RHC interviews Qilin Ransomware! “Let’s play fair and wait for a worthy opponent on the field”

RHC Dark Lab : 19 September 2024 07:12

Qilin (from Chinese :麒麟) is a legendary creature that appears in Chinese mythology and is said to appear with the imminent arrival or demise of a sage or illustrious ruler.

The Qilin ransomware is a prime example of the growing complexity of cyber threats. Discovered in 2022, Qilin immediately attracted attention for its ability to target critical sectors such as healthcare and education, particularly in the regions of Africa and Asia. Written in Rust and C, Qilin offers an unprecedented level of customisation that sets it apart from most other ransomware. The operators behind this threat can change the extension of encrypted files, terminate specific processes, and adjust various aspects of the malware’s behaviour to suit victims, making a uniform response difficult.

According to SentinelOne, Qilin’s ransomware campaigns are characterised by a sophisticated modular structure that allows malicious actors to modify operations and select processes to terminate based on the specific target. This kind of flexibility is what makes Qilin particularly insidious, as each attack can be adapted to the victim’s defences, increasing the chances of success.

Behind Qilin is a highly structured and organised criminal organisation, known for targeting numerous victims, including strategically important sectors. Like other ransomware gangs, Qilin uses double extortion tactics: they not only encrypt data, but also threaten to publish it online if a ransom is not paid (second extortion). The group mainly operates on clandestine dark web forums and has proven very adept at evading international law enforcement.

When dealing with these threats, it is crucial to take a strategic and investigative approach by increasing threat detection capabilities and adopting cyber threat intelligence processes.

As we have long maintained, ‘knowing the demons is the first step to fighting them.’ Following this model of which we have long advocated, RedHotCyber constantly conducts interviews with threat actors to help us understand their TTPs and increase our defences accordingly. Delving into the internal dynamics of groups like Qilin allows us not only to anticipate their movements, but also to build stronger and more responsive defences.

As ransomware attacks continue to evolve, it is essential to maintain a proactive and adaptive approach to defend against these complex and customisable threats.

Qilin ransomware interview

1 – RHC : We appreciate you taking the time to talk with us. Your band debuted in 2022 and it seems your name is rooted in Chinese mythology, specifically the qilin (麒麟). There’s a deep meaning behind this name, isn’t there? Could you elaborate on why you chose Qilin?

Qilin: We are happy to answer your questions. Let’s start with ideology. You have correctly understood that the name Qilin has its roots in ancient Chinese philosophy. Like any ancient symbol, Qilin has a whole firework of meanings, each of the lights of which complements the overall picture. You probably know that the appearance of Qilin in ancient China had a very specific meaning. Qilin always appeared before people’s eyes before a great warrior or a great sage was born on Earth. Thus, the Chinese believe that Qilin was seen before Confucius was born. In addition, I would like to draw your attention to the fact that Qilin is a burning dragon, which is often depicted with the body of a buffalo. This is an obvious allusion to the Charging Bull from Wall Street. It is obvious to us that the American bull turns from an attacker into a fleeing one. And you understand perfectly well who he is so afraid of. We are sure that the past hegemons in the form of the USA and the countries of old Europe are losing their influence in the world year after year. Very soon, they will turn from prosperous countries into the “backyard” of the world, torn apart by conflicts and civil wars. And we want to do everything to make this happen as soon as possible. We are supporters of a multipolar world. And our Qilin will very soon be trampled by the Charging Bull of the Western world.

2 – RHC : Is there a connection between your group and any previous actors in the ransomware landscape? Could you be considered an evolution or offshoot of an existing group? Your debut in 2022 was marked by the demise of REvil and its ‘Happy Blog’, an event that left a void in the data leak world.

Qilin : The emergence of Qilin is in no way connected with the collapse of REvil and its “Happy Blog”. Of course, we closely monitor what is happening in our field and we made the right conclusions after the closure of this platform. We do not repeat their mistakes. We employ the best specialists in the world and, of course, we take into account the experience of our predecessors in the implementation of our technological solution.

3 – RHC : How many people, including developers, affiliates, and access brokers, are currently involved in your organization?

Qilin : Sorry but we can’t answer this question. It’s the case of our security. I can only say that our teams work in many states and it is the decentralized structure.

