Author of Ransomware Defense Initiative (RDI) Framework.
Table of Contents
The Qilin ransomware, also known as Agenda, is a serious threat to organizations worldwide, especially those in the healthcare sector. This document provides an analysis of Qilin ransomware and details how the Ransomware Defense Initiative (RDI) can be used to protect organizations against such threats. The RDI framework offers a structured approach to mitigate ransomware risks through a set of Foundational, Advanced, and Elite controls.
Understanding Qilin (Agenda) Ransomware
Qilin, a RaaS (ransomware-as-a-service) operation, teams up with attackers to launch ransomware assaults. It encrypts and exfiltrates data from targeted organizations, demanding a ransom for decryption and to prevent data leakage. First observed in July 2022, it is written in Rust1 and Golang2 languages, which supports multiple encryption modes, making it harder to detect and analyze.
Rust: A cross-platform programming language used by Qilin along with other nefarious ransomware gangs such as Hive, Blackcat, Luna, etc. Threat actors are increasingly using the programming language as it is more difficult to analyze and has a lower detection rate by antivirus engines.
Golang: A cross-platform programming language used by Qilin and several other threat actors, which is widely popular for its versatility as it eliminates the need to rewrite the malware code for different operating systems.
Despite its name deriving from a mythical Chinese creature, the Qilin ransomware group is believed to be linked to Russia. The ransomware operation has been active, targeting high-value organizations including healthcare and education sectors, with some victims identified such as The Big Issue, Yanfeng, and Synnovis:
The Big Issue: Qilin targeted The Big Issue, stealing 550 GB of confidential data, including personal information of top executives and staff. The group leaked sensitive documents on their DLS (Dedicated Leak Site), but the publication and distribution of the newspaper were not disrupted.
Synnovis: A major ransomware attack on Synnovis led to a critical incident declaration at several London hospitals. Qilin demanded a $50 million ransom for decryption and non-release of stolen data. The attack caused massive disruption to healthcare services, with thousands of surgeries and appointments canceled and blood testing services significantly reduced.
US Healthcare: More than half a million US radiology patients had their data stolen in an April attack. Qilin demanded $50 million but published millions of patient records on the dark web after the ransom was not paid.
Attack Methodology
Here’s a breakdown of Qilin’s attack methodology, outlining the different stages it uses to infiltrate, compromise, and extort targeted systems:
Initial Access: Primarily through phishing and spear-phishing emails.
Exploiting Vulnerabilities: Leveraging exposed applications and interfaces like Citrix and RDP.
Double Extortion: Demanding ransom for both decryption and non-release of stolen data.
Customization: Capable of changing filename extensions and terminating specific processes/services.
Tools Used: Remote Monitoring and Management (RMM) tools, Cobalt Strike, PsExec, and SecureShell. Uses different vulnerable SYS drivers for defense evasion.
Detection and Mitigation of Qilin Ransomware
Combatting Qilin requires a layered approach. This section outlines various detection techniques to identify potential detection and mitigation strategies to minimize the impact of an attack, should it occur.
Detection Techniques
Security Tools:
XDR and other advanced anti-malware software to detect and prevent ransomware behaviors.
Network Traffic Monitoring:
Identifying unusual network patterns or communications with command-and-control servers.
Security Audits:
Regular security assessments to identify and address vulnerabilities.
Employee Education:
Training staff to recognize and report phishing attempts and other suspicious activities.
Mitigation Strategies
Employee Education:
Continuous training on cybersecurity best practices and threat awareness.
Strong Password Policies:
Enforce strong, unique passwords and regular password changes.
Multi-Factor Authentication (MFA):
Enable MFA for all user accounts to add an extra layer of security.
Regular Updates and Patch Management:
Ensure all systems and software are up-to-date with the latest patches.
Network Segmentation:
Restrict lateral movement within the network through effective segmentation.
Encryption:
Encrypt sensitive data to protect it from unauthorized access during an attack.
Ransomware Defense Initiative (RDI)
The RDI provides a structured approach to mitigate ransomware risks through a set of controls divided into Foundational, Advanced, and Elite levels.
