Affiliates Take Home 85% of Ransom Payouts

May 16, 2023 | Ravi Lakshmanan | Cyber Crime / Ransomware


Ransomware affiliates involved in Qilin ransomware-as-a-service (RaaS) schemes earn between 80% and 85% of each ransom payment, according to new findings from Group-IB.

The cybersecurity firm was able to infiltrate the group in March 2023 and, after private conversations with Qilin’s recruiter, who operates online under the alias Haise, uncovered details of the operation’s inner workings, including its payment structure and the structure of its RaaS affiliate program.

“Many Qilin ransomware attacks are customized for each victim to maximize their impact,” the Singapore-based company said in a comprehensive report. “To do this, attackers can employ tactics such as changing the filename extension of encrypted files or terminating certain processes or services.”

Qilin, also known as Agenda, was first documented by Trend Micro in August 2022 and started as Go-based ransomware, switching to Rust in December 2022.


The adoption of Rust is significant not only for its detection-evasion capabilities, but also because it allows the threat actors to target Windows, Linux, and VMware ESXi servers.

Attacks launched by the group have used phishing emails with malicious links as a means of gaining initial access, after which sensitive data is encrypted and also exfiltrated as part of a double extortion model.


Between July 2022 and May 2023, data from up to 12 companies were posted to Qilin’s data breach portal on the dark web.

Victims primarily span the critical infrastructure, education and healthcare sectors, and are concentrated in Australia, Brazil, Canada, Colombia, France, Japan, the Netherlands, Serbia, the United Kingdom and the United States.

According to Group-IB, Qilin’s operators identify targets of interest and assign them to affiliates recruited to carry out the attacks, and they provide those affiliates with an administrative panel to effectively oversee the various parts of their operations.

“The Qilin ransomware group has an affiliate panel with sections such as Targets, Blogs, Stuffers, News, Payments, and FAQs to manage and coordinate its network of affiliates,” said security researcher Nikolay Kichatov.

  • Targets – Section to configure the ransom note; the files, directories, and extensions to skip; the extensions to encrypt; the processes to terminate; the encryption mode; and so on
  • Blogs – Section for creating blog posts with information about attacked companies whose affiliates have not paid the ransom
  • Stuffers – Section for threat actors to create accounts for other members of their team and manage their permissions
  • News – Section to post updates related to the ransomware partnership (currently blank)
  • Payments – Section with transaction details, affiliate wallet balances, and an option to withdraw illicit earnings
  • FAQs – Section featuring support and documentation detailing how to use the ransomware

“Qilin ransomware gained notoriety by targeting companies in critical sectors, but it is a threat to organizations in all industries,” said Kichatov.

“Furthermore, the ransomware operator’s affiliate program is not only adding new members to its network, but weaponizing them with upgraded tools, technology and even service offerings.”
