Qilin Ransomware Operation Outfits Affiliates With Sleek, Turnkey Cyberattacks

Researchers infiltrate a ransomware operation and discover slick services behind Qilin's Rust-based malware variant.

Dark Reading Staff, Dark Reading

May 16, 2023

2 Min Read
ransomware concept image of crime scene tape wrapped around a computer terminal
Source: Andreas Prott via Alamy

Ransomware-as-a-service (RaaS) operation Qilin has been arming its affiliates with malware and supporting services to target education, healthcare, and other critical sectors of the worldwide economy, paying out an industry-leading 80% to 85% of takings to the partners.

Researchers from Group-IB were able to infiltrate the Qilin operation in March, and what they found was a one-stop shop for aspiring cybercriminals to get their hands on advanced, customizable ransomware, a defined payment structure, and encryption services to support double-extortion operations (i.e., demanding money to decrypt the data, as well as an additional fee not to release the data on a Wark Web leak site).

Ransomware attacks backed by Qilin operators typically begin with a phishing email, the Group-IB team observed. The Qilin ransomware variant itself has evolved from its July 2022 roots, initially written in Go programming language (Golang) while its current iteration is written in Rust. That makes it difficult to detect and simple to customize for each campaign, Group-IB said in its report on the RaaS operation.

"Having infiltrated Qilin, Group-IB Threat Intelligence researchers were able to analyze the inner workings of the affiliate program and all sections of Qilin's admin panel," the Group-IB report said.

The Qilin RaaS team provides information on everything from intelligence on targets, customizable buildable malware, and even ransomware note templates, the Group-IB team found.

The researchers warn that RaaS operator Qilin is actively recruiting new affiliates and improving its tools and operations, making it an important emerging ransomware threat to keep an eye on.

"Although Qilin ransomware gained notoriety for targeting critical sector companies, they are a threat to organizations across all verticals," the Group-IB report warned. "Moreover, the ransomware operator’s affiliate program is not only adding new members to its network, but it is weaponizing them with upgraded tools, techniques, and even service delivery."

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights