Skip to content
Threat Feed
critical threat

Qilin Ransomware Claims New Victim in Agriculture and Food Production Sector

The Qilin ransomware group, active since July 2022 and utilizing Golang, has claimed a new victim, Danone (International Delights) in the US Agriculture and Food Production sector, employing double extortion tactics involving data encryption and threatened data release.

The Qilin ransomware group, a highly active threat actor first observed in July 2022, continues its double extortion operations, with a recent claim against Danone (International Delights), a US-based company in the Agriculture and Food Production sector. Qilin ransomware is written in Golang, offering multiple encryption modes controlled by the operators, and its campaigns typically involve both data encryption and the threat of public release of stolen sensitive information if a ransom is not paid. The group has accumulated over 2000 victims across various industries, including manufacturing, business services, technology, and healthcare, primarily targeting entities in the United States. This ongoing activity highlights Qilin's persistent threat to critical infrastructure and diverse commercial enterprises globally.

Attack Chain

  1. Initial Access: Attackers gain entry through various methods, including the exploitation of public-facing applications, spearphishing via email, or leveraging valid but compromised accounts (e.g., T1566, T1190, T1078).
  2. Execution: Qilin operators execute malicious code using scripting interpreters like PowerShell or Unix Shell, or by deploying malicious system services (e.g., T1059.001, T1059.004, T1569.002).
  3. Persistence & Privilege Escalation: Persistence is established via scheduled tasks or boot/logon autostart execution. Privilege escalation is achieved through exploitation of vulnerabilities or techniques like OS credential dumping (e.g., T1053.005, T1547, T1068, T1003.001).
  4. Defense Evasion: The group employs techniques such as obfuscated files, modifying or disabling security tools, and impairing system defenses like firewalls to maintain access and avoid detection (e.g., T1027, T1562, T1562.004).
  5. Discovery & Lateral Movement: Attackers conduct extensive network reconnaissance, querying registries, sniffing network traffic, and using remote services (e.g., SMB/Windows Admin Shares, RDP) to identify high-value targets and move laterally across the compromised network (e.g., T1012, T1046, T1021.001, T1021.002).
  6. Collection & Exfiltration: Sensitive data is collected and often archived using utilities before being exfiltrated over alternative network mediums or to cloud storage services (e.g., T1560.001, T1041, T1567.002).
  7. Command and Control: Communication with C2 infrastructure is maintained through various methods, including obfuscated data and tunneling over common application layer protocols like web protocols (e.g., T1001, T1071.001, T1572).
  8. Impact: The final stage involves encrypting victim data, inhibiting system recovery mechanisms, and sometimes wiping disks to maximize disruption and coerce ransom payment (e.g., T1486, T1490, T1488, T1488.001).

Impact

The Qilin ransomware group's attacks result in severe operational disruption, data loss due to encryption, and potential public exposure of sensitive information through their double extortion model. With over 2000 victims reported since 2022, including a recent target in the US Agriculture and Food Production sector, the scope of their impact is significant and spans diverse industries like manufacturing, business services, technology, and healthcare. Successful attacks lead to direct financial losses from ransom demands, costs associated with incident response and recovery, and severe reputational damage. The loss of critical business data and systems can halt operations for extended periods, impacting supply chains and essential services.

Recommendation

  • Implement endpoint detection and response (EDR) solutions to detect and block malicious hashes listed in the IOCs.
  • Block connections to the malicious IP addresses and domains listed in the IOC table at the network perimeter firewall and DNS resolver.
  • Deploy and tune endpoint security rules, such as the Detect Qilin Ransomware Hashes rule, to identify and quarantine known Qilin ransomware samples.
  • Implement and continuously monitor the Detect Qilin C2 Network Connections rule to identify and alert on suspicious outbound network activity to known Qilin infrastructure.
  • Enable comprehensive logging for process creation, network connections, and file events on all endpoints to provide visibility for the detection rules and facilitate incident response.
  • Review and enforce strong password policies and multi-factor authentication (MFA) to mitigate initial access attempts via valid accounts (ATT&CK T1078).
  • Regularly patch and update all public-facing applications and systems to prevent exploitation of vulnerabilities (ATT&CK T1190).

