Qilin.B Ransomware Emerges with Enhanced Evasion and Encryption
Researchers at Halcyon have uncovered a new variant of the Qilin ransomware, designated Qilin.B, which employs enhanced techniques to evade security defenses. This version uses AES-256-CTR encryption on AES-NI-capable systems and retains ChaCha20 for the rest. RSA-4096 keys with OAEP padding are also employed, so decryption is impossible without the attacker’s private key.
The earliest iterations of Qilin, also known as Agenda, emerged in July-August 2022. Originally written in Golang, the ransomware later transitioned to Rust. Since May 2023, Qilin has operated under a Ransomware-as-a-Service (RaaS) model, enabling affiliates to receive up to 85% of the ransom amount.
The new Qilin.B variant departs from traditional double-extortion attacks: rather than resorting to conventional blackmail, it targets data theft from Google Chrome browsers on compromised systems. Other advancements include more sophisticated encryption methods and the termination of security-related services.
Qilin.B also terminates processes related to backup and virtualization, such as Veeam and SAP, greatly complicating data recovery efforts. The program automatically clears Windows logs and deletes itself, reducing the risk of detection.
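The two behaviours described above, killing backup and virtualization processes and then clearing Windows event logs, leave a detectable sequence in host telemetry. The following is an added example written for this article, not code from Halcyon or from the ransomware analysis; it correlates those two signals per host over a short time window. The sample events are constructed JSON lines, and the Veeam/SAP name patterns and the 10-minute window are assumptions a defender would tune to their own environment. The event IDs used (Sysmon 5, System 7036, Security 1102, System 104) are real Windows identifiers.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry in JSON-lines form; these are not real logs.
# Event IDs used are real Windows/Sysmon identifiers:
#   Sysmon 5      - process terminated (Microsoft-Windows-Sysmon/Operational)
#   System 7036   - a service entered the running/stopped state
#   Security 1102 - the audit log was cleared
#   System 104    - an event log was cleared
SAMPLE_EVENTS = r"""
{"ts": "2024-10-24T03:14:01Z", "host": "FS01", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 5, "image": "C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Service.exe"}
{"ts": "2024-10-24T03:14:02Z", "host": "FS01", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 5, "image": "C:\\Program Files\\Veeam\\Backup and Replication\\Backup Catalog\\Veeam.Backup.CatalogDataService.exe"}
{"ts": "2024-10-24T03:14:03Z", "host": "FS01", "channel": "System", "event_id": 7036, "service": "SAPHostControl", "state": "stopped"}
{"ts": "2024-10-24T03:14:09Z", "host": "FS01", "channel": "Security", "event_id": 1102}
{"ts": "2024-10-24T03:14:10Z", "host": "FS01", "channel": "System", "event_id": 104, "cleared_log": "System"}
{"ts": "2024-10-24T09:02:44Z", "host": "WS07", "channel": "Security", "event_id": 1102}
{"ts": "2024-10-23T22:00:00Z", "host": "FS02", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 5, "image": "C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Service.exe"}
{"ts": "2024-10-23T22:25:00Z", "host": "FS02", "channel": "Security", "event_id": 1102}
"""

# Assumed name fragments for backup/virtualization software; extend from your
# own software inventory (the article names Veeam and SAP as targets).
BACKUP_VIRT = re.compile(r"veeam|saphost|sapstartsrv", re.IGNORECASE)

# (event_id, channel) pairs that mean "an event log was cleared".
LOG_CLEAR_EVENTS = {(1102, "Security"), (104, "System")}


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(ts):
    """Parse an ISO-8601 timestamp; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify(ev):
    """Map one event to 'backup_kill', 'log_clear', or None if irrelevant."""
    eid = ev.get("event_id")
    if eid == 5 and BACKUP_VIRT.search(ev.get("image", "")):
        return "backup_kill"
    if (eid == 7036 and ev.get("state") == "stopped"
            and BACKUP_VIRT.search(ev.get("service", ""))):
        return "backup_kill"
    if (eid, ev.get("channel")) in LOG_CLEAR_EVENTS:
        return "log_clear"
    return None


def analyze(events, window=timedelta(minutes=10), min_kills=2):
    """Per host, alert when a log-clear event follows >= min_kills backup/
    virtualization terminations within `window`. A lone log clear (routine
    admin work) or a lone service restart does not trigger on its own."""
    by_host = {}
    for ev in events:
        kind = classify(ev)
        if kind is None:
            continue
        by_host.setdefault(ev["host"], []).append((parse_ts(ev["ts"]), kind))

    report = {}
    for host, items in by_host.items():
        items.sort()
        kills = [t for t, k in items if k == "backup_kill"]
        clears = [t for t, k in items if k == "log_clear"]
        alert = any(
            sum(1 for t in kills if timedelta(0) <= (c - t) <= window) >= min_kills
            for c in clears
        )
        report[host] = {"backup_kill": len(kills), "log_clear": len(clears), "alert": alert}
    return report


if __name__ == "__main__":
    for host, summary in sorted(analyze(parse_events(SAMPLE_EVENTS)).items()):
        print(host, summary)
```

Run as a script, it flags FS01 (three backup-related terminations followed within seconds by two log clears) and leaves WS07 (a single log clear) and FS02 (one Veeam restart and a log clear 25 minutes apart) unflagged. Because the variant clears logs and deletes itself on the endpoint, this kind of correlation only works when events are forwarded off-host as they are generated.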
In addition to Qilin.B, researchers identified a new threat—Embargo ransomware, propagated via Rust-based tools. Its attacks involve the BYOVD (Bring Your Own Vulnerable Driver) technique, allowing it to disable security solutions. The attack process leverages the malicious loader MDeployer and the MS4Killer tool, akin to the open-source solution s4killer.
The escalating threat of ransomware attacks is particularly acute in the healthcare sector. In the current fiscal year, 389 medical institutions in the U.S. have fallen victim, incurring daily losses of up to $900,000. Notable groups targeting hospitals include Lace Tempest, Sangria Tempest, Cadenza Tempest, and Vanilla Tempest.
According to Microsoft, among the 99 healthcare organizations that disclosed ransom payments, the average amount was $4.4 million, with a median of $1.5 million.