The newly discovered version of the Qilin ransomware, called Qilin.B, demonstrates enhanced capabilities and more sophisticated evasion tactics, making it more dangerous. According to cybersecurity firm Halcyon, the key technical updates in this variant include:

1. Encryption Algorithm Upgrades:
   • AES-256-CTR (Advanced Encryption Standard): For systems with AESNI (Advanced Encryption Standard New Instructions) support, Qilin.B uses AES-256 in Counter mode, a highly efficient and secure encryption standard.
   • Chacha20: For systems that do not support AESNI, the ransomware retains the use of the Chacha20 encryption algorithm, which is known for its speed and security.
2. RSA-4096 with OAEP Padding:
   • RSA-4096 encryption is used to safeguard the encryption keys. With Optimal Asymmetric Encryption Padding (OAEP), this makes file decryption virtually impossible without access to the attacker’s private key or seed values, adding an extra layer of security to protect the encryption keys.

One of the key aspects of Qilin’s evolution is its shift towards a Ransomware-as-a-Service (RaaS) model. According to a May 2023 report by Group-IB, affiliates involved in the operation can retain a significant portion of the ransom—between 80% to 85%—after establishing communication with a Qilin recruiter. This decentralized structure allows the ransomware to proliferate more widely through affiliate networks.

Recent Qilin attacks have also deviated from the traditional double extortion strategy (encrypting data and threatening to leak it). Instead, recent operations have focused on credential theft, such as harvesting credentials stored in Google Chrome browsers on compromised endpoints. This is indicative of a broader strategy to gain deeper access to systems beyond just encryption for ransom.

The newer variant, Qilin.B, analyzed by Halcyon, expands upon the tactics and encryption mechanisms of its predecessors, making it significantly more dangerous:

1. Advanced Encryption:
   • AES-256-CTR or Chacha20: The ransomware dynamically selects between AES-256-CTR and Chacha20 encryption algorithms, depending on system support, allowing it to optimize for security and performance.
2. Enhanced Evasion and Persistence:
   • Service Termination: Qilin.B actively terminates services related to security tools, effectively resisting detection and analysis.
   • Log Clearing: It continuously clears Windows Event Logs to erase traces of its activities, making it harder for forensic investigators to trace the attack.
   • Self-deletion: After completing its tasks, the ransomware deletes itself to evade post-attack detection.
3. Disruption of Backup and Recovery Systems:
   • Killing Processes: Qilin.B is designed to kill processes related to backup services like Veeam, SQL, and SAP, significantly complicating recovery efforts by targeting critical data infrastructure.
   • Deleting Volume Shadow Copies: By removing shadow copies, the ransomware prevents system rollback, further crippling recovery processes.

The ransomware threat continues to pose significant challenges to the healthcare sector, with new tools and techniques constantly evolving to increase the effectiveness of attacks. Recent analysis highlights MDeployer and MS4Killer, both written in the Rust programming language, as central components in a campaign dubbed Embargo, which targets vulnerable networks.

1. MDeployer: Described as the main malicious loader, MDeployer plays a pivotal role in initiating attacks on compromised networks. It facilitates the deployment of other malicious components, including ransomware, and ultimately leads to file encryption.
2. MS4Killer: This tool is expected to run indefinitely and likely serves to disable specific services, such as Microsoft Security services (MS4K), which could prevent detection and response efforts, leaving networks more vulnerable to the ransomware.
3. Rust-based Ransomware: The ransomware payload itself, as well as the malicious tools, are written in Rust, indicating a trend among sophisticated attackers. Rust has become the “go-to” language for this group due to its performance benefits, low-level control, and resistance to reverse engineering.

Technical Details:

1. CVSS (Common Vulnerability Scoring System):

• Since MDeployer and MS4Killer are tools used in delivering ransomware, the CVSS score would be highly context-dependent. If a vulnerability is exploited to deliver these tools, the CVSS score would rate factors such as attack vector (network, local), privileges required, and impact (confidentiality, integrity, availability).
• For instance, vulnerabilities in outdated systems or unpatched software can be exploited to gain initial access to deploy loaders like MDeployer. These vulnerabilities typically score high or critical CVSS ratings (7.0 and above).

