Qilin was discovered in mid-2022 by Trend Micro, when it was using a Golang-based payload before switching to Rust at the end of 2022 (new year, new me). With the dawn of 2023 the group also appeared to have expanded its target base to Linux and ESXi. VMware became a rather fun target after IABs (initial access brokers) found Log4J embedded so deeply in some of the control systems that its vulnerability was almost impossible to mitigate. The ability to reach ESXi hosts via a compromised VMware control server was just too good to pass up, and Qilin appears to have followed the rest of the threat landscape in that direction. Qilin's typical means of insertion is phishing email for initial access.
The use of recruiters to grow their affiliate program, while not unheard of, is a bit different from what other RaaS groups have been seen to do. They (Qilin) use their affiliates to identify targets and stage the various attacks. The admin panel appears to be set up like a regular cloud-based service. There are sections for targets (your current services), a blog area (like a community section), Stuffers (users and roles), News (general news on the state of the service), Payments (accounts receivable), and even an FAQ section. Affiliates get their own admin panel so they can manage and monitor operations. As you might expect, Qilin's targets have been varied, given the use of affiliates as opposed to the group selecting and targeting victims on their own.
Qilin is an attractive service because the group has put in the legwork to make things easy for its affiliates to use. They also offer as much as 85% of the ransom paid to their affiliates. The lure of good money and ease of use, combined with active recruiting efforts, is sure to expand their reach. As we have said before and will say over and over and over again: ransomware is not slowing down. It might have taken a bit of a pause, but it is ramping back up with new tactics, new services, and increased exposure risk from data theft and disclosure. It looks like it is time to assess your exposure to ransomware and fix the pieces that might be broken and/or missing.