Qilin Ransomware Claims New Financial Services Victim
The Qilin ransomware group, known for its Golang-based ransomware and double extortion tactics, has claimed a new victim in the Financial Services sector, www.tqfinancials.com, as part of its ongoing campaign, highlighting the persistent threat of data encryption and exfiltration.
The Qilin ransomware group, first observed in July 2022, has added www.tqfinancials.com, a Financial Services entity, to its list of victims as of July 3, 2026. This group utilizes ransomware written in Golang, supporting multiple encryption modes controlled by the operator. Qilin consistently employs a double extortion model, demanding payment for decryption keys and threatening to release exfiltrated data if demands are not met. The group has claimed a total of 1973 victims, with an average delay of 45.7 days between attack and public claim. The targeting of a financial services organization underscores the group's broad sector targeting and the severe risks of data compromise and business disruption.
Attack Chain
- Initial Access: Gaining unauthorized entry, potentially via "Exploit Public-Facing Application" or "Phishing" as listed in Qilin's TTPs.
- Execution & Defense Evasion: Running malicious code, often using "Command and Scripting Interpreter: PowerShell" and employing "Obfuscated Files or Information" or tools like "EDRSandBlast" to bypass security.
- Credential Access: Harvesting credentials using tools like "Mimikatz" or leveraging "OS Credential Dumping: LSASS Memory".
- Discovery & Lateral Movement: Mapping the network with tools such as "Nmap" and moving across systems using "Remote Services" like "PsExec" or "WinRM".
- Collection & Exfiltration: Gathering sensitive data from various systems and exfiltrating it to attacker-controlled infrastructure, potentially via "EasyUpload.io" or "MEGA" or over FTP using credentials like
dataShare:2bTWYKNn7aK7Rqp9mnv3. - Impact: Deploying the Golang-based ransomware payload to encrypt systems, accompanied by "Data Encrypted for Impact" and "Inhibit System Recovery" actions, including dropping ransom notes like "DtMXQFOCos-RECOVER-README.txt".
Impact
The impact of a Qilin ransomware attack on a Financial Services organization like www.tqfinancials.com includes severe operational disruption, potential data breaches due to double extortion tactics, and significant financial losses from downtime and recovery efforts. While specific data stolen for this victim is not detailed, Qilin's standard operating procedure involves data exfiltration, posing risks of regulatory fines, reputational damage, and loss of customer trust. The group has a history of impacting a wide range of sectors, with Manufacturing (301 victims), Business Services (262), and Technology (178) among its top targets, indicating its capability to severely compromise diverse organizations.
Recommendation
- Deploy the provided IOCs (MD5 hashes, IP addresses, FTP URLs) to your network perimeter defenses (firewall, IDS/IPS, DNS filters) and endpoint detection and response (EDR) solutions to block known Qilin infrastructure.
- Enable comprehensive logging for process creation, network connections, and PowerShell activity (log source: process_creation) to detect the execution of tools like Mimikatz, Cobalt Strike, Nmap, and PsExec.
- Implement and enforce strong access controls and multi-factor authentication (MFA) across all critical systems to mitigate credential compromise and lateral movement.
- Regularly patch and update all public-facing applications and systems to remediate known vulnerabilities that could be leveraged for initial access, as Qilin has been observed to exploit public-facing applications.
- Deploy robust endpoint detection rules such as "Detect Mimikatz Credential Dumping Activity" and "Detect Common Cobalt Strike Beacon Processes" to identify and block the execution of known Qilin tools and TTPs.
Detection coverage 2
Detect Mimikatz Credential Dumping Activity
highDetects common command line arguments used by Mimikatz for credential dumping, often employed by ransomware groups like Qilin for privilege escalation and lateral movement.
