Qilin Ransomware: What You Need To Know

What is Qilin?

Qilin (also known as Agenda) is a ransomware-as-a-service criminal operation that works with affiliates, encrypting and exfiltrating the data of hacked organisations and then demanding a ransom be paid.

Qilin seems like a strange name. Where does it come from?

The Qilin is a creature from Chinese mythology that combines the features of a dragon and a horned beast. Sometimes, it is compared to a unicorn.

So the Qilin ransomware comes from China?

Err, no. Sorry. The group behind the Qilin ransomware operation appears to be linked to Russia.

Hmmph. So how long has the Qilin ransomware been operating?

Qilin first posted about a victim on its darknet leak site in October 2022 and has increased its activities since then. Victims have included street newspaper The Big Issue, automotive parts giant Yanfeng and the Australian court service.

So why is Qilin in the news now?

At the beginning of June 2024, a “critical incident” was declared and operations cancelled at several London hospitals following a ransomware attack against Synnovis, a pathology services provider that handles blood testing and transfusion for the hospitals. Qilin subsequently announced on its dark web leak site that it would release data stolen during the attack.

Nasty. Presumably they are trying to extort a hefty ransom from the company?

Well, here is where things get a little confusing. It has been reported that Qilin is demanding an eye-watering US $50 million (approximately £40 million) from Synnovis for the tools to decrypt its systems and the promise not to publish its data. And yet, in a series of media interviews, the Qilin ransomware gang has claimed that its attack against the hospitals was not financially-motivated at all, but instead part of a protest against the British government’s involvement in an unspecified war.

Is that really likely?

I find it hard to believe. The Qilin ransomware group has never claimed political motivations for its actions in the past, and history has shown that it has no qualms about hitting all kinds of businesses, schools, hospitals and healthcare organisations. A US $50 million ransom demand is sized to the scale of disruption that the hospitals and their patients are facing; it makes no sense if the gang is serious about the political agenda it now claims.

It does seem that healthcare organisations and hospitals get hit by ransomware a lot. Why is that?

Public healthcare providers typically have the dangerous cocktail of complex IT systems mixed with limited budgets. In addition, there is a huge difference between a company hit by ransomware being unable to manufacture widgets for a few days and a hospital being unable to treat patients with cancer. Ransomware groups are therefore likely to view hospitals and associated organisations as a “soft target” from which they hope it will be easier to extort money, because the pressure to restore services quickly is so high.

So, what should my company do about Qilin?

You would be wise to follow our recommendations on how to protect your organisation from ransomware. Those include:

  • making secure, offsite backups that are kept offline or otherwise out of reach of an attacker who has compromised your network, and regularly testing that you can restore from them.
  • running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • restricting an attacker’s ability to spread laterally through your organisation via network segmentation.
  • using hard-to-crack, unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication, particularly on remote access and administrative accounts.
  • encrypting sensitive data wherever possible, so that stolen data is less useful for extortion.
  • reducing the attack surface by disabling functionality and exposed services that your company does not need.
  • educating and informing staff about the risks and the methods used by cybercriminals to launch attacks and steal data.

Stay safe, and don’t allow your organisation to be the next victim to fall foul of the Qilin ransomware group.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.
