.