4 – RHC : For a language model company like yours, can you share any information about your annual revenue and how it’s distributed, especially when it comes to affiliates?

Qilin : Again, we are not ready to name specific figures. Heer I can say that we do not earn enough. We work according to the scheme: 80% ges to the attacker, 20% to the service. Most of what we receive ges to support various associations that fight for freedom and independence around the world. This is an excellent motivation for us to increase the volume of our attacks and expand the number of our participants.

5 – RHC : Let’s discuss the initial access points to victims. Does your organization have a dedicated team that identifies vulnerabilities to gain unauthorized access to victim networks, or do you rely on Initial Access Brokers (IABs) for this purpose?

Qilin : I can answer this way: we use all possibilities and in each specific case a specific team chooses the best way to achieve its goal. Sometimes it is easier to contact a broker, but most often we prefer to do everything ourselves. Only in this case we can be completely sure of the final result. In addition, again – these are security issues. As the already mentioned Confucius said – It is better to demand from yourself than to ask from others.

6 – RHC : How long do you typically wait before encrypting data once you’re inside a victim’s network?

Qilin : Heer we can remember another great Chinese thinker, namely Sun Tzu and his art of war. We know how to wait. Of course, everything depends on the specific case and tasks, but we can sit in the victim’s network for weeks: study the movement of business processes, watch how people negotiate within the company… this helps to understand how the victim is used to playing the game and, as a result, win on his field. And of course, we love to watch when all sorts of stupid system administrators try to fix something in their leaky network.

7 – RHC : Let’s discuss your solution. How does your ransomware differentiate itself from other prominent ransomware like LockBit 3.0 or Akira? If you were to explain to a potential affiliate why they should collaborate with you, what technical advantages would you highlight about your solution?

Qilin : I would not like to go into technical details, because each solution has its pros and cons. In addition, it is not ethical. Colleagues worked or work according to their own principles and on their own solutions, we carefully analyze their experience and make our own decisions.

8 – RHC : Can you describe the type of encryption used by your ransomware? How do you ensure that victim files remain inaccessible without the decryption key?

Qilin : Watching some victim try to decipher is a special pleasure. No one has ever succeeded. Besides, we are learning. And heer we would like to address these people. Friends, we are bored! You could not hire more competent specialists. We have never seen anything interesting in their work, simple banalities and the most primitive tools. Your specialists sometimes look like Neanderthals who tied a stone to a stick and hit the safe. Sometimes it is funny, but very often it is just pathetic.

9 – RHC : Your ransomware code, do you start from known codes (such as the Conti code spill), or did you write everything from scratch?

Qilin : I could get offended and end the conversation at this point. We don’t have Zuckerbergs on our team, we don’t steal or buy other people’s developments. I’ll explain using an example that’s accessible to you. You’re walking down the street, a guy comes up to you and gives you a disk “with his songs.” Will you insert it into your computer? What’s the probability that it’s really cool crap? Quite high. What’s the probability that it’s a virus? Even higher. But the highest probability is that it’ll have both music and a virus. How can we trust such a supplier? Where are the guarantees that any code you download from the network hasn’t been compromised? If you want to get something truly unique and interesting, do it yourself.

10 – RHC : Your ransomware seems to come in two different versions-Rust and GoLang. What are the reasons you use both languages and how do you decide which one is best suited for a particular campaign? What are the main challenges you face in developing and maintaining in both Windows and Linux environments?

Qilin : This is a big misconception. We work in Rust and C. The choice of language depends on the specific team of developers who work on the code.

11 – RHC : What can you tell us technically about a classic Qilin infection process? From what we know you use phishing as your initial attack vector which we imagine allows you injection of specific loaders. Do you also work using specific security holes or misconfigurations, such as Remote code Execution or trivial passwords on RDP?

Qilin : If shorlty – we use everything. Viruses, sploits and other tools I don’t want to tell much about.

12 – RHC : 0-day or 1-day vulnerabilities play a crucial role in the success of some attacks. Are you involved in the 0-day market? How much do these vulnerabilities affect your attack strategy?

Qilin : As I said above, we use absolutely everything, including 0-day and 1-day vulnerabilities. We practically do not use the 0-day market, for the reasons described in the answer to question 9. We prefer to search for vulnerabilities ourselves for two reasons. It is safer. It is more fun.

