Analysis of Cyber Security Threat Trends in the Last Six Months of 2023

Morgan Phisher July 13, 2024

Hey Bay Area folks! I’ve noticed a hot topic in cybersecurity discussions – a notorious little piece of software called Qilin ransomware, named after a mythological Chinese creature. This program has been causing quite a stir, especially after it hit Synnovis, a UK-based medical laboratory company, disrupting patient services at numerous hospitals.

So who’s behind this? As it turns out, a group going by the same name, Qilin, began leaking data from its first known victim back in October 2022. Since then, cybersecurity pros have been dealing with the fallout, and have tied three probable cases to the Qilin group.

Here’s where it gets interesting – the Qilin group operates as a Ransomware-as-a-Service (RaaS), meaning they essentially run a cybercrime-for-hire kind of operation. Their strategy involves threatening to publish stolen data unless a ransom payment is made. Pretty sneaky, right?

Written in both Go and Rust, the Qilin ransomware runs across a range of operating systems. And the scariest part? The Qilin group can customize it! They can tweak it to target specific files, extensions, and directories, and even dictate the speed of encryption.

Much of the world first became aware of Qilin in August 2022, when analysts at the cybersecurity firm Trend Micro unearthed samples of the ransomware. At that time the group was still calling the program “Agenda.”

Qilin’s RaaS program offers a tempting payment structure to its affiliates, who allegedly can earn up to 85% of ransom payments. That’s almost enough to want to switch sides. (Kidding, of course.) What’s clear is that the lucrative payment structure makes Qilin quite an attractive operation.

The Qilin group’s hit list spans the globe and a wide range of industries, including critical sectors such as healthcare and energy. These targets reflect the decisions of the group’s affiliates more than those of the Qilin operators themselves.

An important thing to note here is that each affiliate using Qilin ransomware has its own approach, meaning the tactics, the indicators, and even the initial infection methods may vary greatly. Typically, these bad actors either send spear phishing emails or exploit exposed software applications or interfaces.

Despite the damage Qilin has been causing, the cybersecurity community is pushing back. Notably, technologies like Darktrace’s anomaly-based system can detect and counter such ransomware attacks by identifying deviations from a device’s ‘learned’ pattern of behavior while an attack is under way.
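To make the “learned pattern of behavior” idea concrete, here is an added example (not Darktrace’s code, and not tied to any real product) that learns a per-device baseline of file-write and extension-change rates from constructed sample telemetry, then flags minutes that deviate from it. The record layout, device names and counts are all assumptions made up for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real data): one record per device per
# one-minute bucket: (device, bucket, files_written, extension_changes).
BASELINE_EVENTS = [("ws-01", i, w, e) for i, (w, e) in enumerate(
    [(12, 0), (9, 1), (15, 0), (11, 0), (8, 0), (14, 1), (10, 0), (13, 0)])]
OBSERVED_EVENTS = [
    ("ws-01", 100, 14, 0),     # ordinary user activity
    ("ws-01", 101, 640, 512),  # burst of writes plus mass extension changes
    ("ws-02", 101, 20, 0),     # device never seen during learning
]
METRICS = ("files_written", "extension_changes")

def learn_baseline(events):
    """Learn per-device mean and standard deviation for each metric."""
    per_device = defaultdict(lambda: defaultdict(list))
    for device, _bucket, writes, ext_changes in events:
        per_device[device]["files_written"].append(writes)
        per_device[device]["extension_changes"].append(ext_changes)
    return {device: {m: (mean(v), pstdev(v)) for m, v in series.items()}
            for device, series in per_device.items()}

def score_event(baseline, event, k=3.0):
    """Return the metrics that exceed the device's learned mean by more than
    k standard deviations; a device with no baseline is reported as such
    rather than silently ignored."""
    device, _bucket, writes, ext_changes = event
    if device not in baseline:
        return ["no_baseline"]
    values = {"files_written": writes, "extension_changes": ext_changes}
    reasons = []
    for metric in METRICS:
        mu, sigma = baseline[device][metric]
        # floor sigma at 1 so a near-constant metric does not alert on noise
        if values[metric] > mu + k * max(sigma, 1.0):
            reasons.append(metric)
    return reasons

def detect(baseline, events, k=3.0):
    """Return (device, bucket, reasons) for every event that deviates."""
    alerts = []
    for event in events:
        reasons = score_event(baseline, event, k)
        if reasons:
            alerts.append((event[0], event[1], reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE_EVENTS), OBSERVED_EVENTS):
        print(alert)
```

In real deployments the baseline is learned from much longer windows and many more signals, but the shape is the same: model what is normal for each device, then alert on the departure rather than on a known signature.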

Remember, the world of cybersecurity is indeed a game of cat and mouse. Professionals are always on the lookout, developing and fine-tuning defensive systems, while groups like Qilin continuously evolve, trying to stay a step ahead. Yet, as we band together to champion safety and security, we can outsmart these hidden threats and keep our communities protected.

by Morgan Phisher | HEAL Security