Qilin (cybercrime group) explained
Qilin is a Russian-speaking cybercrime organisation that has been linked to a number of incidents, including a June 2024 ransomware attack that disrupted hospitals in London.[1][2]
Trend Micro first reported on the group in August 2022, when it was promoting a ransomware strain called Agenda that affiliates could customise for each victim.[3] At the time the malware was written in Go, and Trend Micro noted that its source code resembled that of the Black Basta, BlackMatter and REvil families.[3]
History
In December 2022, a version of Agenda rewritten in Rust appeared.[4]
Group-IB said it had infiltrated the group in March 2023 and that affiliates keep about 80 to 85% of each ransom payment.[4]
In 2023, Qilin attacks included the following:
- Thornburi Energy Storage Systems, a battery manufacturer in Thailand
- WT Partnership Asia, a construction consultancy
- Yanfen, a Chinese car parts manufacturer; the attack disrupted operations at the car maker Stellantis
In 2024, Qilin was named in the following attacks:
- Upper Merion Township in the United States was the victim of a ransomware attack in which Qilin claimed to have stolen 500 GB of data, including staff information and private contracts.[5]
- Felda Global Ventures Holdings Berhad in Malaysia was also attacked.
- The UK-based charity The Big Issue had 550 GB of data stolen, including personnel information, contracts and partner data.
- The US business Skender Construction had 651 GB of data stolen, affecting 1,067 people; the data included names, addresses, dates of birth, payment details, passport details and potentially health information.
- In June 2024, several London hospitals declared a critical incident when a ransomware attack affected their systems.
References
- [1] Hern, Alex (5 June 2024). "Who are Qilin, the cybercriminals thought behind the London hospitals hack?". The Guardian. ISSN 0261-3077. Retrieved 5 June 2024.
- [2] "Qilin ransomware gang likely behind crippling NHS attack". ComputerWeekly.com. Retrieved 5 June 2024.
- [3] Lakshmanan, Ravie (29 August 2022). "New Golang-based 'Agenda Ransomware' Can Be Customized For Each Victim". The Hacker News. Retrieved 25 June 2024.
- [4] Lakshmanan, Ravie (16 May 2023). "Inside Qilin Ransomware: Affiliates Take Home 85% of Ransom Payouts". The Hacker News. Retrieved 25 June 2024.
- [5] "Street newspaper appears to have Big Issue with Qilin ransomware gang" (1 June 2024). Retrieved 5 June 2024.