2. CVE (Common Vulnerabilities and Exposures):

• No CVE identifiers have been directly attributed to MDeployer and MS4Killer yet, but in ransomware campaigns, attackers often leverage well-known CVEs to gain initial access or elevate privileges within a network. Some of the common types of vulnerabilities exploited include:
  • Remote Code Execution (RCE) vulnerabilities (e.g., unpatched Microsoft Exchange vulnerabilities).
  • Privilege escalation vulnerabilities in operating systems.
  • VPN appliance vulnerabilities that allow access to healthcare networks (e.g., CVE-2023-28771 in Fortinet VPNs).
• For example, if the ProxyShell vulnerability (CVE-2021-34473) is used in the initial compromise, it could be linked to such ransomware attacks.

3. Affected Products:

• The affected products typically include:

• Microsoft Windows systems, particularly those with unpatched vulnerabilities in services such as Remote Desktop Protocol (RDP) or Windows Event Log services.
• Healthcare infrastructure, including systems using virtualization technologies (e.g., Veeam, VMware, and SQL servers), which are often targeted to disrupt operations.
• Browsers like Google Chrome, where credentials are stored locally and can be stolen.

• Specific healthcare systems and IT products are also targeted, including:

• EHR (Electronic Health Record) systems.
• PACS (Picture Archiving and Communication Systems) used in radiology.

4. Tactics, Techniques, and Procedures (TTPs):

• Initial Access: Common techniques include phishing, exploiting known vulnerabilities in internet-facing systems (such as VPNs or RDP), or exploiting unpatched software.
• Persistence: Tools like MDeployer are used to maintain persistence and facilitate further stages of the attack.
• Defense Evasion: MS4Killer disables security services like Microsoft Defender and clears event logs to hide malicious activities.
• Impact: Ransomware payloads like those delivered by Qilin or the Embargo group encrypt files and disable backup services (e.g., deleting volume shadow copies), severely impacting system availability.

5. Impact:

1. Financial Impact:

• Downtime Costs: The downtime caused by ransomware attacks can be devastating, especially in critical sectors like healthcare. According to data shared by Microsoft, attacks on U.S. healthcare institutions have cost victims up to $900,000 per day due to system unavailability, canceled procedures, and interrupted patient care.
• Ransom Payments: In the healthcare sector alone, the median ransom payment was around $1.5 million, while the average ransom payment has reached $4.4 million. Organizations are often pressured into paying these ransoms to quickly regain access to critical systems and data, as downtime can lead to life-threatening situations in hospitals.
• Recovery Costs: Even when an organization refuses to pay the ransom, the costs of recovering from an attack, restoring systems, and investigating the breach can run into the millions.

2. Operational Impact:

• Disruption of Critical Services: In healthcare, ransomware attacks can lead to the shutdown of IT systems that manage medical devices, patient records, and treatment schedules. This can result in:
  • Postponed surgeries and treatments.
  • Inaccessible patient data (e.g., electronic health records, diagnostic imaging).
  • Life-threatening delays in patient care, particularly in emergency rooms and intensive care units.
• Loss of Data: Ransomware often encrypts critical files and data, rendering them inaccessible. In some cases, backups are also deleted (as seen with tools like MS4Killer deleting volume shadow copies), making recovery even more difficult without paying the ransom.

3. Reputational Impact:

• Loss of Trust: Organizations, especially in the healthcare sector, depend on the trust of patients and clients to safeguard sensitive personal data. A ransomware attack that leads to service disruption or data breaches can damage an organization’s reputation, causing patients or customers to lose trust.
• Regulatory Fines and Legal Consequences: Healthcare organizations are subject to strict regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the U.S., which mandates the protection of patient data. Failing to secure this data can lead to significant regulatory fines and legal action following a ransomware attack.

4. Data Theft and Extortion:

• Data Exfiltration: Many modern ransomware attacks follow the double extortion model, where attackers not only encrypt data but also steal sensitive information and threaten to leak it unless the ransom is paid. This can include:
  • Personally identifiable information (PII).
  • Protected health information (PHI), such as medical records and treatment histories.
• Privacy Breaches: Leaked medical records or personal data can have severe consequences for affected individuals, exposing them to identity theft, discrimination, or public embarrassment.

5. Technical Impact:

• System Availability: Attackers target critical infrastructure services such as backup solutions (e.g., Veeam), databases (e.g., SQL), and virtualization environments. By killing processes related to these services, ransomware like Qilin and the Embargo group hampers efforts to restore systems, making it extremely difficult for IT teams to recover without paying the ransom.
• Permanent Data Loss: By deleting volume shadow copies and corrupting backups, ransomware attacks often leave organizations with no means of restoring data, leading to permanent loss if no external backups are available.

