Last Week in Ransomware: 10.28.2024

Last week in ransomware news we saw a new Qilin.B ransomware variant with improved encryption and evasion, an Akira payload targeting ESXi, and a Casio attack delaying deliveries...

New Qilin.B Ransomware Variant

A new Rust-based variant of Qilin ransomware, dubbed 'Qilin.B,' has been identified by Halcyon researchers. It features enhanced encryption and evasion tactics.

This variant encrypts files with AES-256-CTR (using AES-NI on CPUs that support it) and falls back to ChaCha20 on older systems, and it protects the symmetric keys with RSA-4096, so files cannot be decrypted without the attackers' RSA private key.

The ransomware disables key services like Veeam, SQL databases, and antivirus tools, wipes volume shadow copies to prevent recovery, and clears Windows Event Logs to hinder forensic analysis.

Qilin.B targets local and network directories, leaving ransom notes in each affected folder. It also modifies the Windows Registry to enable network drive sharing, so that mapped network drives are reachable from the encryptor and its reach extends beyond the local host. These features make it particularly dangerous for large organizations, as shown by earlier Qilin attacks on hospitals, Court Services Victoria, and Yanfeng.

Originally operating as Agenda, the Qilin group transitioned into a Ransomware-as-a-Service (RaaS) model in 2022. Its payloads have been written in Go and Rust and target both Windows and Linux systems; Rust's cross-platform toolchain lets one codebase serve both platforms.

The ransomware's affiliates gain initial access by exploiting vulnerable applications and exposed services such as Remote Desktop Protocol (RDP), then harvest credentials, including with PowerShell scripts that extract credentials saved in the Chrome browser.

Qilin follows a double extortion model, encrypting victims' data and threatening to leak it if ransom demands are unmet. Affiliates keep 80% of ransom payments up to $3 million and 85% of payments above that threshold, with typical demands ranging from $50,000 to $800,000.

Qilin’s focus on high-value targets, especially in healthcare and education sectors, has led to significant disruptions. By 2024, the group had claimed over 150 victims, including UK healthcare provider Synnovis, which caused major disruptions in the NHS. Other victims include Big Issue Group, Ditronics Financial Services, and ASIC S.A., among others.


Akira’s Rust Payload Targets ESXi

The Akira ransomware gang has developed a Rust variant targeting VMware ESXi servers, a shift from the C++ codebase of its earlier encryptors. The Rust-based encryptor uses the rust-crypto 0.3.26 library, and the intrusions that deliver it have gained initial access through perimeter products such as SonicWall SonicOS, Cisco VPN services, and FortiClientEMS.

Once inside, Akira operators use PowerShell for credential harvesting and WMI to delete Volume Shadow Copies before expanding the attack. The ransomware appends the "akiranew" extension to encrypted files and deploys the Megazord encryptor to maximize damage.
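The pre-encryption behaviours described for Qilin.B above (stopping Veeam, SQL and antivirus services, wiping shadow copies, clearing event logs, and the registry change that exposes mapped network drives) and Akira's WMI-based shadow-copy deletion all leave process-creation telemetry. The script below is an added example, not code from Halcyon or from this newsletter: it runs a small set of regex rules over constructed process-creation log lines and flags hosts where several distinct behaviours fire together. The `timestamp|host|user|command_line` log format, the rule patterns, the service names and the `EnableLinkedConnections` registry value are all my assumptions, chosen to model what the text describes.

```python
"""Flag ransomware pre-encryption behaviours in process-creation log lines.

Added example: the log lines below are constructed for this demo, and the rule
set is an approximation of the behaviours described in the newsletter, not
detection content from Halcyon or any other vendor.
"""
import re
from collections import defaultdict

# Rule id -> pattern applied to the lower-cased command line.
# Patterns and service names are assumptions modelled on the text.
RULES = {
    # vssadmin / wmic / PowerShell-WMI deletion of Volume Shadow Copies
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(?:\.exe)?\s.*\bdelete\s+shadows\b"
        r"|\bwmic(?:\.exe)?\s.*\bshadowcopy\b.*\bdelete\b"
        r"|win32_shadowcopy.*(?:remove-wmiobject|\.delete\(\))"),
    # wevtutil clearing Windows Event Logs (anti-forensics)
    "event_log_clear": re.compile(r"\bwevtutil(?:\.exe)?\s.*\b(?:cl|clear-log)\b"),
    # stopping backup, database or security services before encryption
    "service_stop": re.compile(
        r"\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|stop-service)\b.*"
        r"(?:veeam|mssql|sql|sophos|windefend|defender)"),
    # registry change exposing mapped network drives to elevated processes;
    # EnableLinkedConnections is an assumption for "network drive sharing"
    "linked_connections": re.compile(
        r"\breg(?:\.exe)?\s.*\badd\b.*enablelinkedconnections"),
}

# Constructed sample telemetry: timestamp|host|user|command_line
SAMPLE_LOG = """\
2024-10-21T02:58:11Z|FS-01|CORP\\svc_backup|C:\\Windows\\System32\\net.exe stop VeeamBackupSvc /y
2024-10-21T02:58:13Z|FS-01|CORP\\svc_backup|sc.exe stop MSSQLSERVER
2024-10-21T02:58:20Z|FS-01|CORP\\svc_backup|vssadmin.exe delete shadows /all /quiet
2024-10-21T02:58:22Z|FS-01|CORP\\svc_backup|reg.exe add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2024-10-21T02:59:40Z|FS-01|CORP\\svc_backup|wevtutil.exe cl Security
2024-10-21T03:10:02Z|WS-117|CORP\\jdoe|powershell.exe -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2024-10-21T09:15:00Z|WS-042|CORP\\helpdesk|wevtutil.exe qe Application /c:5
2024-10-21T09:16:00Z|WS-042|CORP\\helpdesk|net.exe start Spooler
"""


def parse_line(line):
    """Split 'timestamp|host|user|command_line'.

    maxsplit=3 keeps pipes inside the command line (PowerShell pipelines) intact.
    """
    ts, host, user, cmd = line.rstrip("\n").split("|", 3)
    return ts, host, user, cmd


def match_rules(cmd):
    """Return the ids of every rule whose pattern matches the command line."""
    lowered = cmd.lower()
    return [name for name, rx in RULES.items() if rx.search(lowered)]


def scan(lines):
    """Return {host: {rule_id: [command_line, ...]}} for every matching line."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        if not line.strip():
            continue
        _ts, host, _user, cmd = parse_line(line)
        for rule in match_rules(cmd):
            hits[host][rule].append(cmd)
    return {host: dict(rules) for host, rules in hits.items()}


def staging_hosts(hits, min_rules=2):
    """Hosts on which at least `min_rules` distinct behaviours fired.

    A single shadow-copy deletion can be an admin at work; several of these
    behaviours on one host in one window is the pre-encryption pattern.
    """
    return sorted(host for host, rules in hits.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for host in staging_hosts(found):
        print(f"[!] {host}: {len(found[host])} distinct pre-encryption behaviours")
        for rule, cmds in found[host].items():
            for cmd in cmds:
                print(f"    {rule:<20} {cmd}")
```

In production the same rules would run over Sysmon Event ID 1 or Windows Security 4688 command lines rather than a pipe-delimited file, and the host-level correlation in `staging_hosts` is what keeps a lone `vssadmin` invocation by an administrator from paging the on-call analyst.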

Akira's typical attack chain involves compromising VPN credentials and network appliances, then escalating privileges by abusing backup software such as Veeam. While the group primarily targets manufacturing and technical services, it recently shifted back to C++ for its Windows and Linux payloads, adopting the ChaCha8 stream cipher for faster encryption.

Akira’s focus on ESXi and Linux environments enables the simultaneous encryption of multiple virtual machines, causing widespread operational disruption.

Ransomware groups increasingly favor Rust for its cross-platform toolchain, its memory safety, and the difficulty its compiled binaries pose for reverse engineering and signature-based detection. In Akira's case, the Rust build complicates analysis and the development of decryptors, and its payloads are built to disable security tooling before encryption begins.

Despite similarities to the Conti gang, no definitive link has been confirmed between the two.

Akira operates a sophisticated Ransomware-as-a-Service (RaaS) platform, using VPN exploits for entry and legitimate tools such as PCHunter64 to disable security software and evade detection. Since expanding operations in 2023, the group has leveraged vulnerabilities in VMware ESXi and Cisco software for lateral movement and deployed a double extortion strategy, threatening to leak stolen data.

With over 300 victims and $50 million in ransom collected, Akira’s attacks have intensified across industries like healthcare, education, and finance. Ransom demands typically range from $200,000 to $4 million, with notable victims including Nissan and the Royal College of Physicians and Surgeons.


Casio Attack Delays Deliveries

Casio, the Japanese watchmaker, has confirmed that product delivery delays will continue through November 2024 due to a ransomware attack that occurred on October 5.

The attack has disrupted critical systems, causing delays in product repairs and shipping. Casio expects to restore systems by the end of November but has suspended personal product repairs until then. Customers will be notified when services resume.

The "Underground" ransomware group claimed responsibility, claiming to have stolen 204.9 GB of sensitive data, including employee and business partner information. Casio acknowledged the severity of the breach, which impacted supplier relationships and shipments, particularly in Japan.

While Casio has not disclosed the full effect on production, Japanese authorities have been informed. The stolen data includes personal details of temporary workers, job applicants, and employees of affiliated companies.


Nidec Attack Exposes 50,000 Files

In August 2024, Nidec Precision (NPCV), a Vietnam-based subsidiary of Nidec, fell victim to a ransomware attack by the Everest group. The breach led to the theft of over 50,000 internal documents, including procurement policies and business correspondence, which were later leaked online after Nidec refused to pay the ransom.

The attackers likely entered the network over VPN using the compromised credentials of a general-purpose domain account. In response, Nidec disabled the VPN that was used, hardened its systems, and reset passwords.

While Nidec downplayed the financial impact, the risk from the data theft, including potential legal liabilities and regulatory fines, remains significant. The rise of data exfiltration in ransomware attacks highlights the need for a more robust cybersecurity approach, with early detection and prevention being key.

This trend also raises concerns for organizations about reputational damage, legal risks, and operational disruption.

Ransomware attacks now often involve data theft as leverage, with cybercriminals sometimes bypassing encryption entirely to focus on extortion. Effective strategies must prioritize protecting sensitive data from being exfiltrated, while ensuring compliance with breach notification laws to avoid further legal complications.


Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.
