New Qilin.B Ransomware Strain: Enhanced Encryption and Evasion Tactics
The latest Qilin ransomware variant, tracked as Qilin.B, has emerged as a Rust rewrite with stronger encryption and better evasion of detection. Researchers at Halcyon recently observed Qilin.B in the wild and published indicators of compromise to help organizations spot it early.

Qilin.B encrypts files with AES-256-CTR, using AES-NI instructions on CPUs that support them for faster throughput, and falls back to ChaCha20 on hardware without AES-NI, so encryption stays fast on either class of machine. The symmetric keys are in turn wrapped with RSA-4096 using OAEP padding, so files cannot practically be decrypted without the attackers' private key.

The malware establishes persistence through an autorun key in the Windows Registry and then stops services and processes that would interfere with encryption or enable recovery, including Veeam backup, SQL database services and the Windows Volume Shadow Copy Service. It clears Windows event logs to hinder forensic investigation, deletes shadow copies and removes its own binary once encryption is complete. Qilin.B encrypts both local and network directories, dropping a ransom note in each and logging a victim ID for later identification, and it modifies the Registry to facilitate network drive sharing, which can extend its reach across a compromised network.

This variant keeps the group's focus on high-impact targets; earlier Qilin attacks disrupted London hospitals and Australian court services.
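The encryption design described above, modelled as an added example that is not Qilin.B's code and not taken from the Halcyon report: a fresh symmetric key per file, AES-256-CTR when the CPU advertises AES-NI and ChaCha20 otherwise, with that key wrapped under the operator's RSA-4096 public key using OAEP. The file header layout, the cipher tag bytes and the CPU-flag probe are assumptions for illustration; it requires the `cryptography` package.

```python
"""Model of the hybrid encryption the write-up attributes to Qilin.B.

Added example, not Qilin.B code. The binary only needs the operator's public
key, so nothing a defender extracts from the sample or the host recovers the
per-file key; only the operator's private key unwraps it. Header layout, cipher
tags and the AES-NI probe are assumptions made for this illustration.
"""
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
AES_CTR, CHACHA = b"\x01", b"\x02"   # assumed one-byte cipher tag in the file header
KEY_LEN, NONCE_LEN = 32, 16          # 256-bit key; 16-byte IV (AES-CTR) or counter+nonce (ChaCha20)


def generate_operator_keypair(bits=4096):
    """Operator side: the private key never ships with the malware."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return priv, priv.public_key()


def has_aesni(cpu_flags: str) -> bool:
    """Hypothetical probe over a /proc/cpuinfo-style flag list (a Windows sample would use CPUID)."""
    return "aes" in cpu_flags.split()


def select_cipher(cpu_flags: str) -> bytes:
    """AES-256-CTR with hardware acceleration if available, ChaCha20 otherwise."""
    return AES_CTR if has_aesni(cpu_flags) else CHACHA


def _stream_cipher(tag: bytes, key: bytes, nonce: bytes) -> Cipher:
    if tag == AES_CTR:
        return Cipher(algorithms.AES(key), modes.CTR(nonce))
    if tag == CHACHA:
        return Cipher(algorithms.ChaCha20(key, nonce), mode=None)
    raise ValueError("unknown cipher tag")


def encrypt_file(plaintext: bytes, operator_pub, tag: bytes) -> bytes:
    """Fresh key and nonce per file; only the RSA-wrapped key is stored alongside the data."""
    key, nonce = os.urandom(KEY_LEN), os.urandom(NONCE_LEN)
    enc = _stream_cipher(tag, key, nonce).encryptor()
    body = enc.update(plaintext) + enc.finalize()
    wrapped = operator_pub.encrypt(key, OAEP)      # 512 bytes for RSA-4096
    return tag + len(wrapped).to_bytes(2, "big") + wrapped + nonce + body


def decrypt_file(blob: bytes, operator_priv) -> bytes:
    """The decryptor the operator sells; OAEP unwrapping raises ValueError under any other key."""
    tag, wlen = blob[:1], int.from_bytes(blob[1:3], "big")
    wrapped = blob[3:3 + wlen]
    nonce = blob[3 + wlen:3 + wlen + NONCE_LEN]
    body = blob[3 + wlen + NONCE_LEN:]
    key = operator_priv.decrypt(wrapped, OAEP)
    dec = _stream_cipher(tag, key, nonce).decryptor()
    return dec.update(body) + dec.finalize()


def decrypts_under(blob: bytes, candidate_priv) -> bool:
    """True only if the candidate private key is the one whose public half wrapped the file key."""
    try:
        decrypt_file(blob, candidate_priv)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    priv, pub = generate_operator_keypair()
    blob = encrypt_file(b"quarterly-report.xlsx contents", pub, select_cipher("fpu sse2 aes avx2"))
    print("cipher tag", blob[:1].hex(), "wrapped key bytes", int.from_bytes(blob[1:3], "big"))
    print("recovered:", decrypt_file(blob, priv))
```

The point for responders is structural: because only the public key is embedded, reverse engineering the sample yields the scheme but no key material, and brute-forcing a 256-bit per-file key or factoring a 4096-bit modulus is out of reach, which is why recovery depends on backups rather than on a decryptor.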
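The host behaviours listed above (Run-key persistence, shutting down Veeam, SQL and Volume Shadow Copy services, shadow-copy deletion, log clearing and self-deletion) are also what makes the variant detectable from endpoint telemetry. The following is an added example, not Halcyon's indicators or any vendor rule: it maps each behaviour to a check over process-creation and registry events and alerts when several cluster on one host. The event format and the sample events are constructed, and the shadow-copy and log-clearing command patterns are generic ransomware tradecraft rather than strings quoted from this sample.

```python
"""Behavioural detection for the Qilin.B pattern described in the write-up.

Added example, not vendor detection content. Event records are a constructed,
Sysmon-like shape: process_create events carry a command line and parent image,
registry_set events carry the target key. One behaviour alone is noisy (admins
stop services too); the alert fires on several distinct behaviours per host.
"""
import re
from collections import defaultdict

# Service/process families named in the write-up: Veeam, SQL, Volume Shadow Copy.
BACKUP_SERVICES = re.compile(r"veeam|sql|vss", re.IGNORECASE)
STOP_CMDS = re.compile(r"\b(net1?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?)\b", re.IGNORECASE)
# Common shadow-copy removal and event-log clearing commands (generic, not sample-specific).
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE)
LOG_CLEAR = re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|Clear-EventLog", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


def classify(ev: dict) -> set:
    """Return the set of Qilin.B-style behaviours a single event exhibits."""
    tags = set()
    if ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]):
        tags.add("autorun_persistence")
    if ev["type"] == "process_create":
        cl = ev["cmdline"]
        if STOP_CMDS.search(cl) and BACKUP_SERVICES.search(cl):
            tags.add("backup_service_kill")
        if SHADOW_DELETE.search(cl):
            tags.add("shadow_copy_delete")
        if LOG_CLEAR.search(cl):
            tags.add("event_log_clear")
        # Self-deletion: a child shell is told to delete its own parent's image file.
        parent = ev.get("parent_image", "")
        if parent and re.search(r"\bdel\b", cl, re.IGNORECASE) and parent.lower() in cl.lower():
            tags.add("self_delete")
    return tags


def detect(events, threshold: int = 3) -> dict:
    """Group behaviours per host and report hosts showing at least `threshold` distinct ones."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {host: sorted(tags) for host, tags in per_host.items() if len(tags) >= threshold}


# Constructed sample telemetry: WS01 shows the full chain, WS02 is routine admin activity.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd", "value": r"C:\Users\Public\upd.exe"},
    {"host": "WS01", "type": "process_create", "parent_image": r"C:\Users\Public\upd.exe",
     "cmdline": "net stop VeeamBackupSvc /y"},
    {"host": "WS01", "type": "process_create", "parent_image": r"C:\Users\Public\upd.exe",
     "cmdline": "sc stop MSSQLSERVER"},
    {"host": "WS01", "type": "process_create", "parent_image": r"C:\Users\Public\upd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "type": "process_create", "parent_image": r"C:\Users\Public\upd.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS01", "type": "process_create", "parent_image": r"C:\Users\Public\upd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "C:\Users\Public\upd.exe"'},
    {"host": "WS02", "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "net stop Spooler"},
    {"host": "WS02", "type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start", "value": "3"},
]

if __name__ == "__main__":
    for host, tags in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(tags)}")
```

In production the per-host grouping would be bounded by a time window, and the `backup_service_kill` check is the one to tune, since legitimate maintenance also stops SQL and backup services; the shadow-copy deletion and log clearing in the same window are what turn it into a confident ransomware signal.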