Rust-Based Ransomware Implements Sophisticated Anti-Detection Measures
In a disturbing development in the cyber threat landscape, a Russian-speaking ransomware group has unveiled a new variant dubbed Qilin.B, characterized by capabilities designed to blunt defensive response. These enhancements include termination of security services, Windows Event Log clearing, disruption of backup systems, and deletion of the ransomware binary after encryption so that little evidence remains for investigators. This raises the bar for organizations striving to detect, contain, and recover from ransomware incidents.
The Qilin ransomware-as-a-service operation, also referred to as Agenda, emerged in July 2022 and gained notoriety for its high-profile attack on Synnovis, a pathology services provider to the National Health Service (NHS) in the United Kingdom. That breach severely disrupted hospital operations in London, highlighting the consequences of ransomware incidents for critical services. Halcyon, a cybersecurity firm, has recently reported on the advanced features of Qilin's latest payload, which is provided to affiliates under the ransomware-as-a-service model.
The advancements in Qilin.B are notable, particularly its choice of two bulk ciphers. It encrypts files with AES-256 in CTR mode, which is fast on modern CPUs because of hardware AES-NI acceleration, and falls back to ChaCha20 on systems that lack AES-NI support (ChaCha20 is not an older cipher; it is simply faster than AES in pure software). The per-file symmetric keys are then wrapped with RSA-4096 using OAEP padding, so recovering files without the attacker's RSA private key, or without capturing the symmetric keys or seed material from memory before they are wrapped, is effectively impossible.
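The hybrid (envelope) scheme the paragraph describes, as an added example that is not Qilin's code or Halcyon's analysis: each file gets a fresh random AES-256 key used in CTR mode, and that key is wrapped with RSA-OAEP so only the RSA private key can unwrap it. The on-disk layout, the use of SHA-256 inside OAEP, and the function names are assumptions for this illustration; the article does not describe Qilin's real format. The ChaCha20 fallback path is omitted because the Go standard library does not ship ChaCha20.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Envelope is the assumed per-file layout for this example (not Qilin's real
// on-disk format): the AES key wrapped with RSA-OAEP, the CTR IV, the ciphertext.
type Envelope struct {
	WrappedKey []byte
	IV         []byte
	Ciphertext []byte
}

// NewWrappingKey generates the RSA key pair whose public half wraps file keys.
// The article reports RSA-4096; the size is a parameter so tests can use 2048.
func NewWrappingKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Seal encrypts plaintext under a fresh random AES-256 key in CTR mode and wraps
// that key with RSA-OAEP (SHA-256, an assumption) under pub.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 key, never written to disk unwrapped
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// Open unwraps the file key with priv and decrypts. A wrong private key fails at
// the OAEP step: nothing but the matching RSA private key recovers the data.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(env.Ciphertext))
	cipher.NewCTR(block, env.IV).XORKeyStream(pt, env.Ciphertext)
	return pt, nil
}

// Marshal serialises the envelope as [u16 wrapped-key length][wrapped key][IV][ciphertext].
func (e *Envelope) Marshal() []byte {
	out := make([]byte, 2, 2+len(e.WrappedKey)+len(e.IV)+len(e.Ciphertext))
	binary.BigEndian.PutUint16(out, uint16(len(e.WrappedKey)))
	out = append(out, e.WrappedKey...)
	out = append(out, e.IV...)
	return append(out, e.Ciphertext...)
}

// Unmarshal is the inverse of Marshal; a forensic tool would do the same to
// locate the wrapped key blob inside an encrypted file.
func Unmarshal(b []byte) (*Envelope, error) {
	if len(b) < 2 {
		return nil, errors.New("short envelope")
	}
	n := int(binary.BigEndian.Uint16(b))
	if len(b) < 2+n+aes.BlockSize {
		return nil, errors.New("truncated envelope")
	}
	return &Envelope{
		WrappedKey: b[2 : 2+n],
		IV:         b[2+n : 2+n+aes.BlockSize],
		Ciphertext: b[2+n+aes.BlockSize:],
	}, nil
}

func main() {
	priv, err := NewWrappingKey(4096)
	if err != nil {
		panic(err)
	}
	env, err := Seal(&priv.PublicKey, []byte("constructed sample file contents"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(priv, env)
	fmt.Printf("round trip ok: %v (err=%v), wrapped key is %d bytes\n",
		err == nil && string(pt) == "constructed sample file contents", err, len(env.WrappedKey))
}
```

The point for responders is visible in the layout: the wrapped key travels with each file, so having every byte of the encrypted file gains nothing without the RSA private key. The only realistic recovery path outside paying is catching the unwrapped AES key or its seed in process memory before the encryptor exits, which is exactly why self-deletion and log clearing matter.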
Of particular concern is the evasion strategy employed by Qilin.B, which is written in Rust. Rust is a language that emphasizes memory safety rather than resistance to analysis, but Rust binaries are in practice harder to reverse engineer than typical C/C++ malware: heavy inlining and monomorphized generics produce large, unfamiliar code, and many analysis tools and analysts are less practiced with Rust's runtime and calling conventions. This slows analysis and response during and after an attack. Upon execution, Qilin.B methodically terminates security services, clears Windows Event Logs, and deletes itself from the compromised system, leaving minimal forensic evidence for investigators.
Once deployed, Qilin.B begins by verifying that it holds administrative privileges, detecting virtual machine environments (a common sandbox-evasion check), and testing for AES-NI support to choose between its AES-256-CTR and ChaCha20 code paths. Separately, it establishes persistence by modifying registry entries so that it runs at startup, which means a reboot during recovery can relaunch the encryptor if the entry is not removed.
In its destructive path, Qilin.B targets backup and recovery mechanisms, specifically deleting Windows Volume Shadow Copies through the Volume Shadow Copy Service so that victims cannot restore previous file versions after encryption. The ransomware also explicitly seeks out and stops services belonging to well-known security and backup vendors such as Sophos, Acronis, and Veeam, both to avoid interference during encryption and to further complicate recovery for affected organizations.
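The behaviours in the three preceding paragraphs (service termination, event log clearing, self-deletion, Run-key persistence, and shadow copy deletion) are all observable as process command lines or as a Security log 1102 event, which makes them good detection material. The following is an added example of such detection logic, not code from Halcyon or the article: it runs a small rule set over constructed Sysmon/Security-style JSON records and maps each hit to the ATT&CK technique it indicates. The JSON field names, the exact command lines, and the rule patterns are assumptions for this illustration; adapt the schema to your own log pipeline.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Event is the subset of a Sysmon (EID 1) or Security (EID 1102/4688) record used
// here. Field names are assumed for this example, not a vendor schema.
type Event struct {
	EventID     int    `json:"event_id"`
	Channel     string `json:"channel"`
	Image       string `json:"image"`
	CommandLine string `json:"command_line"`
}

// Finding ties one matched record to the ATT&CK technique it suggests.
type Finding struct {
	Technique string
	Name      string
	Evidence  string
}

type rule struct {
	technique, name string
	re              *regexp.Regexp
}

// cmdRules are heuristic command-line patterns. They are deliberately broad;
// tune them against your own baseline of legitimate admin activity.
var cmdRules = []rule{
	{"T1490", "Inhibit System Recovery: shadow copy / backup catalog deletion",
		regexp.MustCompile(`(?i)\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?.*\brecoveryenabled\s+no)`)},
	{"T1070.001", "Indicator Removal: clear Windows Event Logs",
		regexp.MustCompile(`(?i)\bwevtutil(\.exe)?\s+(cl|clear-log)\b`)},
	{"T1489", "Service Stop targeting backup/security vendors",
		regexp.MustCompile(`(?i)\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*?/im)\s+\S*(sophos|acronis|veeam)`)},
	{"T1547.001", "Boot or Logon Autostart: Registry Run key persistence",
		regexp.MustCompile(`(?i)\breg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b`)},
	{"T1070.004", "Indicator Removal: delayed self-delete via cmd (ping ... & del)",
		regexp.MustCompile(`(?i)\bcmd(\.exe)?\s+/c\s+.*\bping\b.*&+\s*del\b.*\.exe`)},
}

// Detect scans newline-delimited JSON records and returns findings in log order.
// Unparsable lines are skipped rather than aborting the scan.
func Detect(logLines string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(logLines))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue
		}
		// Security EID 1102 is written by the OS itself when the Security log is cleared,
		// so it survives even if wevtutil's own process event was never collected.
		if ev.EventID == 1102 && strings.EqualFold(ev.Channel, "Security") {
			findings = append(findings, Finding{"T1070.001", "Security log cleared (EID 1102)", line})
			continue
		}
		for _, r := range cmdRules {
			if ev.CommandLine != "" && r.re.MatchString(ev.CommandLine) {
				findings = append(findings, Finding{r.technique, r.name, ev.CommandLine})
			}
		}
	}
	return findings
}

// sampleLog is constructed test data, not real telemetry from a Qilin.B incident.
const sampleLog = `{"event_id":1,"image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c vssadmin.exe delete shadows /all /quiet"}
{"event_id":1,"image":"C:\\Windows\\System32\\net.exe","command_line":"net stop \"Veeam Backup Service\" /y"}
{"event_id":1,"image":"C:\\Windows\\System32\\reg.exe","command_line":"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\svc.exe /f"}
{"event_id":1,"image":"C:\\Windows\\System32\\wevtutil.exe","command_line":"wevtutil.exe cl Security"}
{"event_id":1102,"channel":"Security"}
{"event_id":1,"image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c ping 127.0.0.1 -n 5 > nul & del /f /q C:\\Users\\Public\\svc.exe"}
{"event_id":1,"image":"C:\\Windows\\System32\\notepad.exe","command_line":"notepad.exe C:\\Users\\alice\\notes.txt"}
`

func main() {
	for _, f := range Detect(sampleLog) {
		fmt.Printf("%-10s %-60s %s\n", f.Technique, f.Name, f.Evidence)
	}
}
```

Two of these signals deserve priority in a SOC: shadow copy deletion almost never happens outside change windows, and Security EID 1102 is emitted by Windows itself when the log is cleared, so it is recorded even after the clearing tool's own process-creation event is gone. Forwarding both to a collector the encryptor cannot reach is what makes the log-wiping step ineffective.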
Encrypted files are tagged with a unique extension derived from a "company_id" value, which lets the attackers tie each encrypted system back to the specific victim. Every affected directory receives a ransom note named "README-RECOVER-[company_id].txt" that directs victims to payment instructions and to a Tor-based site for decryption support, which is how the group runs its extortion.
Several MITRE ATT&CK techniques map cleanly onto this behaviour: Data Encrypted for Impact (T1486) for the encryption itself, Inhibit System Recovery (T1490) for shadow copy deletion, Service Stop (T1489) and Impair Defenses (T1562.001) for terminating backup and security services, Indicator Removal through Clear Windows Event Logs (T1070.001) and File Deletion (T1070.004) for the log wiping and self-deletion, Registry Run Keys (T1547.001) for persistence, and Virtualization/Sandbox Evasion (T1497) for the VM checks. The administrative privilege check is a discovery step rather than privilege escalation; the payload assumes it is already running with the rights it needs, which affiliates obtain earlier in the intrusion through initial access and lateral movement that the report does not detail. As organizations continue to navigate the risks associated with cyber threats, Qilin.B serves as a stark reminder of the evolving sophistication of ransomware operations and of the need for tamper-resistant logging, offline backups, and monitoring of the recovery-inhibition behaviours described above.