Operators of Qilin ransomware, also known as Agenda, have added more sophisticated encryption and defense evasion capabilities with the new Qilin.B variant, The Hacker News reports.
Aside from retaining the ChaCha20 encryption used by older variants, Qilin.B adds AES-256-CTR encryption for systems with AES-NI hardware acceleration, along with RSA-4096 with OAEP padding to protect the symmetric keys, which ensures that files cannot be decrypted without the attackers' private key, a report from the Halcyon Research Team revealed. Researchers also found that Qilin.B terminates security tool services and backup and virtualization processes, clears Windows Event Logs, deletes volume shadow copies, and deletes itself after execution. "Qilin.B's combination of enhanced encryption mechanisms, effective defense evasion tactics, and persistent disruption of backup systems marks it as a particularly dangerous ransomware variant," said Halcyon.

The findings follow a Group-IB report noting that Qilin affiliates receive an 80% to 85% cut of ransom payments under the group's ransomware-as-a-service scheme.
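As an added example, not code from the Halcyon or Hacker News reports, the following Python applies a detection rule for the two evasion behaviours the report describes, clearing Windows Event Logs and deleting volume shadow copies, to constructed process-creation log lines in a Sysmon-like shape. The command lines it matches (vssadmin delete shadows, wmic shadowcopy delete, wevtutil cl, Clear-EventLog, and the Win32_ShadowCopy PowerShell deletion) are the usual ways these actions are carried out and are assumptions here; the report does not state which commands Qilin.B uses. The escalation check treats both behaviours occurring within a short window as one incident, since the report describes them together.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-10-24T10:00:01", "pid": 4412,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-10-24T10:00:02", "pid": 4420,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"ts": "2024-10-24T10:00:05", "pid": 4433,
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil.exe cl Security"},
    {"ts": "2024-10-24T10:00:07", "pid": 4440,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"ts": "2024-10-24T11:30:00", "pid": 4450,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},            # benign: lists, does not delete
    {"ts": "2024-10-24T11:31:00", "pid": 4460,
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil.exe qe Security /c:10"},       # benign: queries, does not clear
]

# Command-line patterns (assumed, not taken from the report) for the two behaviours.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_copy_deletion", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("event_log_clearing", re.compile(r"clear-eventlog", re.I)),
]


def classify(cmd):
    """Return the behaviour name for a command line, or None if no rule matches."""
    for name, pattern in RULES:
        if pattern.search(cmd):
            return name
    return None


def detect(events):
    """Return (pid, behaviour) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        tag = classify(ev["cmd"])
        if tag:
            hits.append((ev["pid"], tag))
    return hits


def summarize(events):
    """Count matches per behaviour; useful as a quick triage view."""
    counts = {}
    for _, tag in detect(events):
        counts[tag] = counts.get(tag, 0) + 1
    return counts


def escalate(events, window=timedelta(minutes=5)):
    """True when shadow-copy deletion and log clearing both occur within `window`.

    Either alone has benign explanations (backup rotation, log maintenance);
    both together in a short span is the backup-destruction plus anti-forensics
    pattern the report attributes to Qilin.B and deserves a higher severity.
    """
    times = {}
    for ev in events:
        tag = classify(ev["cmd"])
        if tag:
            times.setdefault(tag, []).append(datetime.fromisoformat(ev["ts"]))
    if "shadow_copy_deletion" not in times or "event_log_clearing" not in times:
        return False
    return any(abs(a - b) <= window
               for a in times["shadow_copy_deletion"]
               for b in times["event_log_clearing"])


if __name__ == "__main__":
    for pid, tag in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {tag}")
    print("counts:", summarize(SAMPLE_EVENTS))
    print("escalate:", escalate(SAMPLE_EVENTS))
```

Process-creation telemetry with full command lines (Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled) is the prerequisite for this rule; since the variant also clears event logs, forwarding those events off the host before they can be cleared is what makes the detection survive the attack.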