Skip to content
Threat Feed
critical threat

Qilin Ransomware Claims New Financial Services Victim

The Qilin ransomware group, known for its Golang-based ransomware and double extortion tactics, has claimed a new victim in the Financial Services sector, www.tqfinancials.com, as part of its ongoing campaign, highlighting the persistent threat of data encryption and exfiltration.

The Qilin ransomware group, first observed in July 2022, has added www.tqfinancials.com, a Financial Services entity, to its list of victims as of July 3, 2026. This group utilizes ransomware written in Golang, supporting multiple encryption modes controlled by the operator. Qilin consistently employs a double extortion model, demanding payment for decryption keys and threatening to release exfiltrated data if demands are not met. The group has claimed a total of 1973 victims, with an average delay of 45.7 days between attack and public claim. The targeting of a financial services organization underscores the group's broad sector targeting and the severe risks of data compromise and business disruption.

Attack Chain

  1. Initial Access: Gaining unauthorized entry, potentially via "Exploit Public-Facing Application" or "Phishing" as listed in Qilin's TTPs.
  2. Execution & Defense Evasion: Running malicious code, often using "Command and Scripting Interpreter: PowerShell" and employing "Obfuscated Files or Information" or tools like "EDRSandBlast" to bypass security.
  3. Credential Access: Harvesting credentials using tools like "Mimikatz" or leveraging "OS Credential Dumping: LSASS Memory".
  4. Discovery & Lateral Movement: Mapping the network with tools such as "Nmap" and moving across systems using "Remote Services" like "PsExec" or "WinRM".
  5. Collection & Exfiltration: Gathering sensitive data from various systems and exfiltrating it to attacker-controlled infrastructure, potentially via "EasyUpload.io" or "MEGA" or over FTP using credentials like dataShare:2bTWYKNn7aK7Rqp9mnv3.
  6. Impact: Deploying the Golang-based ransomware payload to encrypt systems, accompanied by "Data Encrypted for Impact" and "Inhibit System Recovery" actions, including dropping ransom notes like "DtMXQFOCos-RECOVER-README.txt".

Impact

The impact of a Qilin ransomware attack on a Financial Services organization like www.tqfinancials.com includes severe operational disruption, potential data breaches due to double extortion tactics, and significant financial losses from downtime and recovery efforts. While specific data stolen for this victim is not detailed, Qilin's standard operating procedure involves data exfiltration, posing risks of regulatory fines, reputational damage, and loss of customer trust. The group has a history of impacting a wide range of sectors, with Manufacturing (301 victims), Business Services (262), and Technology (178) among its top targets, indicating its capability to severely compromise diverse organizations.

Recommendation

  • Deploy the provided IOCs (MD5 hashes, IP addresses, FTP URLs) to your network perimeter defenses (firewall, IDS/IPS, DNS filters) and endpoint detection and response (EDR) solutions to block known Qilin infrastructure.
  • Enable comprehensive logging for process creation, network connections, and PowerShell activity (log source: process_creation) to detect the execution of tools like Mimikatz, Cobalt Strike, Nmap, and PsExec.
  • Implement and enforce strong access controls and multi-factor authentication (MFA) across all critical systems to mitigate credential compromise and lateral movement.
  • Regularly patch and update all public-facing applications and systems to remediate known vulnerabilities that could be leveraged for initial access, as Qilin has been observed to exploit public-facing applications.
  • Deploy robust endpoint detection rules such as "Detect Mimikatz Credential Dumping Activity" and "Detect Common Cobalt Strike Beacon Processes" to identify and block the execution of known Qilin tools and TTPs.

