Qilin (cybercrime group)

Qilin is a Russian-speaking cybercrime organisation that has been linked to a number of incidents, including a ransomware attack on hospitals in London.[1][2]

The group was detected by Trend Micro in August 2022 promoting ransomware called Agenda, which affiliates could tailor.[3] The software at the time was written in Go and Trend Micro noted similarity of the source code with Black Basta, Black Matter and REvil families of malware.[3]

history

edit

In December 2022 the Agenda ransomware was rewritten in Rust.[4]

Group-IB said they had infiltrated the group in March 2023 and that affiliates earn about 80 to 85% of each ransom payment.[4]

In 2023, Qilin attacks included the following:

  • Thailand battery manufacturer, Thornburi Energy Storage Systems, a battery manufacturer in Thailand
  • Construction consultancy WT Partnership Asia
  • Chinese car parts manufacturer Yanfen, which affected operations at US car maker Stellantis

In 2024, Qilin was named in the following attacks:

  • Upper Merion Township in the United States was the victim of a ransomware attack where they claimed to have stolen 500 GB including information on staff and private contracts.[5]
  • Felda Global Ventures Holdings Berhad in Malaysia was also attacked.[5]
  • UK-based charity, the Big Issue had 550 GB of data stolen including personnel information, contracts and partner data[5]
  • US business Skender Construction had 651 GB of data stolen impacting 1,067 people including names, addresses, dates of birth, payment details passports and potentially health information.[5]
  • Several London hospitals declared a critical incident when a ransomware attack affected their systems.[1][2]

References

edit
  1. ^ a b Hern, Alex (2024-06-05). "Who are Qilin, the cybercriminals thought behind the London hospitals hack?". The Guardian. The Guardian. ISSN 0261-3077. Retrieved 2024-06-05.
  2. ^ a b "Qilin ransomware gang likely behind crippling NHS attack | Computer Weekly". ComputerWeekly.com. Retrieved 2024-06-05.
  3. ^ a b Lakshmanan, Ravi (2022-08-29). "New Golang-based 'Agenda Ransomware' Can Be Customized For Each Victim". The Hacker News. Retrieved 2024-06-25.
  4. ^ a b Lakshmanan, Ravie (2023-05-16). "Inside Qilin Ransomware: Affiliates Take Home 85% of Ransom Payouts". The Hacker News. Retrieved 2024-06-25.
  5. ^ a b c d "Street newspaper appears to have Big Issue with Qilin ransomware gang". The Register. 2024-06-01. Retrieved 2024-06-05.