Qilin (Agenda) Ransomware and Ransomware Defense Initiative (RDI)

RDI RANSOMWARE DEFENSE INITIATIVE

Qilin (Agenda) Ransomware and Ransomware Defense Initiative (RDI)

Edgar Rojas

Author of Ransomware Defense Initiative (RDI) Framework.

Table of Contents

The Qilin ransomware, also known as Agenda, is a serious threat to organizations worldwide, especially those in the healthcare sector. This document provides an analysis of Qilin ransomware and details how the Ransomware Defense Initiative (RDI) can be used to protect organizations against such threats. The RDI framework offers a structured approach to mitigate ransomware risks through a set of Foundational, Advanced, and Elite controls.

Understanding Qilin (Agenda) Ransomware

Qilin, a RaaS (ransomware-as-a-service) operation, teams up with attackers to launch ransomware assaults. It encrypts and exfiltrates data from targeted organizations, demanding a ransom for decryption and to prevent data leakage. First observed in July 2022, it is written in Rust1 and Golang2 languages, which supports multiple encryption modes, making it harder to detect and analyze.

  1. Rust: A cross-platform programming language used by Qilin along with other nefarious ransomware gangs such as Hive, Blackcat, Luna, etc. Threat actors are increasingly using the programming language as it is more difficult to analyze and has a lower detection rate by antivirus engines.
  2. Golang: A cross-platform programming language used by Qilin and several other threat actors, which is widely popular for its versatility as it eliminates the need to rewrite the malware code for different operating systems.

Despite its name deriving from a mythical Chinese creature, the Qilin ransomware group is believed to be linked to Russia. The ransomware operation has been active, targeting high-value organizations including healthcare and education sectors, with some victims identified such as The Big Issue, Yanfeng, and Synnovis:

  • The Big Issue: Qilin targeted The Big Issue, stealing 550 GB of confidential data, including personal information of top executives and staff. The group leaked sensitive documents on their DLS (Dedicated Leak Site), but the publication and distribution of the newspaper were not disrupted.
  • Synnovis: A major ransomware attack on Synnovis led to a critical incident declaration at several London hospitals. Qilin demanded a $50 million ransom for decryption and non-release of stolen data. The attack caused massive disruption to healthcare services, with thousands of surgeries and appointments canceled and blood testing services significantly reduced.
  • US Healthcare: More than half a million US radiology patients had their data stolen in an April attack. Qilin demanded $50 million but published millions of patient records on the dark web after the ransom was not paid.

Attack Methodology

Here’s a breakdown of Qilin’s attack methodology, outlining the different stages it uses to infiltrate, compromise, and extort targeted systems:

  • Initial Access: Primarily through phishing and spear-phishing emails.
  • Exploiting Vulnerabilities: Leveraging exposed applications and interfaces like Citrix and RDP.
  • Double Extortion: Demanding ransom for both decryption and non-release of stolen data.
  • Customization: Capable of changing filename extensions and terminating specific processes/services.
  • Tools Used: Remote Monitoring and Management (RMM) tools, Cobalt Strike, PsExec, and SecureShell. Uses different vulnerable SYS drivers for defense evasion.

Detection and Mitigation of Qilin Ransomware

Combatting Qilin requires a layered approach. This section outlines various detection techniques to identify potential detection and mitigation strategies to minimize the impact of an attack, should it occur.

RDI RANSOMWARE DEFENSE INITIATIVE

Detection Techniques

  1. Security Tools:
    • XDR and other advanced anti-malware software to detect and prevent ransomware behaviors.
  2. Network Traffic Monitoring:
    • Identifying unusual network patterns or communications with command-and-control servers.
  3. Security Audits:
    • Regular security assessments to identify and address vulnerabilities.
  4. Employee Education:
    • Training staff to recognize and report phishing attempts and other suspicious activities.

Mitigation Strategies

  1. Employee Education:
    • Continuous training on cybersecurity best practices and threat awareness.
  2. Strong Password Policies:
    • Enforce strong, unique passwords and regular password changes.
  3. Multi-Factor Authentication (MFA):
    • Enable MFA for all user accounts to add an extra layer of security.
  4. Regular Updates and Patch Management:
    • Ensure all systems and software are up-to-date with the latest patches.
  5. Network Segmentation:
    • Restrict lateral movement within the network through effective segmentation.
  6. Encryption:
    • Encrypt sensitive data to protect it from unauthorized access during an attack.

Ransomware Defense Initiative (RDI)

The RDI provides a structured approach to mitigate ransomware risks through a set of controls divided into Foundational, Advanced, and Elite levels.