Detection coverage 2

Detect Qilin Ransomware Hashes

high

Detects known Qilin ransomware samples by their MD5 hashes, indicative of malware presence on the system.

sigma tactics: impact techniques: T1486 sources: file_event, windows

Detect Qilin C2 Network Connections

high

Detects outbound network connections to known Qilin ransomware command-and-control (C2) infrastructure IP addresses or unusual FTP connections for data exfiltration.

sigma tactics: command_and_control, exfiltration techniques: T1041, T1071.001 sources: network_connection, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

5

domain

54

hash_md5

5

ip

1

url

TypeValue
domainwww.idelights.com
urlhttp://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/blog?uuid=2a85afa5-7c66-4fe2-a552-df3f6954cb9c
domainozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion
domainkbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion
domainijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion
domainji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion
hash_md508a2405cd32f044a69737e77454ee2da
hash_md50d68a310f4265821900249bec89364c2
hash_md511d795baafa44b73766e850d13b8e254
hash_md5144183a4217ae0914ba0c865858d07cd
hash_md519ff6488a259d750ec18902fe75a713b
hash_md51bde76f3197123dcc2ecd0bfef567484
hash_md51c4bea81c0da22badd9b7eab574c51cd
hash_md52020979e080d7ac9c0403172573c7de8
hash_md524a8fcd08d9e40d32929b57de9b15385
hash_md52bb209ccfc5103eccab523c875050cfa
hash_md52f76a29d4e4292d7f29a29345717812c
hash_md53158a3849ea2695d6ec5aea6512fd030
hash_md5348b0ce6af4698061678c8e92b4b2675
hash_md537155f0bca29ccd6b6d4f5b2bc42eb4d
hash_md53b10127e65fa3e215d21e0a2e7fd32be
hash_md5417ad60624345ef85e648038e18902ab
hash_md5420a2c53386678396f972f09cc7f3a5c
hash_md54a3f22021e4415e8211633fb3735a046
hash_md54ea8adecc5bd45a76cc61430c560924f
hash_md553c8a4f0497929de4a5039b2c14bf426
hash_md5575b26c1cc06609722f98e2beaed6a8a
hash_md55862f9fc9c9a0d766eba29eb4945f619
hash_md559d756280b06cf113ca43abc0050edd5
hash_md55cffa3126b9effc279d32b2cf4ef2278
hash_md564a590760fdbb84356544cc90ac3d50f
hash_md5670fe8faaede4e2e033311fb662d2a4a
hash_md56f893b1cc5cf534c59eabe932c1bf21e
hash_md56fc6164b3a08669992acad3764fb1922
hash_md5826a8e8c05983aa3a884d7abcfa473ac
hash_md588630916b0c6633ca28c8896416a93ee
hash_md588bb86494cb9411a9692f9c8e67ed32c
hash_md58ca5c9745e8a0e18167a9b932821645a
hash_md5964c13b68dc6b6b918b66a9a10469d2a
hash_md5996c394d0f6d6967df9542c52f6f4661
hash_md59befad1d56d2bd8195813aea1f37f921
hash_md59ea321b6a0f069caab7092cfe1cbbde0
hash_md59f510626c7327a7c2328bc5131726638
hash_md5a6302fdb63e2244c1246a73a7d65d09e
hash_md5a7ab0969bf6641cd0c7228ae95f6d217
hash_md5a7e7d00d531cb7ca27d0f3bee448573f
hash_md5ab05a1925fee8334a2114811d5283364
hash_md5b04e8ee43aba85fa5c585b9335c953c2
hash_md5b4a6152514919a637c22a58bea316fc7
hash_md5bed0f34673cc93560c17e3ab04ea5d19
hash_md5d1c331c17ddd4abe0d53755461c1ec9a
hash_md5d309e3d77ed6a336eb3ad263ddf9db90
hash_md5d6e7547ad7dfd1fbc62e8282aebcc391
hash_md5dd42c3e017889c107a81da78d87dc8af
hash_md5e01776ec67b9f1ae780c3e24ecc4bf06
hash_md5e4c1add9f7606e3fa57976b908b4b375
hash_md5ea1f8794c73b26724314e5356f1f4128
hash_md5f588802958c35fe18eb87bc36651a3d1
hash_md5f982da00c547913fd0ae7d0da0fc77e7
hash_md5fdc6848dad660414bed9ad1b381cf6e3
ip176.113.115.209
ip176.113.115.97
ip188.119.66.189
ip31.41.244.100
ip85.209.11.49