22. Secure Communications/Secure Protocols/Secure File Transfer Protocols
23. Use Encryption
24. Implement Security Policies
25. Conduct Regular Security Assessments
26. Phishing Incident Response Plan
27. Role-Based Access Control
Advanced Controls
1. Security Testing and Red Teaming Exercises
2. Threat Intelligence
3. Security Information and Event Management (SIEM)
4. Network Traffic Analysis (NTA)
5. APT Detection and Response
6. URL Reputation
7. Application Security Testing Tools
8. Digital Signature and Trust Verification
9. MFA
10. EDR
11. Application Whitelisting
12. Network Sandboxing
13. File Integrity Monitoring
14. IDS/IPS
15. Browser Isolation or Virtual Browser Solutions
16. Network Access Control (NAC)
17. SOAR
18. Network Segmentation
19. Network Detect and Respond (NDR)
20. Runtime Application Self-Protection (RASP)
21. Implementing DevSecOps
22. Deception Techniques
23. Email Encryption
24. Software Bill of Materials (SBOM)
25. Vendor Security Management Program
26. Third-Party Security Assessment
27. Background Checks
28. Privilege Access Management (PAM)
29. Data Loss Prevention (DLP)
30. Identity and Access Management (IAM)
Elite Controls
1. Advanced Threat Intelligence
2. Continuous Monitoring
3. Artificial Intelligence and Machine Learning
4. Behavioral Analysis
5. Memory-Based Analysis
6. Network Forensics
7. User and Entity Behavior Analytics (UEBA)
8. Behavioral Biometrics
9. Software-Defined Perimeter (SDP)
10. Zero-Trust Architecture
11. Quantum-Resistant Security
12. Threat Hunting
13. Blockchain for Security
14. Biometric-Based Authentication
15. Advanced Phishing-Aware Web Browsers
Mapping RDI to Mitigation Strategies for Qilin Ransomware
This section demonstrates how various RDI controls map to mitigation strategies against Qilin ransomware attacks. We’ll explore how Foundational, Advanced, and Elite controls outlined by the RDI framework can be implemented to address Qilin’s specific tactics.
Foundational Controls
Apply Patches and Updates:
Regular updates and patch management directly align with RDI’s foundational control to apply patches and updates.
Security Awareness:
Employee education and training are part of RDI’s foundational controls, enhancing awareness of phishing and social engineering attacks.
Anti-Phishing Software and Spam Filters:
Implementing anti-phishing software and email content filtering helps detect and mitigate phishing attempts.
Vulnerability Scanning and Regular Security Assessments:
Conducting regular security audits to identify and remediate vulnerabilities aligns with RDI’s foundational controls.
Advanced Controls
Multi-Factor Authentication (MFA):
Enabling MFA for all user accounts is a key advanced control within the RDI framework.
Security Information and Event Management (SIEM):
Using SIEM systems to monitor and analyze security events for unusual patterns.
Endpoint Detection and Response (EDR):
Deploying EDR solutions to detect and respond to threats on endpoints.
Network Traffic Analysis (NTA):
Monitoring network traffic for unusual activity that might indicate a ransomware attack.
Elite Controls
Artificial Intelligence and Machine Learning:
Leveraging AI and ML for advanced threat detection and response.
Behavioral Analysis and User Entity Behavior Analytics (UEBA):
Using behavioral analysis to identify anomalies and potential threats.
Continuous Monitoring and Advanced Threat Intelligence:
Implementing continuous monitoring and using advanced threat intelligence to stay ahead of emerging threats.
Zero-Trust Architecture:
Adopting a zero-trust security model to minimize the risk of ransomware spread.
Actionable Strategy for Implementing RDI Recommendations
Moving from theory to practice, this section outlines an actionable strategy for implementing the RDI recommendations to effectively combat Qilin ransomware. It details a step-by-step approach, from initial risk assessment to ongoing improvement, ensuring a comprehensive defense posture.
Conduct a Risk Assessment:
Evaluate the current security posture and identify areas for improvement using RDI controls.
Prioritize Foundational Controls:
Ensure all foundational controls are implemented, such as patch management, security awareness training, and anti-phishing measures.
Integrate Advanced Controls:
Deploy advanced controls like MFA, SIEM, and EDR to enhance detection and response capabilities.
Adopt Elite Controls for Enhanced Security:
Implement elite controls such as AI-based detection, continuous monitoring, and zero-trust architecture for comprehensive protection.
Regular Training and Simulations:
Conduct regular training sessions and simulated attacks to keep employees aware and prepared.
Continuous Improvement:
Regularly review and update security policies and practices to adapt to evolving threats.
Conclusion
The Ransomware Defense Initiative (RDI) provides a referenceable framework for detecting and mitigating ransomware attacks, including those from sophisticated groups like QILIN. By leveraging the controls specified in the RDI, organizations can strengthen their defenses, stay ahead of evolving threats, and ensure a resilient security posture. While recovery controls such as backup strategies and incident response are crucial, the RDI’s focus on detection and mitigation ensures that organizations can proactively manage and reduce the risk of ransomware incidents.