Foundational Controls

1. Web Application Firewall (WAF)

2. Security Logging and Monitoring Controls

3. Vulnerability Scanning

4. Email Authentication Protocols

5. Monitoring Social Media and other platforms

6. Software and Firmware Security Standards

7. Web Filtering

8. Browser Extensions

9. Anti-Virus and Anti-Malware software

10. Apply Patches and Updates

11. Network Segmentation in the DMZ

12. Security Awareness

13. Use Security Software on Mobile Devices

14. Enabling Host-Based Firewalls

15. DNS Security

16. 2FA

17. Secure Remote Access

18. Network Security Controls (Firewalls/VPNS/Proxy servers)

19. Anti-Phishing Software

20. Spam Filters/Email Content Filtering

21. Conduct Vendor Risk Assessments

22. Secure Communications/Secure Protocols/Secure File Transfer Protocols

23. Use Encryption

24. Implement Security Policies

25. Conduct Regular Security Assessments

26. Phishing Incident Response Plan

27. Role-Based Access Control

Advanced Controls

1. Security Testing and Red Teaming Exercises

2. Threat Intelligence

3. Security Information and Event Management (SIEM)

4. Network Traffic Analysis (NTA)

5. APT Detection and Response

6. URL Reputation

7. Application Security Testing Tools

8. Digital Signature and Trust Verification

9. MFA

10. EDR

11. Application Whitelisting

12. Network Sandboxing

13. File Integrity Monitoring

14. IDS/IPS

15. Browser Isolation or Virtual Browser Solutions

16. Network Access Control (NAC)

17. SOAR

18. Network Segmentation

19. Network Detect and Respond (NDR)

20. Runtime Application Self-Protection (RASP)

21. Implementing DevSecOps

22. Deception Techniques

23. Email Encryption

24. Software Bill of Materials (SBOM)

25. Vendor Security Management Program

26. Third-Party Security Assessment

27. Background Checks

28. Privilege Access Management (PAM)

29. Data Loss Prevention (DLP)

30. Identity and Access Management (IAM)

Elite Controls

1. Advanced Threat Intelligence

2. Continuous Monitoring

3. Artificial Intelligence and Machine Learning

4. Behavioral Analysis

5. Memory-Based Analysis

6. Network Forensics

7. User and Entity Behavior Analytics (UEBA)

8. Behavioral Biometrics

9. Software-Defined Perimeter (SDP)

10. Zero-Trust Architecture

11. Quantum-Resistant Security

12. Threat Hunting

13. Blockchain for Security

14. Biometric-Based Authentication

15. Advanced Phishing-Aware Web Browsers

RDI RANSOMWARE DEFENSE INITIATIVE

Mapping RDI to Mitigation Strategies for Qilin Ransomware

This section demonstrates how various RDI controls map to mitigation strategies against Qilin ransomware attacks. We’ll explore how Foundational, Advanced, and Elite controls outlined by the RDI framework can be implemented to address Qilin’s specific tactics.

Foundational Controls

  1. Apply Patches and Updates:
    • Regular updates and patch management directly align with RDI’s foundational control to apply patches and updates.
  2. Security Awareness:
    • Employee education and training are part of RDI’s foundational controls, enhancing awareness of phishing and social engineering attacks.
  3. Anti-Phishing Software and Spam Filters:
    • Implementing anti-phishing software and email content filtering helps detect and mitigate phishing attempts.
  4. Vulnerability Scanning and Regular Security Assessments:
    • Conducting regular security audits to identify and remediate vulnerabilities aligns with RDI’s foundational controls.

Advanced Controls

  1. Multi-Factor Authentication (MFA):
    • Enabling MFA for all user accounts is a key advanced control within the RDI framework.
  2. Security Information and Event Management (SIEM):
    • Using SIEM systems to monitor and analyze security events for unusual patterns.
  3. Endpoint Detection and Response (EDR):
    • Deploying EDR solutions to detect and respond to threats on endpoints.
  4. Network Traffic Analysis (NTA):
    • Monitoring network traffic for unusual activity that might indicate a ransomware attack.

Elite Controls

  1. Artificial Intelligence and Machine Learning:
    • Leveraging AI and ML for advanced threat detection and response.
  2. Behavioral Analysis and User Entity Behavior Analytics (UEBA):
    • Using behavioral analysis to identify anomalies and potential threats.
  3. Continuous Monitoring and Advanced Threat Intelligence:
    • Implementing continuous monitoring and using advanced threat intelligence to stay ahead of emerging threats.
  4. Zero-Trust Architecture:
    • Adopting a zero-trust security model to minimize the risk of ransomware spread.

Actionable Strategy for Implementing RDI Recommendations

Moving from theory to practice, this section outlines an actionable strategy for implementing the RDI recommendations to effectively combat Qilin ransomware. It details a step-by-step approach, from initial risk assessment to ongoing improvement, ensuring a comprehensive defense posture.

  1. Conduct a Risk Assessment:
    • Evaluate the current security posture and identify areas for improvement using RDI controls.
  2. Prioritize Foundational Controls:
    • Ensure all foundational controls are implemented, such as patch management, security awareness training, and anti-phishing measures.
  3. Integrate Advanced Controls:
    • Deploy advanced controls like MFA, SIEM, and EDR to enhance detection and response capabilities.
  4. Adopt Elite Controls for Enhanced Security:
    • Implement elite controls such as AI-based detection, continuous monitoring, and zero-trust architecture for comprehensive protection.
  5. Regular Training and Simulations:
    • Conduct regular training sessions and simulated attacks to keep employees aware and prepared.
  6. Continuous Improvement:
    • Regularly review and update security policies and practices to adapt to evolving threats.

Conclusion

The Ransomware Defense Initiative (RDI) provides a referenceable framework for detecting and mitigating ransomware attacks, including those from sophisticated groups like QILIN. By leveraging the controls specified in the RDI, organizations can strengthen their defenses, stay ahead of evolving threats, and ensure a resilient security posture. While recovery controls such as backup strategies and incident response are crucial, the RDI’s focus on detection and mitigation ensures that organizations can proactively manage and reduce the risk of ransomware incidents.