6. National and Industry-Wide Impact:

• Healthcare Sector: The healthcare sector is a critical infrastructure target, and ransomware attacks can cripple entire hospitals, delaying care for thousands of patients. These attacks can have cascading effects, overwhelming nearby hospitals as they try to accommodate displaced patients.
• Supply Chain Disruption: In some cases, ransomware can disrupt the entire supply chain of healthcare organizations, affecting everything from medical equipment manufacturing to the distribution of life-saving medications and resources.Bottom of Form

Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) are critical for detecting and responding to malware and ransomware attacks like those involving MDeployer, MS4Killer, and other Rust-based ransomware variants. IOCs include file hashes, IP addresses, domain names, malicious URLs, processes, and behaviors that are commonly associated with the attack.

1. File-Based IOCs:

• Malicious File Hashes: These are the hashes (MD5, SHA1, SHA256) of malicious executables, payloads, or scripts used by the attackers.
  • MDeployer and MS4Killer loader files written in Rust could have distinct hashes for identification.
• Encrypted File Extensions: Ransomware often appends specific extensions to files after encryption. Some common extensions related to ransomware include .encrypted, .locked, or custom extensions depending on the ransomware family.
  • The Qilin ransomware might add a custom extension, specific to that variant.
• Ransom Notes: The presence of ransom notes (usually text files) left in affected directories. Common names include:
  • README.txt
  • RECOVER_FILES.html
  • DECRYPT_INSTRUCTIONS.txt

2. Network-Based IOCs:

• IP Addresses: Command-and-control (C2) server IP addresses that the malware communicates with.
  • For example, malicious loaders like MDeployer would connect to these C2 servers to receive further instructions or ransomware payloads.
• Domains/URLs: Malicious domains that distribute the ransomware or act as C2 servers.
  • Example: malicious-website.com/ransomware, attackersite.xyz
• TOR Addresses: Many ransomware variants, including Qilin, provide payment instructions via TOR hidden services (onion addresses). These addresses may look like http://ransomid.onion.

Typical Network IOC Examples:

• Outbound connections to known bad IPs or domains.
• Traffic to/from TOR nodes.
• Unusual spikes in traffic volume that coincide with encryption events.

3. Behavioral IOCs:

• Process Termination: Ransomware frequently kills processes related to security tools, backups, or database services.
  • MS4Killer: Expected to run indefinitely and may terminate services like Microsoft Security or Windows Defender.
  • Targeted services could include:
    • sqlservr.exe (SQL Server)
    • veeamservice.exe (Veeam Backup)
    • vmware.exe (VMware Virtualization)
• Log Clearing: Continuous clearing of Windows event logs (wevtutil cl Application) is a typical evasion tactic.
• File System Changes: Rapid and widespread changes to files (encryption), including attempts to delete or alter volume shadow copies (vssadmin delete shadows).
• Registry Changes: Ransomware may create or modify registry keys for persistence, such as adding itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

4. Email-Based IOCs:

• Phishing Emails: Ransomware campaigns often begin with phishing emails containing malicious attachments or links.
  • Malicious attachments could include:
    • ZIP files, DOCX files with macros, or PDFs that download malware.
    • Links to malicious websites.
• Email domains or addresses sending these phishing emails are key IOCs:
  • Examples: [email protected], [email protected].

5. System Changes and Artifacts:

• Persistence Mechanisms:
  • Files dropped into startup folders or scheduled tasks.
  • Modification of the Windows registry to enable persistence on reboot.
• Self-deletion: Some ransomware variants, including Qilin.B, delete themselves after execution to avoid post-attack analysis.
• Event Log Manipulation: Logs being cleared or tampered with to remove traces of malicious activity.

6. External Tools Used by Attackers:

• Cobalt Strike: Often used to establish footholds within a compromised network. If Cobalt Strike beacons or implants are detected, it’s a critical IOC of advanced ransomware deployment.
• PowerShell Scripts: Malicious scripts used to download and execute payloads.
  • Examples: Base64-encoded PowerShell commands or scripts that connect to external servers to download malware.

