Ethical Hacking News
Halcyon has spotted a new variant of the Qilin ransomware strain, dubbed "Qilin.B," which features stronger encryption and evasion techniques. The new strain is just the latest example of how threat actors are continually evolving their tactics to stay one step ahead of security researchers and law enforcement agencies.
The Qilin ransomware strain has been updated with stronger encryption and evasion techniques, making it harder to detect and contain. The new variant, dubbed "Qilin.B," uses AES-256-CTR with AES-NI capabilities for faster encryption. The malware also incorporates RSA-4096 with OAEP padding for encryption key protection, adding complexity to its evasion techniques. Qilin.B adds autorun keys, terminates processes, and wipes volume shadow copies to evade security software and forensic analysis. The ransomware generates ransom notes for each directory processed and targets local directories and network folders.
The cybersecurity landscape continues to evolve with new threats emerging, and the latest addition to this list is the Qilin ransomware strain. Halcyon, a security research firm, recently spotted a new variant of the Qilin malware, dubbed "Qilin.B," which boasts stronger encryption and evasion techniques.
According to Bill Toulas, a tech writer and infosec news reporter, Qilin.B features an updated encryption scheme that uses AES-256-CTR with AES-NI acceleration on CPUs that support it, which speeds up the encryption process. For weaker or older systems that lack AES-NI hardware, the new strain retains ChaCha20, so encryption remains strong in either case.
Furthermore, Qilin.B protects its encryption keys with RSA-4096 using OAEP padding, making decryption practically impossible without the private key or captured seed values. This adds a further layer of complexity on top of the ransomware's evasion techniques, making it even more challenging for security researchers and law enforcement agencies to track and contain.
In addition to its stronger encryption, Qilin.B incorporates several evasion techniques that make it harder for security software to detect. The malware adds an autorun key in the Windows Registry for persistence, so that it remains on the system after a reboot. It also terminates certain processes, both to release files it wants to encrypt and to disable security tools.
Existing volume shadow copies are wiped to prevent easy system restoration, and Windows Event Logs are cleared to hinder forensic analysis. The ransomware binary is also deleted after the encryption process has been completed. Qilin.B targets both local directories and network folders and generates ransom notes for each directory processed, including the victim ID in the title.
The new strain also modifies the Registry with a separate entry that enables sharing of network drives between elevated and non-elevated processes. Although none of these features is groundbreaking in the ransomware space, they can have a severe impact when added to a family used by notorious threat groups in highly effective attacks.
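As an added, defender-side illustration written for this page (not code from Halcyon or either linked report), the Python below turns the behaviours just described into detection logic run over constructed Sysmon-style events. The command names and the EnableLinkedConnections registry value are assumptions about how these actions typically surface in telemetry, not details the reports attribute to Qilin.B.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    event_id: int   # Sysmon-style: 1 = process create, 13 = registry value set
    actor: str      # process responsible (parent image for ID 1, writer for ID 13)
    detail: str     # command line (ID 1) or registry target object (ID 13)

# Constructed sample telemetry, pipe-separated; not a real capture.
SAMPLE_LOG = r"""
1|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
1|C:\Users\u\Downloads\update.exe|vssadmin.exe delete shadows /all /quiet
1|C:\Users\u\Downloads\update.exe|wevtutil.exe cl Security
13|C:\Users\u\Downloads\update.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upd
13|C:\Users\u\Downloads\update.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections
1|C:\Users\u\Downloads\update.exe|cmd.exe /c del /f /q C:\Users\u\Downloads\update.exe
"""

# One rule per reported behaviour: (event id it applies to, pattern on detail). Command
# names and the registry value are assumptions about how the actions appear in telemetry.
RULES = {
    "shadow_copy_wipe":   (1,  re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    "event_log_clear":    (1,  re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    "self_delete":        (1,  re.compile(r"\bcmd(\.exe)?\b.*\b(del|erase)\b.*\.exe\b", re.I)),
    "autorun_key":        (13, re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    "linked_connections": (13, re.compile(r"\\Policies\\System\\EnableLinkedConnections$", re.I)),
}

def parse_log(text):
    """Parse the pipe-separated sample format into Event records."""
    events = []
    for line in text.strip().splitlines():
        event_id, actor, detail = line.split("|", 2)
        events.append(Event(int(event_id), actor, detail))
    return events

def match_rules(events):
    """Map each actor to the set of rule names its events tripped."""
    hits = {}
    for ev in events:
        for name, (eid, pattern) in RULES.items():
            if ev.event_id == eid and pattern.search(ev.detail):
                hits.setdefault(ev.actor, set()).add(name)
    return hits

def flag_ransomware_like(events, threshold=3):
    """Actors tripping >= threshold distinct rules; one rule alone may be legitimate admin work."""
    return sorted(a for a, r in match_rules(events).items() if len(r) >= threshold)
```

Any single rule (clearing a log, deleting shadow copies) fires on routine administration too; scoring the combination per responsible process is what keeps the false-positive rate tolerable.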
It's worth noting that Qilin was previously used in highly damaging attacks against major London hospitals, Court Services Victoria in Australia, and automotive giant Yanfeng. The group also operates a Linux variant focused on VMware ESXi attacks, but the variant Halcyon spotted targets Windows systems.
The new Fortinet flaw has been exploited since June, and Mandiant says that Qilin.B is just the latest example of how this vulnerability can be used to launch highly effective attacks. As cybersecurity continues to evolve, it's essential for organizations and individuals to stay vigilant and take proactive measures to protect themselves against emerging threats like Qilin.B.
Related Information:
https://www.bleepingcomputer.com/news/security/new-qilin-ransomware-encryptor-features-stronger-encryption-evasion/
https://thehackernews.com/2024/10/new-qilinb-ransomware-variant-emerges.html
Published: Thu Oct 24 12:38:48 2024 by llama3.2 3B Q4_K_M