Was ist Qilin Ransomware?

Qilin (auch bekannt als Agenda) ist eine Ransomware-as-a-Service (RaaS), die sowohl Windows- als auch Linux-Systeme angreift und typischerweise über Phishing oder RDP-Zugänge verteilt wird.

Wie sieht die Erpressernachricht von Qilin aus?

Die Gruppe nutzt variabel generierte Dateinamen für die Ransomnote, wie zum Beispiel [RANDOM]-RECOVER-README.txt. Inhalte variieren, enthalten aber stets Zahlungsanweisungen und Tor-Adressen.

Was soll ich tun, wenn mein Unternehmen betroffen ist?

Kontaktieren Sie umgehend unser Computer Emergency Response Team (CERT) unter dfir@mh-service.de oder +49 211 8797446742. Wir sind 24/7 verfügbar.

Qilin Ransomware

Screenshot der Akira-Leakseite (Tor Hidden Service)

Allgemeine Informationen

Erkannt seit: Mitte 2022 (unter dem Namen "Agenda"), später als "Qilin" bekannt
Modell: Ransomware-as-a-Service (RaaS)
Verbindung zu: Vermutlich eigenständige Gruppe mit enger technischer Nähe zu UNC3944 (Mandiant) / GOLD FEATHER (Secureworks)
Opferzahl: Mehrere Dutzend bestätigte Fälle weltweit, u. a. im Gesundheitswesen und Bildungssektor
Zielbranchen: Öffentlicher Sektor, Bildung, Gesundheitswesen, Industrie, IT-Infrastruktur
Typische Lösegeldforderungen: 100.000 – 800.000 USD (abhängig von Größe und Standort)

Dateiendungen & Ransomnote

.MmXReVIxLV (variabel generierte Endung) – Erweiterung verschlüsselter Dateien
[RANDOM]-RECOVER-README.txt – Erpressernachricht mit Kontaktinformationen

Datei-Hashes

SHA‑256:

b3c8fefee9394b89f57fcfc0a7ae07133a8f7cbb2f8efcdd8b91a3b8cfaa0ba0
579efbffb8e364181d127e53d7223cfe7efc34ff27f13a130c78226a8d3d6715

Verdächtige Kommandos

vssadmin delete shadows /all /quiet
bcdedit /set {current} safeboot minimal
wmic shadowcopy delete
netsh advfirewall set allprofiles state off

Netzwerkindikatoren

Remote Tool: PsExec
Remote Tool: AnyDesk
Leak-Site (.onion): ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion

Externe Analysen & Bedrohungsprofile

MITRE ATT&CK Mapping

Initial Access: T1078 - Valid Accounts (z. B. VPN ohne MFA), T1133 - External Remote Services
Execution: T1059 - Command and Scripting Interpreter (PowerShell)
Persistence: T1547 - Boot or Logon Autostart Execution
Privilege Escalation: T1068 - Exploitation for Privilege Escalation
Defense Evasion: T1562 - Impair Defenses (AV-Killer, Shadow Copy löschen)
Credential Access: T1003 - OS Credential Dumping (Mimikatz, LaZagne)
Discovery: T1087 - Account Discovery, T1018 - Remote System Discovery
Lateral Movement: T1021 - Remote Services (RDP, SMB)
Collection: T1119 - Automated Collection
Exfiltration: T1041 - Exfiltration Over C2 Channel (z. B. Rclone, FileZilla)
Impact: T1486 - Data Encrypted for Impact, T1490 - Inhibit System Recovery

Ransomnote - Beispiel A


-- Qilin 



Your network/system was encrypted. 

Encrypted files have new extension. 



-- Compromising and sensitive data 



We have downloaded compromising and sensitive data from you system/network 

If you refuse to communicate with us and we do not come to an agreement, your data will be published. 

Data includes: 

- Employees personal data, CVs, DL , SSN. 

- Complete network map including credentials for local and remote services. 

- Financial information including clients data, bills, budgets, annual reports, bank statements. 

