This is how an insider ransomware cybercriminal gang works


Cybersecurity researchers have infiltrated the management dashboard of a group of cybercriminals specializing in ransomware. These attackers operate much like any software-as-a-service vendor.

Group-IB cybersecurity researchers have managed to infiltrate the management software of Qilin, a gang specializing in ransomware. They describe the group's methods in a report published on May 15 on their site. The researchers do not explain how they gained access to the criminals' tools. They do note, however, that the collective is actively recruiting.

The Qilin collective is organized around a so-called “ransomware-as-a-service” model, which is increasingly used by cybercriminals. Concretely, the malware is rented out by the managers of the “product” – much as Adobe or Microsoft would license software – and the attacks are carried out by affiliates, who pay the operators a commission once the ransom is paid. The group therefore includes developers in charge of maintaining and updating the software, and the “customers” who rent and deploy it.

Qilin hackers reportedly start their attacks with phishing emails carrying booby-trapped attachments. So far, nothing surprising. Once the attacker has gained initial access, they typically move laterally through the victim's infrastructure, looking for critical data to lock down. The cybercriminals also have the ability to quickly shut down the victim's workstations if the victim detects and reacts to the threat. During this process of capturing files and folders, the hackers leave a ransom note with instructions for recovering the stolen files.

Qilin affiliates have access to an attack management dashboard provided by the operators. This software works like any ordinary service, with credentials issued to customers. Affiliates can then register their victim's files, publish an announcement claiming the attack and the amount demanded, and even open a chat channel to negotiate with the victim.

The Qilin ransomware management dashboard. // Source: Group-IB

Affiliates also have access to support and documentation in an FAQ section, which details the types of infection, recommendations for using the malware, additional information on targets, and so on.

A commission on winnings

According to the report, affiliates pocket 80% of ransoms of $3 million or less. For any payout over $3 million, affiliates receive 85%. This is a common split in ransomware circles: affiliates of the BlackCat gang reportedly receive between 80% and 90% of ransoms. The entry and rental price is usually between 500 and 1,500 dollars (approximately 460 to 1,400 euros).

This ransomware-as-a-service group emerged in July 2022, attacking healthcare organizations, tech companies and other businesses around the world. In less than a year, the criminals claimed at least 12 victims in Canada, the United States, Colombia, France, the Netherlands, Serbia, the United Kingdom and Japan. The group explicitly tells its affiliates not to attack Eastern European countries.

The number of victims is still low compared to the most active groups: LockBit is said to have targeted more than 1,500 organizations around the world. This report nonetheless shows that the “ransomware-as-a-service” model continues to grow, with small groups emerging that are ready to offer new tooling to the cybercrime ecosystem.
