Cybersecurity researchers have uncovered a more sophisticated version of the Qilin ransomware with enhanced evasion techniques.
The latest variant, known as Qilin.B, has been identified by cybersecurity company Halcyon.
“Qilin.B now uses AES-256-CTR encryption for AESNI-enabled systems and Chacha20 for systems without AESNI support,” the Halcyon Research Team stated.
“Moreover, the ransomware employs RSA-4096 with OAEP padding to secure encryption keys, making decryption without the attacker’s private key or seed values nearly impossible.”
Qilin, also referred to as Agenda, first emerged in mid-2022 and has since evolved its encryption methods.
An analysis by Group-IB in 2023 revealed that affiliates of the ransomware scheme can earn up to 85% of each ransom payment they facilitate.
Recent Qilin attacks have focused on stealing Google Chrome credentials from compromised systems, deviating from traditional extortion practices.
Halcyon’s examination of Qilin.B samples indicates improved encryption features and evasion strategies.
The ransomware now relies on the stronger encryption scheme described above and actively evades security measures by disrupting services, wiping event logs, and deleting itself after execution.
It also targets backup and virtualization processes, hindering recovery efforts.
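The evasion behaviours described above (service disruption, log wiping, interference with backup and virtualization processes) are the kind of host telemetry a defender can correlate. The following is an added example written for this article, not code from Halcyon's report; the event IDs, service names and sample records are assumed indicators, not Qilin.B-specific IoCs from the page.

```python
"""Correlate constructed Windows event records for the evasion behaviours
described in the article. Indicator values below are assumptions (well-known
Windows event IDs and service names), not indicators published for Qilin.B."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    event_id: int   # Windows Event ID
    channel: str    # "Security" or "System"
    detail: str     # rendered message text

# Assumed indicators: 1102/104 are the standard "log cleared" events,
# 7036 is the Service Control Manager state-change event.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
SERVICE_STATE = ("System", 7036)
BACKUP_VIRT_SERVICES = {"VSS", "VeeamBackupSvc", "vmms", "SQLWriter"}
SECURITY_SERVICES = {"WinDefend", "Sense"}
STATE_RE = re.compile(r"The (\S+) service entered the (\w+) state")


def classify(ev):
    """Map one event to a behaviour tag, or None if it is not of interest."""
    key = (ev.channel, ev.event_id)
    if key in LOG_CLEARED:
        return "log_wipe"
    if key == SERVICE_STATE:
        m = STATE_RE.match(ev.detail)
        if m and m.group(2) == "stopped":
            if m.group(1) in BACKUP_VIRT_SERVICES:
                return "backup_disruption"
            if m.group(1) in SECURITY_SERVICES:
                return "security_service_disruption"
    return None


def score_hosts(events, min_distinct=2):
    """Return hosts showing at least `min_distinct` distinct behaviour tags."""
    tags = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            tags[ev.host].add(tag)
    return {h: sorted(t) for h, t in tags.items() if len(t) >= min_distinct}

# Constructed sample telemetry, not real log data.
SAMPLE = [
    Event("ws01", 7036, "System", "The WinDefend service entered the stopped state"),
    Event("ws01", 7036, "System", "The VSS service entered the stopped state"),
    Event("ws01", 1102, "Security", "The audit log was cleared"),
    Event("ws02", 7036, "System", "The Spooler service entered the stopped state"),
    Event("ws02", 104, "System", "The System log file was cleared"),
]
```

A single stopped service or a single cleared log is noisy on its own; requiring several distinct behaviours on one host, as `score_hosts` does, is what makes the alert worth a responder's time.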
“Qilin.B’s blend of robust encryption, evasion tactics, and backup disruption makes it a potent threat,” according to Halcyon.
The evolving nature of ransomware threats is also evident in the emergence of Rust-based tooling associated with Embargo, which is designed to disable security solutions before the ransomware is deployed.
One such tool, MS4Killer, has been observed terminating endpoint protection software using the Bring Your Own Vulnerable Driver (BYOVD) technique before the ransomware attack begins.
Both the EDR killer and the Embargo ransomware itself are written in Rust, indicating a preference for the language among threat actors.
Microsoft data shows that ransomware incidents have plagued U.S. healthcare institutions, resulting in significant financial losses.
Notable ransomware groups targeting healthcare include Lace Tempest, Sangria Tempest, Cadenza Tempest, and Vanilla Tempest.
“Of the healthcare organizations that paid ransoms, the median payment was $1.5 million, with an average of $4.4 million,” Microsoft reported.