Threat Feed
high threat

Qilin Ransomware Claims New Victim in French Public Sector

The Qilin ransomware group has claimed a new victim, Commune d'Eyguières (www.eyguieres.org), a public sector entity in France, using its Golang-based ransomware and double extortion tactics, leading to data encryption and the potential public release of exfiltrated information.

The Qilin ransomware group, first observed in July 2022, has claimed Commune d'Eyguières (www.eyguieres.org), a public sector entity in France, as its latest victim. Qilin operates a double extortion model: it encrypts victim data and threatens to leak exfiltrated sensitive information if the ransom is not paid. The group's ransomware is written in Golang and allows operators to select from multiple encryption modes. Since its emergence, Qilin has victimized at least 1935 organizations globally, with attacks observed since October 2022 and an average delay of 46.3 days between attack and public claim. This incident highlights the continued threat posed by ransomware groups to critical public services and the importance of robust defenses against data exfiltration and encryption.

Attack Chain

  1. Initial Access: Qilin actors gain initial access to target environments through tactics such as phishing campaigns (e.g., spearphishing via service), exploiting publicly accessible applications (T1190), or compromising valid accounts (T1078).
  2. Execution & Command and Control (C2): Upon gaining access, attackers execute malicious code using built-in command and scripting interpreters (PowerShell, Unix Shell) to establish persistence and set up command and control (C2) channels. Tools like Cobalt Strike or SystemBC are typically used for C2, often communicating over web protocols.
  3. Defense Evasion & Privilege Escalation: The group employs various techniques to evade defenses and escalate privileges, including exploiting system vulnerabilities (e.g., Bring-Your-Own-Vulnerable-Driver via Toshiba power management driver), leveraging credential dumping tools such as Mimikatz (T1003.001), and disabling security software or firewalls to reduce detection.
  4. Lateral Movement & Discovery: Qilin actors move laterally across the compromised network using remote services (e.g., RDP, SMB, SSH) and tools like NetExec. They perform comprehensive discovery actions to map the network topology, identify valuable systems, and query registry for sensitive information.
  5. Data Collection & Exfiltration: Prior to encryption, the group identifies and collects sensitive data from local systems. This data is often archived using native utilities (e.g., fsutil) before being exfiltrated to attacker-controlled infrastructure or cloud storage services like EasyUpload.io, MEGA, or FTP servers.
  6. Impact - Encryption & System Impairment: The final stage involves deploying the Golang-based ransomware payload to encrypt target data, rendering systems inoperable and files inaccessible (T1486). The threat actors also inhibit system recovery mechanisms and may perform disk wipes (T1490) to ensure data irrecoverability, reinforcing their double extortion strategy.

Impact

The Qilin ransomware group's attacks result in severe operational disruption and significant financial burdens due to system downtime, recovery costs, and potential ransom payments. Beyond encryption, the double extortion model means that sensitive data exfiltrated from victims such as Commune d'Eyguières in the public sector is threatened with public release on the group's leak site. This can lead to severe reputational damage, loss of public trust, and potential regulatory fines for data breaches, affecting the critical services provided by the affected organizations. With 1935 victims globally across sectors such as the public sector, manufacturing, and healthcare, the financial and operational impact is substantial and widespread.

Recommendation

  • Deploy the provided Sigma rules to your SIEM/EDR to detect Qilin ransomware activity, specifically focusing on file system events, process creation, and network connections.
  • Block the FTP exfiltration endpoints (credentialed FTP URIs, not domains) dataShare:2bTWYKNn7aK7Rqp9mnv3@176.113.115.209 and dataShare:nX4aJxu3rYUMiLjCMtuJYTKS@176.113.115.97 at your network perimeter firewall and proxy servers.
  • Implement strong logging for process_creation, file_event, and network_connection to enable the detection rules and facilitate incident response.
  • Filter network traffic to block connections to the identified malicious IP addresses: 176.113.115.209, 176.113.115.97, 188.119.66.189, 31.41.244.100, 85.209.11.49.
  • Regularly patch public-facing applications and systems to prevent exploitation for initial access as described in the attack chain.

Detection coverage (3 rules)

Detect Qilin Ransomware Recovery Notes

Severity: high

Detects the creation of Qilin ransomware recovery notes (README files) in common patterns observed for the group, indicating successful encryption.

Sigma rule. Tactics: impact. Techniques: T1486. Sources: file_event, windows

Detect Mimikatz Execution (Qilin Tool)

Severity: high

Detects the execution of Mimikatz, a tool frequently used by Qilin and other ransomware groups for credential access and privilege escalation (OS Credential Dumping).

Sigma rule. Tactics: credential_access, defense_evasion. Techniques: T1003.001, T1055. Sources: process_creation, windows

Detect Suspicious Outbound FTP Connection (Qilin Exfiltration)

Severity: high

Detects suspicious outbound FTP connections to non-standard destinations, potentially indicating data exfiltration by the Qilin ransomware group. This rule specifically targets connections to the known Qilin FTP exfiltration IP addresses listed in the recommendations above.

Sigma rule. Tactics: exfiltration. Techniques: T1048. Sources: network_connection, windows
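The three detections above, expressed as simple matching logic over constructed sample events, as an added example that is not part of the feed or its Sigma rules. The FTP IP list is taken from the recommendations on this page; the ransom-note filename pattern (README-RECOVER-*.txt) and the event field names are assumptions, since the page only says "README files in common patterns observed for the group".

```python
import re

# Qilin FTP exfiltration IPs as listed in the Recommendation section of this page.
QILIN_FTP_IPS = {"176.113.115.209", "176.113.115.97", "188.119.66.189",
                 "31.41.244.100", "85.209.11.49"}

# ASSUMPTION: the page does not give the exact note filename pattern; this regex
# is our stand-in for "README files in common patterns observed for the group".
NOTE_RE = re.compile(r"^README[-_].*RECOVER.*\.txt$", re.IGNORECASE)


def detect(event: dict) -> list:
    """Return the names of the page's detections that fire for one event.

    Field names (category, target_filename, image, command_line,
    destination_ip, destination_port, initiated) are assumed, Sysmon-like keys."""
    hits = []
    cat = event.get("category")
    if cat == "file_event":
        # Ransom note written to disk: look at the bare filename only.
        name = event.get("target_filename", "").rsplit("\\", 1)[-1]
        if NOTE_RE.match(name):
            hits.append("Qilin Ransomware Recovery Notes")
    elif cat == "process_creation":
        image = event.get("image", "").lower()
        cmdline = event.get("command_line", "").lower()
        if image.endswith("\\mimikatz.exe") or "mimikatz" in cmdline:
            hits.append("Mimikatz Execution")
    elif cat == "network_connection":
        dst = event.get("destination_ip", "")
        outbound_ftp = event.get("initiated") and event.get("destination_port") == 21
        if outbound_ftp and dst in QILIN_FTP_IPS:
            hits.append("Suspicious Outbound FTP Connection")
    return hits


# Constructed sample telemetry (not real events from the incident).
SAMPLE_EVENTS = [
    {"category": "file_event", "target_filename": r"C:\Users\Public\README-RECOVER-abc123.txt"},
    {"category": "file_event", "target_filename": r"C:\src\project\README.md"},
    {"category": "process_creation", "image": r"C:\Temp\mimikatz.exe", "command_line": "mimikatz.exe"},
    {"category": "network_connection", "destination_ip": "176.113.115.97",
     "destination_port": 21, "initiated": True},
    {"category": "network_connection", "destination_ip": "176.113.115.97",
     "destination_port": 443, "initiated": True},
]


def scan(events):
    """Run every event through detect() and return (index, detection) pairs."""
    return [(i, h) for i, e in enumerate(events) for h in detect(e)]
```

The HTTPS connection to a listed IP is deliberately left to the firewall block in the recommendations; the FTP rule fires only on port 21, mirroring the rule description.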


Indicators of compromise (10 hash_md5, 5 ip, 1 url)