Detect Common Cobalt Strike Beacon Processes
highDetects suspicious process creation patterns often associated with Cobalt Strike beacons, a tool frequently used by ransomware groups like Qilin for command and control.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
54
hash_md5
5
ip
1
url
| Type | Value |
|---|---|
| hash_md5 | 08a2405cd32f044a69737e77454ee2da |
| hash_md5 | 0d68a310f4265821900249bec89364c2 |
| hash_md5 | 11d795baafa44b73766e850d13b8e254 |
| hash_md5 | 144183a4217ae0914ba0c865858d07cd |
| hash_md5 | 19ff6488a259d750ec18902fe75a713b |
| hash_md5 | 1bde76f3197123dcc2ecd0bfef567484 |
| hash_md5 | 1c4bea81c0da22badd9b7eab574c51cd |
| hash_md5 | 2020979e080d7ac9c0403172573c7de8 |
| hash_md5 | 24a8fcd08d9e40d32929b57de9b15385 |
| hash_md5 | 2bb209ccfc5103eccab523c875050cfa |
| hash_md5 | 2f76a29d4e4292d7f29a29345717812c |
| hash_md5 | 3158a3849ea2695d6ec5aea6512fd030 |
| hash_md5 | 348b0ce6af4698061678c8e92b4b2675 |
| hash_md5 | 37155f0bca29ccd6b6d4f5b2bc42eb4d |
| hash_md5 | 3b10127e65fa3e215d21e0a2e7fd32be |
| hash_md5 | 417ad60624345ef85e648038e18902ab |
| hash_md5 | 420a2c53386678396f972f09cc7f3a5c |
| hash_md5 | 4a3f22021e4415e8211633fb3735a046 |
| hash_md5 | 4ea8adecc5bd45a76cc61430c560924f |
| hash_md5 | 53c8a4f0497929de4a5039b2c14bf426 |
| hash_md5 | 575b26c1cc06609722f98e2beaed6a8a |
| hash_md5 | 5862f9fc9c9a0d766eba29eb4945f619 |
| hash_md5 | 59d756280b06cf113ca43abc0050edd5 |
| hash_md5 | 5cffa3126b9effc279d32b2cf4ef2278 |
| hash_md5 | 64a590760fdbb84356544cc90ac3d50f |
| hash_md5 | 670fe8faaede4e2e033311fb662d2a4a |
| hash_md5 | 6f893b1cc5cf534c59eabe932c1bf21e |
| hash_md5 | 6fc6164b3a08669992acad3764fb1922 |
| hash_md5 | 826a8e8c05983aa3a884d7abcfa473ac |
| hash_md5 | 88630916b0c6633ca28c8896416a93ee |
| hash_md5 | 88bb86494cb9411a9692f9c8e67ed32c |
| hash_md5 | 8ca5c9745e8a0e18167a9b932821645a |
| hash_md5 | 964c13b68dc6b6b918b66a9a10469d2a |
| hash_md5 | 996c394d0f6d6967df9542c52f6f4661 |
| hash_md5 | 9befad1d56d2bd8195813aea1f37f921 |
| hash_md5 | 9ea321b6a0f069caab7092cfe1cbbde0 |
| hash_md5 | 9f510626c7327a7c2328bc5131726638 |
| hash_md5 | a6302fdb63e2244c1246a73a7d65d09e |
| hash_md5 | a7ab0969bf6641cd0c7228ae95f6d217 |
| hash_md5 | a7e7d00d531cb7ca27d0f3bee448573f |
| hash_md5 | ab05a1925fee8334a2114811d5283364 |
| hash_md5 | b04e8ee43aba85fa5c585b9335c953c2 |
| hash_md5 | b4a6152514919a637c22a58bea316fc7 |
| hash_md5 | bed0f34673cc93560c17e3ab04ea5d19 |
| hash_md5 | d1c331c17ddd4abe0d53755461c1ec9a |
| hash_md5 | d309e3d77ed6a336eb3ad263ddf9db90 |
| hash_md5 | d6e7547ad7dfd1fbc62e8282aebcc391 |
| hash_md5 | dd42c3e017889c107a81da78d87dc8af |
| hash_md5 | e01776ec67b9f1ae780c3e24ecc4bf06 |
| hash_md5 | e4c1add9f7606e3fa57976b908b4b375 |
| hash_md5 | ea1f8794c73b26724314e5356f1f4128 |
| hash_md5 | f588802958c35fe18eb87bc36651a3d1 |
| hash_md5 | f982da00c547913fd0ae7d0da0fc77e7 |
| hash_md5 | fdc6848dad660414bed9ad1b381cf6e3 |
| ip | 176.113.115.209 |
| ip | 176.113.115.97 |
| ip | 188.119.66.189 |
| ip | 31.41.244.100 |
| ip | 85.209.11.49 |
| url | http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/blog?uuid=abf9c42a-1ce2-43e2-a6ae-ffe1f669d054 |