Detection coverage 2

Detect Mimikatz Credential Dumping Activity

high

Detects common command line arguments used by Mimikatz for credential dumping, often employed by ransomware groups like Qilin for privilege escalation and lateral movement.

sigma tactics: credential_access techniques: T1003.001 sources: process_creation, windows

Detect Common Cobalt Strike Beacon Processes

high

Detects suspicious process creation patterns often associated with Cobalt Strike beacons, a tool frequently used by ransomware groups like Qilin for command and control.

sigma tactics: command_and_control techniques: T1059.001, T1059.003, T1071.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

54

hash_md5

5

ip

1

url

TypeValue
hash_md508a2405cd32f044a69737e77454ee2da
hash_md50d68a310f4265821900249bec89364c2
hash_md511d795baafa44b73766e850d13b8e254
hash_md5144183a4217ae0914ba0c865858d07cd
hash_md519ff6488a259d750ec18902fe75a713b
hash_md51bde76f3197123dcc2ecd0bfef567484
hash_md51c4bea81c0da22badd9b7eab574c51cd
hash_md52020979e080d7ac9c0403172573c7de8
hash_md524a8fcd08d9e40d32929b57de9b15385
hash_md52bb209ccfc5103eccab523c875050cfa
hash_md52f76a29d4e4292d7f29a29345717812c
hash_md53158a3849ea2695d6ec5aea6512fd030
hash_md5348b0ce6af4698061678c8e92b4b2675
hash_md537155f0bca29ccd6b6d4f5b2bc42eb4d
hash_md53b10127e65fa3e215d21e0a2e7fd32be
hash_md5417ad60624345ef85e648038e18902ab
hash_md5420a2c53386678396f972f09cc7f3a5c
hash_md54a3f22021e4415e8211633fb3735a046
hash_md54ea8adecc5bd45a76cc61430c560924f
hash_md553c8a4f0497929de4a5039b2c14bf426
hash_md5575b26c1cc06609722f98e2beaed6a8a
hash_md55862f9fc9c9a0d766eba29eb4945f619
hash_md559d756280b06cf113ca43abc0050edd5
hash_md55cffa3126b9effc279d32b2cf4ef2278
hash_md564a590760fdbb84356544cc90ac3d50f
hash_md5670fe8faaede4e2e033311fb662d2a4a
hash_md56f893b1cc5cf534c59eabe932c1bf21e
hash_md56fc6164b3a08669992acad3764fb1922
hash_md5826a8e8c05983aa3a884d7abcfa473ac
hash_md588630916b0c6633ca28c8896416a93ee
hash_md588bb86494cb9411a9692f9c8e67ed32c
hash_md58ca5c9745e8a0e18167a9b932821645a
hash_md5964c13b68dc6b6b918b66a9a10469d2a
hash_md5996c394d0f6d6967df9542c52f6f4661
hash_md59befad1d56d2bd8195813aea1f37f921
hash_md59ea321b6a0f069caab7092cfe1cbbde0
hash_md59f510626c7327a7c2328bc5131726638
hash_md5a6302fdb63e2244c1246a73a7d65d09e
hash_md5a7ab0969bf6641cd0c7228ae95f6d217
hash_md5a7e7d00d531cb7ca27d0f3bee448573f
hash_md5ab05a1925fee8334a2114811d5283364
hash_md5b04e8ee43aba85fa5c585b9335c953c2
hash_md5b4a6152514919a637c22a58bea316fc7
hash_md5bed0f34673cc93560c17e3ab04ea5d19
hash_md5d1c331c17ddd4abe0d53755461c1ec9a
hash_md5d309e3d77ed6a336eb3ad263ddf9db90
hash_md5d6e7547ad7dfd1fbc62e8282aebcc391
hash_md5dd42c3e017889c107a81da78d87dc8af
hash_md5e01776ec67b9f1ae780c3e24ecc4bf06
hash_md5e4c1add9f7606e3fa57976b908b4b375
hash_md5ea1f8794c73b26724314e5356f1f4128
hash_md5f588802958c35fe18eb87bc36651a3d1
hash_md5f982da00c547913fd0ae7d0da0fc77e7
hash_md5fdc6848dad660414bed9ad1b381cf6e3
ip176.113.115.209
ip176.113.115.97
ip188.119.66.189
ip31.41.244.100
ip85.209.11.49
urlhttp://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/blog?uuid=abf9c42a-1ce2-43e2-a6ae-ffe1f669d054