
Qilin Ransomware, the new RaaS?

Written by IronGate | Jul 16, 2025 4:40:45 PM

For immediate assistance with a network intrusion, ransomware
attack, or BEC, please contact: IrongateResponse@irongatesecurity.com  

Qilin ransomware has been in the spotlight for the last several months, starting with IronGate’s early May IronSights article noting reuse of previously seen Conti TTPs and continuing with other DFIR and security research publications highlighting the group’s TTPs, attack lifecycles, and motives. Some publications even describe Qilin as the next big RaaS group given the surge in its recent activity.
 
Continuing with Qilin from our previous article, the IronTeam has additional observations of this group continuing to use older tactics and techniques against unsecured systems:

  • The adversary gains access to networks through an initial access broker, reused credentials, or VPN appliances that lack MFA.
  • Once on the network, they scan it, inventory reachable services and systems, and then attack those systems.
  • In recent investigations, the adversary identified an internal web application and used SQL injection to dump its credential store, which included a domain administrator account.
  • With that domain administrator account, the adversary moved laterally, scanned the network for data to exfiltrate, disrupted backups, employed anti-forensics, and finally deployed Qilin ransomware.
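The credential-dump step above comes down to an application pasting user input into SQL text. The following is an added example, not code from the original article or from any application IronGate investigated: a constructed in-memory SQLite user table, a lookup written the way vulnerable internal apps typically are, and the parameterized form that should replace it. The table contents, the `da_admin` account and the payload strings are all hypothetical.

```python
import sqlite3

# Constructed sample data standing in for an internal web app's user table.
# The hashes are placeholders; "da_admin" is a hypothetical domain admin
# account whose credential the app stored alongside ordinary users.
SAMPLE_USERS = [
    ("jdoe",       "5f4dcc3b5aa765d61d8327deb882cf99", "user"),
    ("svc_backup", "e99a18c428cb38d5f260853678922e03", "service"),
    ("da_admin",   "d8578edf8458ce06fbc5bb76a58c5ca4", "domain_admin"),
]

# Attacker-supplied values for the "username" field of a login or search form.
# The trailing "--" turns the rest of the original query into a comment.
DUMP_ALL_PAYLOAD = "x' OR 1=1 --"
TARGET_DA_PAYLOAD = "x' OR role = 'domain_admin' --"


def build_db():
    """Create and populate the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """Vulnerable: the username is interpolated into the SQL text, so quote
    characters in the input change the structure of the query."""
    sql = (
        "SELECT username, password_hash, role FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Hardened: a bound parameter is always treated as data, never as SQL,
    so the same payloads simply match no row."""
    sql = "SELECT username, password_hash, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, normal input:", lookup_user_vulnerable(conn, "jdoe"))
    print("vulnerable, dump payload:", lookup_user_vulnerable(conn, DUMP_ALL_PAYLOAD))
    print("vulnerable, DA payload:  ", lookup_user_vulnerable(conn, TARGET_DA_PAYLOAD))
    print("safe, dump payload:      ", lookup_user_safe(conn, DUMP_ALL_PAYLOAD))
    print("safe, normal input:      ", lookup_user_safe(conn, "jdoe"))
```

Against the constructed table, the vulnerable lookup returns every row for the first payload and the domain admin row for the second, which is exactly the credential dump described above; the parameterized lookup returns nothing for either payload. Parameterization fixes the injection, but not the underlying design problem of a domain administrator credential being stored in an application database at all.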

Notable Observations:

  • Qilin’s initial ransom demands average $225,000 with an average final payment of $162,500.
  • Negotiations drawn out over an average of 12 days resulted with approximately a 30% reduction in demand.
  • Qilin’s TTPs look for and exploit the path of least security resistance.

Mitigation Recommendations: 

  • Patch and secure both internal and external systems.
  • Custom applications, particularly those built on open-source dependencies, should be assessed on a regular cadence, including monitoring of threat feeds and vulnerability analysis of those dependencies.
  • Implement secure software development operations and procedures to develop systems and software with a “security first” approach. NIST and OWASP have published guidance for secure SDLC risk frameworks, top web application security risks, and security training for development and engineering teams. 
  • Implement role-based access controls for all accounts including domain administrators, administrators, and user accounts. 
  • Implement a 3-2-1 backup strategy, and segment “online backups” from the production network using access controls and administration credentials that are not shared with production systems. 
  • Implement a 24 x 7 Security Operations Center (“SOC”) to monitor and respond to alerts from security tools including SIEM, EDR software, and network devices. 

Contact us today to learn more about our Digital Forensics and Incident Response (DFIR) services.

Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests.
He has led hundreds of data breach investigations, assessed incident response and security programs, and successfully advised organizations through extortion negotiations.