RECOMMENDATIONS:

1. Preventive Measures:

1. Patch Management:

• Regularly update and patch all software, operating systems, and firmware to protect against known vulnerabilities.
• Focus on critical security patches, especially for:
  • VPN appliances.
  • Microsoft Exchange Servers.
  • RDP (Remote Desktop Protocol).
• Leverage tools to automate patch management and verify that patches have been properly applied.

1. Endpoint Security:

• Deploy Endpoint Detection and Response (EDR) solutions that can identify malicious behaviors (e.g., encryption processes, command-and-control communications).
• Use antivirus/anti-malware software with real-time protection enabled across all devices.
• Regularly update signature databases for all security software.

1. Restrict Privileged Access:

• Limit administrative privileges to only those users and systems that absolutely require them. Use the principle of least privilege.
• Implement multifactor authentication (MFA) for all users, particularly for remote access and admin accounts.
• Monitor and audit privileged access to critical systems and services.

1. Network Segmentation:

• Segment networks so that critical infrastructure, such as backup servers, healthcare devices, and sensitive databases, is isolated from general user workstations.
• Restrict internal network traffic, allowing only authorized communication between segments to minimize lateral movement by attackers.

1. Disable Unnecessary Services:

• Disable or restrict Remote Desktop Protocol (RDP) on devices where it is not essential.
• Shut down unnecessary services and close unused network ports to reduce the attack surface.

2. Backup and Recovery:

1. Backup Strategy:

• Implement a 3-2-1 backup strategy:
  • Maintain three copies of your data.
  • Store the copies on two different media.
  • Keep one copy off-site and offline (air-gapped) to protect from ransomware targeting backup systems.
• Regularly test backups to ensure they can be restored properly and quickly.

1. Protect Backups:

• Ensure backups are protected from unauthorized access and ransomware by:
  • Disabling access to backup systems except for authorized personnel.
  • Ensuring backups are encrypted.
  • Storing backups on immutable storage that cannot be altered or deleted once written.
• Monitor for processes attempting to delete or modify volume shadow copies.

3. Monitoring and Detection:

1. Network Traffic Monitoring:

• Monitor network traffic for unusual patterns or connections to known malicious IPs or domains (e.g., command-and-control servers).
• Implement Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) that can detect ransomware communication channels or C2 traffic (e.g., TOR nodes).

1. Event Log Monitoring:

• Regularly review Windows Event Logs and set up alerts for suspicious activities, such as:
  • Cleared logs (wevtutil commands).
  • Failed login attempts.
  • Unusual process termination (e.g., termination of security and backup processes like sqlservr.exe or veeamservice.exe).
• Integrate event logging with SIEM (Security Information and Event Management) systems for continuous monitoring and faster incident response.

1. Behavioral Analytics:

• Use anomaly detection tools to spot unusual user or system behaviors, such as:
  • Rapid file modification indicative of encryption.
  • Sudden spikes in CPU or network usage related to ransomware operations.
• Set up alerts for suspicious PowerShell or script execution which may indicate ransomware or malware deployment.

4. User Awareness and Training:

1. Security Awareness Training:

• Regularly educate employees on:
  • Phishing attacks: Train users to recognize malicious emails and avoid clicking on suspicious links or downloading attachments.
  • Ransomware tactics: Teach them how ransomware spreads and what steps to take if they suspect an attack.
  • Password hygiene: Promote the use of strong, unique passwords and the importance of MFA.

1. Phishing Simulations:

• Conduct regular phishing simulations to assess the vulnerability of your organization to phishing-based attacks and improve user awareness.
• Provide immediate feedback and remediation steps for employees who fail phishing tests.

5. Incident Response and Containment:

1. Incident Response Plan:

• Develop and test an incident response plan specifically designed to handle ransomware attacks.
• Ensure it includes procedures for:
  • Identifying the ransomware strain.
  • Isolating infected machines from the network.
  • Engaging the incident response team and legal/PR teams.

1. Network Isolation:

• If an attack is detected, immediately isolate affected systems from the network to prevent the spread of ransomware to other machines.
• Disable network shares and restrict access to file systems.

1. Offline Systems:

• Keep critical systems offline whenever possible or have contingency plans in place to switch over to offline systems in the event of a ransomware attack.

1. Contact Law Enforcement:

• Report ransomware attacks to local law enforcement or national cybersecurity agencies like the FBI, CISA, or CERT to receive support and guidance.