Thursday, 18 May 2023 09:02

Inside a Ransomware as a Service Operation Shows How Simple and Profitable This can Be


As part of our ongoing (really never ending) series on modern ransomware, we are taking a look at a recent study of one Ransomware as a Service operation. In this case the subject is the Qilin scheme, which was brought to light by Group-IB. The firm was able to infiltrate the group through a conversation with a recruiter (nothing like being invited in). Group-IB started its inside look in March of 2023, and what it found was eye opening. It shows that RaaS clearly pays well and that services like this make things easy and profitable for people who want in on the “fun” but lack the skill set or infrastructure to do it on their own.

Qilin was discovered in mid-2022 by Trend Micro, when it was using a Golang-based payload, before switching to Rust at the end of 2022 (new year, new me). With the dawning of 2023 the organization also appeared to have expanded its target base to Linux and ESXi. VMware became a rather fun target after IABs (initial access brokers) found Log4J embedded so deeply in some of the control systems that its vulnerability was almost impossible to mitigate. The ability to reach ESXi hosts via a compromised VMware control server was just too good to pass up, and Qilin appears to have followed the rest of the threat landscape in that direction. Qilin’s typical means of initial access is phishing email.

The use of recruiters to grow their affiliate program, while not unheard of, is a bit different from what other RaaS groups have been seen to do. Qilin uses its affiliates to identify targets and stage the various attacks. The admin panel appears to be set up like a regular cloud-based service. There are sections for Targets (your current victims), a Blog area (like a community section), Stuffers (users and roles), News (general news on the state of the service), Payments (accounts receivable), and even an FAQ section. Affiliates get their own admin panel so they can manage and monitor operations. As you might expect, Qilin’s targets have been varied, given that affiliates pick them rather than the group selecting targets on its own.

Qilin is an attractive service because the operators have put in the legwork to make things easy for their affiliates to use. They also offer as much as 85% of the ransom paid to their affiliates. The lure of good money and ease of use, combined with active recruiting efforts, is sure to expand their reach. As we have said before and will say over and over and over again: ransomware is not slowing down. It might have taken a bit of a pause, but it is ramping back up with new tactics, services, and increased exposure risk from data theft and disclosure. Looks like it is time to assess your exposure to ransomware and fix the pieces that might be broken and/or missing.