13 – RHC : Can you name us 3 other RaaS that you like and why?

Qilin : In answering this question, I may forget some of my colleagues and thus offend them. I would like to avoid this. All teams and developers have their pros and cons. We have our own path.

14 – RHC : What do you think are the main factors hindering the cybersecurity industry’s ability to effectively prevent and mitigate ransomware threats like yours?

Qilin : If there is a door, we will find the key. Also, I don’t understand the meaning of the word “mitigate” in this context. We often see stupid cybersecurity services trying to “mitigate” a hack. But if the deed is done, how can it be neutralized? There is only one piece of advice – learn. We play fair and wait for a worthy opponent on the field, but too often we encounter incompetence and outright stupidity of cybersecurity services. Of course, we are satisfied with this situation. But in this case, another question arises. Why do companies spend so much money on the work of unskilled fools? Maybe it is better to agree with us right away?

15 – RHC : Your group is known to target healthcare organizations. Could you explain the reasons behind your program and what goals drive you to focus attacks in this area while also knowing that particular incidents can lead to loss of life?

Qilin : This is not true. We do not “to target healthcare organizations”. If you look past the headlines of the sales media and study our work closely, you will understand that we do not focus on any particular industry.

16 – RHC : In light of your group’s recent attacks on NHS hospitals in the United Kingdom, you have publicly stated that you have no regrets and do not consider yourselves guilty. You have justified these actions as politically motivated, claiming that the British government is neglecting the needs of those fighting on the front lines in the free world. Can you clarify the apparent contradiction between financial motivations and political justifications for these attacks? Are these actions an isolated incident or do they represent a broader shift in your group’s goals and tactics?

Qilin : If we talk about a specific attack on NHS hospitals, then in this case we gave the right to comment on our work to the authors of this attack, they were very talented guys from Ukraine. As I have already said, many teams from all over the world work with us. For example, we provide software to the Yemeni Houthis. It was a revelation for us, but they have very talented guys. I will tell you the same as politicians say: we simply provide a tool, software that is used by a variety of guys around the world. Let me give you an example. The governments of Great Britain, the USA, Germany and many other countries today supply weapons to the same Ukraine. This is a tool for solving the political problems of a specific country. When these countries send weapons to Ukraine, do they think about civilian casualties? About the fact that these weapons will also kill civilians in Donbass? Of course not. This is incredibly annoying. We live in a world where one life of a resident of Great Britain is worth more than a hundred, a thousand lives of residents of Eritrea, the Gaza Strip, Pakistan… it’s just an endless list! But the entire “civilized world” is only concerned about the fact that medical students were forced to carry test tubes of urine from London residents from one hospital to another.

17 – RHC : Security professionals have recently identified new techniques employed by your group for credential harvesting. In particular, your group is specializing in extracting credentials stored in Google Chrome after patiently infiltrating victims’ networks. Do you think this approach is more profitable and efficient? Is this data also subsequently used to support your group’s monetization model?

Qilin : I answer shortly – we use everything.

18 – RHC : While much of the public discussion about ransomware groups and black-hat activities focuses on your actions, we are curious about your personal experience with this lifestyle. How do you handle the pressures and challenges associated with this work? Do you plan to continue working in this field in the long term or do you plan a different path? For example, some gangs (recently Alpha/Blackat) have made an unexpected Exit. Do you enjoy your work as a RaaS member or is it just a way to earn money?

Qilin : We don’t feel any pressure, we’re doing great. We’re living our best lives and enjoying every day. Of course, it’s a way to make money. Another question is how you use that money. Money is not our main goal. As I said, we give most of the money to freedom and independence fighters around the world. As for the prospects, it’s very difficult to talk about that. We’re working successfully and plan to continue and expand our activities. I can’t say anything about other teams, because I don’t know. I can only say that many teams are now destroyed, and we are working and thriving.

19 – RHC : Following the Promises2Kids attack, your group faced a significant media backlash. How do you assess the financial gains from these attacks compared to the potential harm to vulnerable populations such as children in foster care? How has your group responded to these criticisms and challenges?

