New Qilin.B Ransomware Variant Emerges with Improved Encryption and Evasion Tactics
- November 4, 2024
- Posted by: claudia
Cybersecurity researchers have identified a new version of the Qilin ransomware, dubbed Qilin.B, which exhibits increased sophistication and improved evasion tactics. This variant uses AES-256-CTR encryption on systems whose CPUs support AES-NI and falls back to ChaCha20 on systems without that support. It also wraps the per-file encryption keys with RSA-4096 using OAEP padding, which makes file decryption infeasible without the attacker's private key or captured seed values.
Qilin ransomware, also known as Agenda, first gained attention in mid-2022 and was later rewritten from Golang to Rust. A May 2023 report, produced after researchers infiltrated the group, described its ransomware-as-a-service (RaaS) model, under which affiliates retain 80% to 85% of ransom payments. Recent attacks attributed to Qilin have also harvested credentials stored in Google Chrome, marking a shift from the traditional double-extortion playbook.
Halcyon's analysis of Qilin.B samples reveals enhancements over earlier versions, including improved encryption and stronger operational-security measures. To evade detection, the ransomware terminates security-service processes, repeatedly clears Windows Event Logs, and deletes its own binary after execution. It also actively disrupts backup and virtualization operations, terminating processes associated with software such as Veeam, SQL Server, and SAP, and deletes volume shadow copies, which complicates recovery for victims.
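The behaviours Halcyon describes (repeated event-log clearing and shadow-copy deletion) leave a recognisable trail in Windows telemetry. The following detection logic is an added example, not code from the article or from Halcyon; it runs over constructed sample events shaped like Security 1102 / System 104 log-clear records and Sysmon process-creation records, flattened to dictionaries so it runs offline.

```python
import re

# Constructed sample events (not taken from the article). Timestamps are
# seconds; fields mimic Windows Security 1102 ("audit log was cleared"),
# System 104 ("log file was cleared") and Sysmon EventID 1 (process create).
SAMPLE_EVENTS = [
    {"ts": 100, "host": "srv01", "channel": "Security", "event_id": 1102},
    {"ts": 130, "host": "srv01", "channel": "System", "event_id": 104},
    {"ts": 160, "host": "srv01", "channel": "Security", "event_id": 1102},
    {"ts": 170, "host": "srv01", "channel": "Sysmon", "event_id": 1,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 180, "host": "srv01", "channel": "Sysmon", "event_id": 1,
     "cmdline": "wmic shadowcopy delete"},
    # Benign host: one log clear and a read-only vssadmin query.
    {"ts": 5000, "host": "ws07", "channel": "Security", "event_id": 1102},
    {"ts": 5100, "host": "ws07", "channel": "Sysmon", "event_id": 1,
     "cmdline": "vssadmin.exe list shadows"},
]

LOG_CLEAR_IDS = {1102, 104}
# Well-known shadow-copy / backup-catalog removal commands.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog)", re.I)


def detect(events, window=600, min_clears=2):
    """Return {host: [alert strings]} for hosts showing ransomware-like
    anti-recovery behaviour: >= min_clears log clears within `window`
    seconds (the "continuous clearing" pattern) or shadow-copy deletion."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    alerts = {}
    for host, evs in by_host.items():
        found = []
        clears = [e["ts"] for e in evs if e["event_id"] in LOG_CLEAR_IDS]
        for i, t in enumerate(clears):  # sliding window over clear events
            n = sum(1 for u in clears[i:] if u - t <= window)
            if n >= min_clears:
                found.append(f"repeated_log_clear:{n}_in_{window}s")
                break
        for e in evs:
            cmd = e.get("cmdline", "")
            if SHADOW_DELETE.search(cmd):
                found.append(f"shadow_copy_deletion:{cmd}")
        if found:
            alerts[host] = found
    return alerts
```

A single log clear or a read-only `vssadmin list shadows` does not fire, which keeps routine administration out of the alert stream.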
Halcyon describes Qilin.B as a particularly dangerous ransomware variant because it combines advanced encryption, effective evasion tactics, and persistent interference with backup systems. This evolution underscores the ongoing threat and adaptive nature of such operations in the current cybercrime landscape.
Additionally, researchers uncovered a Rust-based toolset utilized by the newly discovered Embargo ransomware. This variant employs the Bring Your Own Vulnerable Driver (BYOVD) technique to neutralize endpoint detection and response (EDR) solutions on compromised hosts before executing the ransomware. The malicious loader responsible for deploying Embargo is called MDeployer, which is essential for executing the attack and initiating file encryption processes.
The MS4Killer tool, developed to incapacitate EDR solutions, is expected to operate continuously, further enhancing the threat posed by Embargo ransomware. Both the loading mechanism and the ransomware payload are written in Rust, underscoring the language’s increasing prominence among cybercriminals.
The impact of ransomware has been particularly severe in the healthcare sector, evidenced by data from Microsoft indicating that 389 U.S. healthcare institutions have experienced such attacks within the current fiscal year, resulting in financial losses of up to $900,000 daily due to system downtime. Notable ransomware groups targeting healthcare facilities include Lace Tempest, Sangria Tempest, Cadenza Tempest, and Vanilla Tempest.
Among 99 healthcare organizations that disclosed ransom payments, the median payment was reported at $1.5 million, while the average payment stood at $4.4 million. This underscores the financial burden on institutions affected by ransomware and the ongoing challenges the healthcare sector faces in safeguarding sensitive data amid increasing cyber threats.
Ultimately, the continual evolution of ransomware like Qilin.B and Embargo illustrates the persistent and adaptive nature of the cybercrime threat landscape, necessitating ongoing vigilance and advanced security measures to protect sensitive data and system integrity.