Full Report
The ransomware landscape is undergoing a turbulent realignment, marked by collapses, takeovers, and unexpected internal betrayals.
Analysis Summary
# Threat Actor: Qilin
## Attribution & Identity
**Primary Identification:** Qilin (A rising Ransomware-as-a-Service (RaaS) group).
**Known Aliases/Associations:** The context suggests Qilin is actively capitalizing on:
* The collapse/disappearance of **RansomHub**.
* The apparent absorption of infrastructure/affiliates from other collapsing/breached groups like **RansomHub**, **LockBit**, **Everest**, and **BlackLock** (rebranding of Eldorado/Mamona).
## Activity Summary
Qilin is presented as the primary beneficiary of the recent turbulent realignment in the ransomware ecosystem. They are operating a technically mature RaaS model. Their primary activity is taking over operational space vacated by groups like RansomHub and expanding their presence across forums and activity trackers. They are positioning themselves as a full-service cybercrime platform, offering technical capabilities alongside auxiliary services.
## Tactics, Techniques & Procedures
- **Malware Composition:** Payloads built using Rust and C.
- **Evasion:** Utilizing advanced evasion features in their loaders.
- **Operational Security:** Offering affiliates features for Safe Mode execution, network spreading (Lateral Movement), log cleanup (Indicator Removal), and automated negotiation tools.
- **Impact via Encryption:** Employing hypervisor directory encryption, specifically targeting **ESXi and Nutanix** environments.
- **Data Targeting:** Broad sweep targeting database and container data.
- **Persistence/Notification:** Injecting ransom demands into the system’s **/etc/motd** (Message of the Day) upon user login, alongside dropping traditional ransom notes.
**Associated MITRE ATT&CK IDs (Mapped to Qilin activity):**
| Tactic | Technique ID & Name |
| :--- | :--- |
| Execution | T1569.002 – System Services: Service Execution |
| Defense Evasion | T1070.004 – Indicator Removal: File Deletion |
| Defense Evasion | T1070.001 – Indicator Removal: Clear Windows Event Logs |
| Defense Evasion | T1218 – System Binary Proxy Execution |
| Discovery | T1087 – Account Discovery |
| Discovery | T1120 – Peripheral Device Discovery |
| Lateral Movement | T1675 – ESXi Administration Command |
| Impact | T1486 – Data Encrypted for Impact |
| Impact | T1490 – Inhibit System Recovery |
## Targeting
- **Sectors:** Environments utilizing virtualization (ESXi and Nutanix) are specifically targeted, alongside general targets that hold databases and containers.
- **Geography:** Not explicitly detailed, but implied global reach due to RaaS model.
- **Victims:** Victims of predecessor/rival groups are at risk of being absorbed under Qilin’s operational umbrella. Specific victims are not named in relation to Qilin's actions, but the ecosystem shift implies all prior targets are now threatened by this evolving structure.
## Tools & Infrastructure
- **Malware Families Used:** Qilin Ransomware payload (built in Rust/C).
- **Infrastructure:**
- **IP Addresses (Defanged):**
- `185[.]208.156[.]157` (FTP data share)
- `185[.]196.10[.]19` (FTP data share)
- `80[.]64.16[.]87` (Wikileaksv2)
- **Additional Services:** Spam services, PB-scale data storage, and a full affiliate panel.
## Implications
Qilin represents the "next generation" of RaaS providers, offering a more technically robust and "full-service" platform following the collapse of major competitors. Their use of Rust/C payloads and technical focus on virtualization (ESXi/Nutanix) suggests high operational capacity and potential for catastrophic impact on environments with large virtualized footprints. The instability in the threat landscape means affiliates from collapsed groups are migrating to mature platforms like Qilin.
## Mitigations
- Harden configurations specifically against ESXi/Nutanix attacks (T1675).
- Monitor `/etc/motd` for unauthorized changes to prevent persistent ransom communication.
- Implement robust measures to detect file deletion and log clearing (T1070.*) as Qilin actively attempts to cover tracks prior to impact.
- Maintain offline, immutable backups to counter impact methods (T1486, T1490).