Qilin : The media only sees and shows what is profitable. Poor kids, potential harm, blah blah blah… Anger, compassion, a small tear and a loud, horse-like neigh after 10 minutes – that’s what modern media is. Trigger, swipe, trigger, swipe and so on ad infinitum. Brain masturbation – that’s modern media.
Check out our other cases. We collaborate with the guys from wikileaksv2 – find their site and see how they analyze some of the cases. In the published archives you can find SOMETHING that will make your hair stand on end. I myself have read several articles there and I understand that hacking is the best thing that could happen to some companies. And your favorite “authoritative media” always see only the cover. A beautiful headline, 5 lines of text and move on. None of them studied what exactly is in the published archives. Who needs it? Deep research is long and expensive. They wrote about sick children, caused a primordial trigger in the reader and forgot about it 10 minutes later. This is a disgusting situation that social networks and modern media have driven us into. No one understands, no one gets to the heart of the matter. I will reveal a terrible secret to you – no one cares about these children. Both the media and the readers.

20 – RHC : DarkLab, the cyber threat intelligence group at Red Hot Cyber, has identified a growing trend of ransomware operators targeting supply chains. Qilin’s recent attack on Thonburi Energy Storage Systems, a Mercedes partner, exemplifies this approach. Do you find that targeting supply chains is more profitable and easier than directly attacking larger companies? In your experience, what factors contribute to the growing popularity of attacks on supply chains?

Qilin : There is a good idiom about it: a chain is only as strong as its weakest link. You can spend six months and break Mercedes but why spend so many resources? “Supreme excellence consists of breaking the enemy’s resistance without fighting.” ― Sun Tzu, The Art of War.

21 – RHC : If a company does not pay the ransom, what do you do? In addition to posting data on your Data Leak Site, do you conduct private auctions for particularly valuable data, such as health data? Can you tell us about your monetization tactics in case a ransom is not paid?

Qilin : Our main principle is honesty. We never deceive our victims, we do not demand ransom two or three times. The victim does not buy their data from us. They buy the opportunity to prevent this data from falling into the wrong hands. If we receive a refusal, then of course, we use all the tools to get the maximum profit. We can sell the data at auction, we can directly contact the victim’s competitors, we can publish the received data and completely destroy the company’s reputation. Frankly, we do not care whether the victim pays us or not. It is in their interests. If not, we will find the best way to use this information.

22 – RHC : If you had to tell a company which way to start in order to be resilient to cyber attacks what would you recommend?

Qilin : The main advice is to set a budget for the payment, or even better – to act first and agree with us in advance. We can sell immunity to the attack. It’s like a Covid-19 vaccine, only 100% effective and without complications.

23 – RHC : With the introduction of stricter standards such as NIS2 in Europe, governments are providing stricter rules to anticipate future attacks especially on critical infrastructure. Post-quantum cryptography is also beginning to be discussed. Do you think this will hinder your work in any way?

Qilin : We are also really looking forward to the emergence of post-quantum cryptography, because we want to study this tool and of course we will use it in attacks in the future. As for the work of governments and “stricter rules” – this is just ridiculous. While they are adopting their rules and laws, we will already have come up with ten ways to bypass this protection. Although most likely, they will not be able to show us anything new.

24 – RHC : How does your revenue sharing work with your affiliates? We had read that you retain 15% of the redemptions. Has anything changed to date and is it still a flat fee?

Qilin : Partners receive 80% to their wallets. They can indicate their crypro wallets in the lettes so everything is extremely honest with us. We receive a modest 20%.

25 – RHC : What is the long term vision for Qilin? Do you plan to expand your activities to other industries or geographical regions? What new things will the future hold?

Qilin : Wait. We have some ideas that will surprise you. And that’s putting it mildly. We are currently working on several promising developments.

26 – RHC : Thank you very much for your availability. We are doing these interviews to make our readers understand that cybersecurity is a purely technical subject and that in order to be able to win the fight against cybercrime you need to be stronger than you, who are notoriously often one step ahead of everyone. Is there anything you would like to say to our readers, or to potential victims of your operations?

Qilin : Thank you for your questions. Unlike other “famous media” you approached this interview with a cool head. I really hope that you will behave honestly when publishing. As for wishes. I have already outlined several times how potential victims of our attacks should behave. Prepare your dirty money, we will take it soon.