Prepared by: Richard Grainger, Global Head of Digital Forensics
Australian organisations are facing a sharp rise in ransomware attacks from a group known as Qilin. Over 700 victims have already been named on their dark web leak site, and Triskele Labs’ Digital Forensics and Incident Response (DFIR) team has investigated nine incidents in just the past two years. Qilin’s tactics are fast, destructive, and highly opportunistic—combining data theft with system encryption to maximise pressure on victims.
This post breaks down how they operate, why they’re so effective, and what steps you can take to defend your organisation.
The group consistently performs double extortion: they exfiltrate sensitive information from victim organisations before deploying their ransomware. This allows them to extort victims for payment not only to provide a decryption tool but also to suppress publication of the stolen data on their leak site.
During an investigation we look to identify the initial access method and time. This allows us to calculate the time between initial access and the impact (encryption) of the incident, also known as dwell time. The dwell time for Qilin averages 19 days, but Triskele Labs have observed them gain access to a victim organisation's network, identify sensitive information repositories for exfiltration, destroy backups and encrypt systems in as little as two days.
The Qilin ransomware group is opportunistic. In the nine investigations conducted by the Triskele Labs DFIR Team, they gained initial access into environments through exposed Remote Desktop Protocol (RDP) or Secure Socket Layer Virtual Private Networks (SSL VPNs) that had not been configured with MFA.
The Qilin ransomware group has been observed using common tooling such as Mimikatz, LaZagne and Ngrok. EDR tooling should identify these tools being written to disk, block them on execution and generate alerts. EDR should be deployed across all systems within the organisation, not just endpoints or servers. Threat actors commonly identify hosts that have no security tooling on them and use these to conduct their activity without generating any alerts.
Qilin, like most other ransomware groups, is most active within victim environments in the late evening and early morning Australian time. In the investigations conducted by the Triskele Labs DFIR Team, the victim organisations did not have their security toolsets monitored around the clock, and their first indication that they had been attacked was discovering that systems had been encrypted when staff arrived at the office in the morning.
Ensuring that these security platforms are monitored around the clock can allow ransomware attacks to be contained early.
Qilin, like most other ransomware groups, uses legitimate RMM tooling to maintain persistence within a victim organisation's network. They have been observed using tools such as AnyDesk, TightVNC, Splashtop and ScreenConnect. These tools are not inherently malicious and are often used legitimately by organisations' IT teams to remotely manage systems. Because they are legitimate tools, security tooling often does not alert on them; implementing custom detections that fire when RMM tools are observed within a network can be an early warning that persistence is being deployed.
As with understanding an attack surface, organisations should continually perform vulnerability scanning of publicly accessible systems as well as internal systems, and have processes in place to patch the vulnerabilities found. Patching critical vulnerabilities on publicly facing systems is imperative.
Ransomware groups like Qilin seek to understand what backup systems a victim organisation has in place so that they can destroy them and maximise their chances of extorting payment for a decryption tool. Organisations need to maintain a regular backup cadence and ensure that multiple copies of backups are stored, with at least one copy held on external infrastructure that is immutable.
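The custom detection suggested above, written out as an added example (this is not Triskele Labs' code). It runs over Sysmon Event ID 1 style process-creation records in JSON-lines form and flags the credential-dumping, tunnelling and RMM tooling named in this post. The Sysmon field names (Image, OriginalFileName, Computer, User) are real; the RMM executable names other than AnyDesk, the sanctioned-host list and the sample events are assumptions constructed for the example.

```python
"""Added example, not Triskele Labs' code: a minimal custom detection for the
tooling described above (credential dumpers, tunnelling and RMM software),
run over Sysmon Event ID 1 style process-creation records in JSON-lines form.
Field names follow Sysmon (Image, OriginalFileName, Computer, User); the sample
events below are constructed for this example."""
import json
from typing import Iterable, List, Optional

# Watch-list drawn from the tooling named in the post. Keys are lower-case
# executable names; the RMM binary names are assumptions, check them against
# the vendor's documentation and your own software inventory.
WATCHLIST = {
    "mimikatz.exe": "credential-dumping",
    "lazagne.exe": "credential-dumping",
    "ngrok.exe": "tunnelling",
    "anydesk.exe": "rmm",
    "tvnserver.exe": "rmm",                    # TightVNC server (assumed name)
    "srserver.exe": "rmm",                     # Splashtop streamer (assumed name)
    "screenconnect.clientservice.exe": "rmm",  # ScreenConnect agent (assumed name)
}

# RMM products are legitimate on the hosts IT actually uses them from; listing
# those here keeps the detection quiet where use is expected. Constructed.
SANCTIONED_RMM = {"anydesk.exe": {"IT-JUMP01"}}

# Directories a normal user can write to; tooling launched from here rather
# than from an installed location is a stronger signal.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\perflogs\\")


def _basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict for a watch-listed process, or None."""
    image = _basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    # Prefer the PE version-resource name: a renamed mimikatz.exe still
    # carries OriginalFileName=mimikatz.exe unless the attacker patched it.
    key = original if original in WATCHLIST else image
    if key not in WATCHLIST:
        return None
    category = WATCHLIST[key]
    renamed = original in WATCHLIST and image != original
    host = event.get("Computer", "").upper()
    if category == "rmm" and not renamed and host in SANCTIONED_RMM.get(key, set()):
        return None  # expected IT use of this RMM product on this host
    from_user_path = any(m in event.get("Image", "").lower() for m in USER_WRITABLE)
    severity = "high" if (renamed or from_user_path or category != "rmm") else "medium"
    return {
        "host": host,
        "user": event.get("User", ""),
        "tool": key,
        "category": category,
        "severity": severity,
        "reasons": [r for r, hit in (("renamed-binary", renamed),
                                     ("user-writable-path", from_user_path),
                                     ("unsanctioned-host", category == "rmm")) if hit],
    }


def scan(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines process-creation events and return all alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = evaluate(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (Sysmon Event ID 1 fields, abbreviated).
SAMPLE_EVENTS = """
{"Computer":"IT-JUMP01","User":"CORP\\\\svc_helpdesk","Image":"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe","OriginalFileName":"AnyDesk.exe"}
{"Computer":"FILESRV02","User":"CORP\\\\backup_admin","Image":"C:\\\\Users\\\\Public\\\\svchost.exe","OriginalFileName":"mimikatz.exe"}
{"Computer":"WKSTN-FIN07","User":"CORP\\\\jsmith","Image":"C:\\\\Users\\\\jsmith\\\\AppData\\\\Local\\\\Temp\\\\AnyDesk.exe","OriginalFileName":"AnyDesk.exe"}
{"Computer":"DC01","User":"NT AUTHORITY\\\\SYSTEM","Image":"C:\\\\Windows\\\\System32\\\\svchost.exe","OriginalFileName":"svchost.exe"}
{"Computer":"FILESRV02","User":"CORP\\\\backup_admin","Image":"C:\\\\ProgramData\\\\ngrok.exe","OriginalFileName":"ngrok.exe"}
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Of the five constructed events, the sanctioned AnyDesk launch on the IT jump host and the genuine svchost.exe are left alone; the renamed Mimikatz, the AnyDesk copy in a user's Temp folder and the Ngrok binary each produce an alert. Matching on OriginalFileName as well as the on-disk name is what catches the renamed binary; the sanctioned-host list is what stops the detection drowning in the IT team's own RMM use.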
Organisations also need to ensure that they are testing restores of these backups so that they can be relied upon in the event of an incident.
Organisations should not simply restore impacted systems from the night before encryption took place. The group has been observed to have had access to a victim organisation's network for up to 65 days prior to encryption. Backups should be analysed by experienced DFIR professionals prior to restoration.
Qilin remains one of the most active ransomware groups impacting Australian organisations, employing double extortion tactics, opportunistic entry points such as exposed RDP and SSL VPNs, and legitimate tools to maintain persistence.
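The dwell-time calculation and the restore-point caution above, worked through as an added example (not Triskele Labs' code). Given the first observed attacker access and the encryption time, it computes dwell time and places each backup snapshot either before the intrusion window, inside it (a candidate for DFIR review before any restore), or after impact. The timeline, snapshot names and the two-day uncertainty margin are constructed for the example.

```python
"""Added example, not Triskele Labs' code: triage of backup restore points
against the intrusion timeline described above, so that the "night before"
backup is not restored blindly. Timestamps and snapshot names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Snapshot:
    name: str
    taken: datetime


def dwell_time(initial_access: datetime, encryption: datetime) -> timedelta:
    """Time between first observed attacker access and encryption (impact)."""
    if encryption < initial_access:
        raise ValueError("encryption precedes initial access; check the timeline")
    return encryption - initial_access


def classify(snapshot: Snapshot, initial_access: datetime, encryption: datetime,
             uncertainty: timedelta) -> str:
    """Place one snapshot relative to the intrusion window.

    First observed access is only a lower bound on how long the attacker was
    present, so the clean boundary is pushed `uncertainty` earlier than it.
    """
    if snapshot.taken >= encryption:
        return "post-impact"       # likely holds encrypted data and ransom notes
    if snapshot.taken >= initial_access - uncertainty:
        return "within-dwell"      # may carry persistence/RMM tooling; DFIR review first
    return "pre-compromise"


def triage(snapshots: List[Snapshot], initial_access: datetime, encryption: datetime,
           uncertainty: timedelta = timedelta(days=2)) -> Dict[str, object]:
    """Dwell time, a verdict per snapshot, and the newest pre-compromise snapshot."""
    verdicts = {s.name: classify(s, initial_access, encryption, uncertainty)
                for s in snapshots}
    clean = [s for s in snapshots if verdicts[s.name] == "pre-compromise"]
    return {
        "dwell_days": dwell_time(initial_access, encryption).days,
        "verdicts": verdicts,
        # None means nothing predates the widened window: rebuild rather than restore
        "recommended": max(clean, key=lambda s: s.taken).name if clean else None,
    }


# Constructed timeline: first observed attacker VPN logon (late evening) and
# the early-morning encryption event that staff discovered on arrival.
INITIAL_ACCESS = datetime(2025, 3, 1, 22, 40)
ENCRYPTION = datetime(2025, 3, 21, 3, 15)

# Constructed retention set: weekly and nightly snapshots, plus one taken
# after encryption had already run.
SAMPLE_SNAPSHOTS = [
    Snapshot("weekly-2025-02-20", datetime(2025, 2, 20, 2, 0)),
    Snapshot("nightly-2025-02-27", datetime(2025, 2, 27, 2, 0)),
    Snapshot("nightly-2025-02-28", datetime(2025, 2, 28, 2, 0)),
    Snapshot("nightly-2025-03-07", datetime(2025, 3, 7, 2, 0)),
    Snapshot("nightly-2025-03-14", datetime(2025, 3, 14, 2, 0)),
    Snapshot("nightly-2025-03-20", datetime(2025, 3, 20, 2, 0)),
    Snapshot("nightly-2025-03-21", datetime(2025, 3, 21, 2, 0)),  # ran an hour before impact
    Snapshot("nightly-2025-03-21-late", datetime(2025, 3, 21, 23, 0)),
]


def run_example() -> Dict[str, object]:
    """Triage the constructed retention set against the constructed timeline."""
    return triage(SAMPLE_SNAPSHOTS, INITIAL_ACCESS, ENCRYPTION)


if __name__ == "__main__":
    result = run_example()
    print(f"dwell time: {result['dwell_days']} days")
    for name, verdict in result["verdicts"].items():
        print(f"{name:28} {verdict}")
    print("recommended restore point:", result["recommended"])
```

With the constructed timeline the dwell time is 19 days, the "night before" snapshot and every nightly back to 28 February fall inside the intrusion window, and the newest snapshot that predates it is nightly-2025-02-27. The margin matters: shrink it to zero and the 27 February snapshot is still clean, but in a real case the earliest artefact you find is rarely the true first access, so widen the window rather than trust the boundary.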
MITRE ATT&CK mappings, alongside commonly observed tooling used during Qilin attacks are detailed below.
If your organisation experiences a Qilin ransomware attack, it is critical that you immediately notify your cyber insurer to ensure the incident is reported and managed correctly. If you do not have a cyber insurer, you should engage a reputable DFIR firm and legal firm without delay to ensure that the incident can be contained and investigated and the organisation can receive advice on its regulatory and legal obligations.
Tactic | Technique | Description
Initial Access | T1078.002 - Valid Accounts: Domain Accounts | Obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Initial Access | T1133 - External Remote Services | Leverage external-facing remote services to initially access and/or persist within a network.
Persistence | T1053.005 - Scheduled Task/Job: Scheduled Task | A scheduled task was created to execute a malicious program or code.
Persistence | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Ransomware binary added on hosts as a startup item.
Lateral Movement | T1021.001 - Remote Services: Remote Desktop Protocol | Use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP).
Lateral Movement | T1021.004 - Remote Services: SSH | SSH was used to laterally move within the environment.
Lateral Movement | T1021.002 - Remote Services: SMB/Windows Admin Shares | PsExec was used to laterally move within the environment.
Defence Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools | Modify and/or disable security tools to avoid possible detection of their malware/tools and activities.
Defence Evasion | T1070.001 - Indicator Removal: Clear Windows Event Logs | Clear Windows Event Logs to hide the activity of an intrusion.
Defence Evasion | T1078.002 - Valid Accounts: Domain Accounts | Obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Defence Evasion | T1562.004 - Impair Defenses: Disable or Modify System Firewall | Security tooling was modified to evade detection and execute malicious programs.
Defence Evasion | T1070.003 - Indicator Removal: Clear Command History | PowerShell history logs were cleared to remove evidence of the Threat Actor's activity.
Exfiltration | T1048 - Exfiltration Over Alternative Protocol | Steal data by exfiltrating it over a different protocol than that of the existing command and control channel.
Exfiltration | T1537 - Transfer Data to Cloud Account | MEGAsync was installed and executed by the Threat Actor.
Collection | T1039 - Data from Network Shared Drive | Data was collected from shared network drives.
Collection | T1005 - Data from Local System | Data was collected from local systems.
Impact | T1486 - Data Encrypted for Impact | Encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.
Impact | T1485 - Data Destruction | Recent Veeam backups were deleted.
Impact | T1491.001 - Defacement: Internal Defacement | The Veeam login message was changed and ransom notes were left.
Impact | T1490 - Inhibit System Recovery | Backups were deleted to limit the ability to recover.
Execution | T1569.002 - System Services: Service Execution | Abuse the Windows service control manager to execute malicious commands or payloads.
Execution | T1059.001 - Command and Scripting Interpreter: PowerShell | Abuse PowerShell commands and scripts for execution.
Execution | T1204.002 - User Execution: Malicious File | Rely upon a user opening a malicious file to gain execution.
Execution | T1059.004 - Command and Scripting Interpreter: Unix Shell | The shell on ESXi was used to deploy the ransomware.
Credential Access | T1555 - Credentials from Password Stores | Search for common password storage locations to obtain user credentials.
Credential Access | T1003 - OS Credential Dumping | Attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.
Credential Access | T1003.001 - OS Credential Dumping: LSASS Memory | Attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
Credential Access | T1003.003 - OS Credential Dumping: NTDS | Attempt to access or create a copy of the Active Directory domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.
Discovery | T1087.002 - Account Discovery: Domain Account | Attempt to get a listing of domain accounts.
Discovery | T1135 - Network Share Discovery | Look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.
Discovery | T1046 - Network Service Discovery | Attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Discovery | T1083 - File and Directory Discovery | Enumerate files and directories, or search specific locations of a host or network share for certain information within a file system.
Discovery | T1016 - System Network Configuration Discovery | Netscan was executed in the environment to identify IP addresses of hosts.
Discovery | T1087.002 - Account Discovery: Domain Account | Domain account information was collected.
Command & Control | S0154 - Cobalt Strike | A commercial, full-featured, remote access tool that bills itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors".
Command & Control | T1219 - Remote Access Software | Use legitimate remote access tools to establish an interactive command and control channel within a network.
Command & Control | T1090 - Proxy | Reverse proxies were established by the Threat Actor.
Tool | Purpose
Advanced IP Scanner | Mapping organisation networks
Advanced Port Scanner | Mapping organisation networks
NetScan | Mapping organisation networks
Mimikatz | Dump credentials from systems
Cobalt Strike | Maintain persistence and perform command and control
LaZagne | Dump credentials from systems
AnyDesk | Maintain persistence
Action1 | Maintain persistence
MEGA | Online cloud storage for data exfiltration
MEGASync | MEGA client used for data exfiltration
PsExec | Remote code execution across systems
Rclone | Data exfiltration tool
FileZilla | Data exfiltration tool
WinSCP | Data exfiltration tool
Kopia | Data exfiltration tool
Process Hacker | Dump credentials from systems
dControl | Disable native Windows Defender on systems
TightVNC | Maintain persistence
Splashtop | Maintain persistence
ScreenConnect | Maintain persistence
Ngrok | Maintain persistence
SSH | Maintain persistence