Executive Summary
This report on Qilin ransomware provides an in-depth analysis of its recent activities and the ongoing investigations surrounding this threat. Qilin has emerged as a highly sophisticated ransomware operation, targeting organizations across various sectors and countries. Recent investigations have attributed significant data breaches and financial losses to Qilin, prompting urgent responses from cybersecurity agencies worldwide. The report also examines the technical aspects of the ransomware, such as its encryption methods and command-and-control infrastructure, and provides recommendations for mitigation and prevention.
Introduction to Qilin
The Qilin ransomware group (aka Agenda ransomware, Agenda Crypt) has been active since 2022 and is written in the Golang programming language. It gained significant attention in June 2024 following its attack on Synnovis, a UK-based healthcare service provider. Qilin is notorious for its aggressive "double extortion" tactics, where it steals and encrypts victim data, then demands a ransom for decryption while threatening to disclose or sell the stolen information if the ransom is not paid.
Technical Analysis
Agenda ransomware is a 64-bit Windows PE file written in Go, leveraging the language's cross-platform capabilities. This allows the malware to run as a self-contained executable, without requiring a Go runtime on the infected system. The ransomware's functionality is defined through command-line arguments, providing flexibility in its operations.
This ransomware establishes a runtime configuration to define its behavior, including encryption parameters, targeted processes, and ransom note content. The malware checks whether it is running in safe mode (to avoid executing in compromised environments) by looking for the string "safe boot" in the data of the following registry value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SystemStartOptions
To hinder recovery efforts, Agenda deletes shadow volume copies by executing vssadmin.exe delete shadows /all /quiet, and terminates specific processes, including antivirus-related services.
Detection evasion
Agenda ransomware employs a detection evasion technique by modifying the default user's password and enabling automatic login. This action is triggered by the "-safe" command-line argument. The ransomware reboots the victim's machine into safe mode to execute its encryption routine using:
C:\windows\system32\bcdedit.exe /set {current} safeboot network
After completion, Agenda reboots the machine back into normal mode using:
C:\Windows\System32\bcdedit.exe /set safeboot network
bcdedit /deletevalue {default} safeboot
To identify the default user, Agenda enumerates local users, then modifies the password and enables automatic login for the selected account.
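The shadow-copy deletion and the safeboot BCD changes described above are a sequence that process-creation telemetry can flag. The following is an added detection example, not code from the report or from Qilin: it runs regex rules over constructed Sysmon-style events (hypothetical hostnames and parent images) and flags a host only when the shadow deletion and a safeboot change occur together.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style, not real
# telemetry: (host, parent image, command line). Hostnames are hypothetical.
SAMPLE_EVENTS = [
    ("WS01", r"C:\Windows\explorer.exe", r"notepad.exe C:\Users\a\notes.txt"),
    ("WS01", r"C:\Users\Public\agent.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("WS01", r"C:\Users\Public\agent.exe",
     r"C:\windows\system32\bcdedit.exe /set {current} safeboot network"),
    ("WS02", r"C:\Windows\System32\cmd.exe", "bcdedit /deletevalue {default} safeboot"),
    ("WS03", r"C:\Windows\System32\services.exe", "vssadmin.exe list shadows"),
]

# Command-line patterns taken from the behaviours described in the report.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "safeboot_set": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\bsafeboot\b", re.I),
    "safeboot_cleared": re.compile(r"\bbcdedit(?:\.exe)?\s+/deletevalue\b.*\bsafeboot\b", re.I),
}


def match_event(cmdline):
    """Names of the rules that fire on a single command line, in rule order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def rules_per_host(events):
    """Aggregate rule hits per host so the sequence, not one command, is scored."""
    hits = {}
    for host, _parent, cmd in events:
        for name in match_event(cmd):
            hits.setdefault(host, set()).add(name)
    return hits


def flagged_hosts(events):
    """Hosts showing shadow-copy deletion together with a safeboot BCD change."""
    hits = rules_per_host(events)
    return sorted(
        host for host, names in hits.items()
        if "shadow_copy_deletion" in names
        and names & {"safeboot_set", "safeboot_cleared"}
    )


if __name__ == "__main__":
    for host, names in sorted(rules_per_host(SAMPLE_EVENTS).items()):
        print(host, sorted(names))
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

A lone "vssadmin list shadows" or a single safeboot edit by an administrator is reported per host but not flagged, which keeps the rule usable as a correlation search rather than a noisy single-event alert.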
Account Impersonation
Agenda ransomware leverages stolen credentials to execute the malicious binary. By parsing the runtime configuration, Agenda extracts username, domain, and password information. The ransomware then attempts to log in to the local computer using the LogonUserW API. A randomly generated port number is used in conjunction with the CreateProcessAsUserW API and the "-alter" command-line argument to execute the ransomware.
Encryption
Agenda ransomware employs AES-256 encryption for files and RSA-2048 for key encryption. The malware generates a random key and initialization vector using rand_read() and then encrypts files using AES-256.
The generated key is subsequently encrypted with RSA-2048 using the embedded public key. Encrypted files are renamed with a company-specific extension, and a ransom note is placed in each directory.
Ransomware Execution
Agenda ransomware drops a malicious DLL named pwndll.dll in the Public folder. This DLL, disguised as WICloader.dll, is a C-based malware component that is injected into svchost.exe to ensure persistent execution of the ransomware binary.
Recent Attack Pattern
Recent investigations revealed that Qilin ransomware gained initial access to the target environment by exploiting compromised credentials. The lack of multi-factor authentication (MFA) on the VPN portal enabled the attackers to bypass security measures and infiltrate the network. The attackers persisted within the network for eighteen days before escalating their activities. This delay might indicate the involvement of an Initial Access Broker (IAB). Following this period, the attackers moved laterally to a domain controller, using compromised credentials to gain further access and control.
Upon accessing the domain controller, the attacker modified the default domain policy to implement a logon-based Group Policy Object (GPO) with two components. The first component was a PowerShell script named “IPScanner.ps1”, placed in a temporary directory within the SYSVOL (SYStem VOLume) share—a shared NTFS directory on each domain controller in an Active Directory domain.
The second component was a batch script named “logon.bat”, which contained the commands to execute the first script. The combination of these scripts facilitated the harvesting of credentials stored in Chrome browsers across all machines connected to the network. Configured through a logon-based Group Policy Object (GPO), these scripts were executed on each client machine whenever a user logged in.
Exploitation
Upon each user login on an endpoint, the logon.bat script executed the IPScanner.ps1 script, resulting in the creation of an SQLite database file (LD) and a text file (temp.log). These files were saved to a newly created directory on the domain's SYSVOL share, named after the hostname of the device on which they were executed.
The attacker left the Group Policy Object (GPO) active on the network for more than three days. This allowed for widespread credential harvesting as unsuspecting users logged into their devices, unknowingly triggering the malicious script. Because the script was configured through a logon GPO, it executed each time a user logged in, continually harvesting credentials.
To evade detection, the attackers deleted the stolen credential files and cleared event logs on both the domain controller and infected machines. This proactive step aimed to cover their tracks and prevent the discovery of their malicious activities. Following this, the attackers executed a ransomware attack, encrypting files and leaving a ransom note in every directory on the compromised devices.
Qilin ransomware utilized Group Policy Objects (GPOs) to deploy and execute malicious code. A scheduled task was configured to execute the 'run.bat' batch file, which downloaded and executed the ransomware payload. This tactic allowed the ransomware to propagate throughout the network.
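Because the harvesting scripts and their output lived on SYSVOL, a defender can hunt for them with a file listing from a domain controller. The following is an added example, not code from the report: it scans a constructed SYSVOL listing (hypothetical domain, hostnames and paths) for the script names and the hostname-named directories containing LD and temp.log described above.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed SYSVOL file listing as it might be collected from a domain
# controller; not real data. Domain and hostnames are hypothetical.
KNOWN_HOSTS = {"WS01", "WS02", "FS01"}
SAMPLE_LISTING = [
    r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\logon.bat",
    r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\temp\IPScanner.ps1",
    r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\WS01\LD",
    r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\WS01\temp.log",
    r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\WS02\LD",
    r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\login_banner.txt",
    r"C:\Users\bob\AppData\Local\Temp\temp.log",  # outside SYSVOL: ignored
]

# File names taken from the report's description of the GPO-based harvesting.
SUSPECT_SCRIPTS = {"ipscanner.ps1", "logon.bat", "run.bat"}
HARVEST_ARTIFACTS = {"ld", "temp.log"}


def in_sysvol(path):
    """True when any path component is the SYSVOL share or folder."""
    return any(part.lower() == "sysvol" for part in path.parts)


def hunt_sysvol(listing, known_hosts):
    """Return suspect script paths and, per hostname-named directory,
    the harvest artifacts found inside it."""
    scripts = []
    per_host = defaultdict(set)
    hosts_upper = {h.upper() for h in known_hosts}
    for raw in listing:
        path = PureWindowsPath(raw)
        if not in_sysvol(path):
            continue
        name = path.name.lower()
        if name in SUSPECT_SCRIPTS:
            scripts.append(raw)
        elif name in HARVEST_ARTIFACTS and path.parent.name.upper() in hosts_upper:
            per_host[path.parent.name.upper()].add(name)
    return {"scripts": scripts, "harvest_dirs": dict(per_host)}


if __name__ == "__main__":
    result = hunt_sysvol(SAMPLE_LISTING, KNOWN_HOSTS)
    print("suspect scripts:", result["scripts"])
    print("harvest directories:", result["harvest_dirs"])
```

Each hostname that appears in the output is a machine whose users logged in while the GPO was active, which gives the scope for the password resets discussed under Impact.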
Targeted Countries: United States, United Kingdom, Canada, Australia, Brazil, Argentina, South Africa and Japan.
Targeted Industries: Healthcare, Education, Public Administration and Automotive industries.
TTPs
Table of the tactics and techniques employed by Qilin ransomware:
Impact
This discovery marks a significant shift in Qilin's tactics, as it now targets credentials stored in Google Chrome, which holds approximately 65% of the browser market. This attack vector could have far-reaching consequences, allowing attackers to gain access to sensitive information such as financial accounts, emails, cloud storage and business applications through compromised credentials.
The compromise of Google Chrome credentials could have significant consequences. Defenders would need to force a password reset for both Active Directory and numerous third-party accounts. However, enforcing such a widespread password reset would be challenging, as it relies on user cooperation.
Detection and Mitigation
It is crucial for businesses to take immediate and concrete measures to secure their critical operations and data. Recommended steps:
- Implement multi-factor authentication (MFA) and credential-based access controls to protect critical assets and high-risk users.
- Maintain regular data backups; they are essential for business continuity.
- Invest in advanced, AI-powered malware detection solutions that identify intrusions in real time.
- Implement a regular patch management process to ensure timely application of security updates.
- Conduct regular training programs and security drills so employees can recognize and report early signs of cybercrime, such as phishing emails.
Conclusion
The evolving tactics employed by ransomware groups, such as Qilin's targeting of endpoint-stored credentials, highlight the increasing sophistication of cyber threats. This trend underscores the need for organizations to adopt comprehensive security measures, including robust password management and multi-factor authentication, to protect against data breaches and unauthorized access. The potential consequences of compromised credentials, including the ability to target additional systems or access sensitive information, emphasize the urgency of addressing this growing threat.
Sources Cited
- https://news.sophos.com/en-us/2024/08/22/qilin-ransomware-caught-stealing-credentials-stored-in-google-chrome
- https://hackread.com/qilin-ransomware-steals-google-chrome-credentials
- https://www.forbes.com/sites/daveywinder/2024/08/25/ransomware-gang-targets-google-chrome-users-in-surprise-new-threat-twist
- https://thehackernews.com/2024/08/new-qilin-ransomware-attack-uses-vpn.html
- https://www.bleepingcomputer.com/news/security/qilin-ransomware-now-steals-credentials-from-chrome-browsers
- https://www.androidheadlines.com/2024/08/qilin-ransomware-group-credentials-google-chrome.html
- https://www.technewsed.net.ng/2024/08/26/qilin-ransomware-now-steals-credentials-from-chrome-browsers
- https://socradar.io/dark-web-profile-qilin-agenda-ransomware
- https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html
- https://www.group-ib.com/blog/qilin-ransomware
- https://explore.avertium.com/resource/qilin-ransomware
- https://www.sentinelone.com/anthology/agenda-qilin