@BushidoToken Threat Intel

This blog is part of my Tracking Adversaries blog series, whereby I perform a summary analysis of a particular adversary that has caught my attention and made me feel like they deserve special attention and investigation. Qilin has been covered already by experts from Trend Micro , Secureworks , Group-IB , SentinelOne , SOCRadar , BleepingComputer , and MalwareHunterTeam . Kudos to them, because without these researchers sharing their findings with the community, we would be a lot less informed about this prominent ransomware gang. Background Active since at least May 2022, Qilin ransomware is named after the mythical Chinese creature  which you may  pronounce as "Chee-lin". The origin of this cybercriminal threat group, however, is believed to be from Russia. Like many other ransomware campaigns run by organised cybercriminal gangs, Qilin ransomware is used for domain-wide encryption of servers and workstations and its operators steal vast quantities of data. A ran...

  In February 2022, following the Russian invasion of Ukraine, the operators of Conti ransomware announced their support of the Russian government. They shortly walked back their support, seemingly after rifts by members of the group. Not long after that, hundreds of thousands of messages from internal chat logs were shared publicly by two accounts on Twitter called @ContiLeaks and @TrickLeaks. This treasure trove of information revealed a wealth of insights about the inner workings of a sophisticated Russian cybercrime business linked to the Conti and Ryuk ransomware campaigns and Trickbot malware botnet , which are tracked as Wizard Spider (by CrowdStrike ), DEV-0193 (by Microsoft ), GOLD ULRICK (by Secureworks ), and  Ryuk as FIN12 (by  Mandiant ) . Following the fallout of the internal chat leaks, the Conti ransomware group carried on, seemingly business as usual. In April 2022, the Government of Costa Rica had to declare a state of emergency following a sprawling C...