- Complete datagrams/schemas/drawings for manufacturing in solidworks format 

- And more... 



-- Warning 



1) If you modify files - our decrypt software won't able to recover data 

2) If you use third party software - you can damage/modify files (see item 1) 

3) You need cipher key / our decrypt software to restore you files. 

4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. 



-- Recovery 



1) Download tor browser: https://www.torproject.org/download/ 

2) Go to domain 

3) Enter credentials-- Credentials 

Extension: [snip] 
Domain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion 
login: [snip] 
password:[snip]

Ransomnote - Beispiel B


-- Qilin 



We have 3.4TB of your data stored on our servers. Contact us or we will publish this data on our blog, in the media and pass it on to the relevant authorities. We are ready to offer you a discount in case of payment within a week.



Your network/system was encrypted. 

Encrypted files have new extension. 



-- Compromising and sensitive data 



We have downloaded compromising and sensitive data from your system/network.

Our group cooperates with the mass media.

If you refuse to communicate with us and we do not come to an agreement, your data will be reviewed and published on our blog and on the media page (https://wikileaks2.site/)



Blog links:

http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion

http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion



Data includes: 

- Employees personal data, CVs, DL , SSN. 

- Complete network map including credentials for local and remote services. 

- Financial information including clients data, bills, budgets, annual reports, bank statements. 

- Complete datagrams/schemas/drawings for manufacturing in solidworks format 

- And more... 



-- Warning 



1) If you modify files - our decrypt software won't able to recover data 

2) If you use third party software - you can damage/modify files (see item 1) 

3) You need cipher key / our decrypt software to restore you files. 

4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. 



-- Recovery 



1) Download tor browser: https://www.torproject.org/download/ 

2) Go to domain 

3) Enter credentials



Please note that communication with us is only possible via the website in the Tor browser, which is specified in this note. 

All other means of communication are not real and may be created by third parties, if such were not provided in this note or on the website specified in this note.

-- Credentials 

Extension: 2ir53sQQAU 
Domain: [snip] 
login: [snip] 
password:[snip]

Ransomnote - Beispiel C (Agenda)


-- Agenda

Your network/system was encrypted.
Encrypted files have new extension.

-- Compromising and sensitive data

We have downloaded compromising and sensitive data from you system/network
If you refuse to communicate with us and we do not come to an agreementyour data will be published.
Data includes:
    - Employees personal dataCVsDLSSN.
    - Complete network map including credentials for local and remote services.
    - Financial information including clients databillsbudgetsannual reportsbank statements.
    - Complete datagrams/schemas/drawings for manufacturing in solidworks format
    - And more...

-- Warning

1) If you modify files - our decrypt software won't able to recover data
2) If you use third party software - you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore you files.
4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions.

-- Recovery

1) Download tor browser: https://www.torproject.org/download/
2) Go to domain
3) Enter credentials


-- Credentials

Extension: DtMXQFOCos
Domain: wlh3dpptx2gt7nsxcor37a3kiyaiy6qwhdv7o6nl6iuniu5ycze5ydid.onion
login: [snip] 
password: [snip]

Indicators of Compromise (IOCs)


Dateiendung(en):        *.MmXReVIxLV (variabel pro Angriff)
Ransom Note:            *-RECOVER-README.txt
Leak Site (Tor):        ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion

Verdächtige Prozesse:   psexesvc.exe, esxcli, esxcfg-info
Remote Tools:           PsExec, AnyDesk, RDP

Command-Line IOCs:
  - vssadmin delete shadows /all /quiet
  - bcdedit /set {current} safeboot minimal
  - wmic shadowcopy delete
  - netsh advfirewall set allprofiles state off

Hash-Beispiel (SHA256):
  - b3c8fefee9394b89f57fcfc0a7ae07133a8f7cbb2f8efcdd8b91a3b8cfaa0ba0
  - 579efbffb8e364181d127e53d7223cfe7efc34ff27f13a130c78226a8d3d6715