1 min

Group-IB has infiltrated RaaS Qilin

Cybersecurity firm details all the dirty little secrets of the ransomware gang specializing in critical targets

Cybercrime - June 28, 2023

On May 15, 2023, Group-IB published an account of its infiltration of Qilin, a ransomware gang with affiliates, operating on a Ransomware-as-a-Service (RaaS) model. In March 2023, Group-IB experts gained access to Qilin’s management board, which enables each affiliate to visualize the stages of their attack. Mirroring a legitimate website, the cybercriminal group’s site features a FAQ, with support, documentation, and recommendations on strategies to be followed.

Beyond this, the infiltration determined that Qilin had claimed twelve victims, most in critical sectors, between July 2022 and March 2023. These victims came from Canada, the USA, Colombia, France, the Netherlands, Serbia, the UK, and Japan. Group-IB also discovered that the ransomware gang prohibits its affiliates from attacking Russian or Eastern European targets.

Operationally, Qilin uses ransomware based on the Rust programming language, like other larger ransomware gangs (Hive, BlackCat, Luna…). Group-IB notes that Rust is gaining in popularity among cybercriminals because “it is more difficult to analyze and its detection rate by antivirus engines is lower”.

According to the report, Qilin most often customizes its attacks, “in order to maximize their impact“. The gang practices double extortion and has several encryption modes at its disposal. Qilin charges a commission of 20% on ransoms under $3 million, and 15% on ransoms above that – figures that are in line with the industry average. Qilin is said to be in the midst of a recruitment campaign, promoting its ransomware on the dark web.

Send this to a friend