Qilin (AKA Agenda): A must-watch ransomware group in 2023

Qilin, also known as Agenda, is a ransomware group that also runs a ransomware-as-a-service (RaaS) scheme. According to new Group-IB findings, affiliates of Qilin's RaaS scheme keep anywhere between 80% and 85% of each ransom payment. The group was first discovered in 2022, when it attacked Australia's leading information technology service organization.

Qilin targets its victims with phishing emails that contain malicious links to gain access to their network and exfiltrate sensitive data. As soon as initial access is complete, the operators typically move laterally across the victim's infrastructure looking for crucial data to encrypt. After encrypting the data, Qilin leaves a ransom note ("Your network/system was encrypted"); the encrypted files carry a new file extension, and the note demands payment for the decryption key.

The malware drops pwndll.dll (detected as Trojan.Win64.AGENDA.SVT) in the Public folder and injects this DLL into svchost.exe to allow continuous execution of the ransomware binary. It takes advantage of safe mode to evade detection and proceed with its encryption routine unnoticed. The malware is written in Rust. The Rust variant is especially effective for ransomware attacks: apart from its evasion-prone and hard-to-decipher qualities, it also makes it easier to customize the malware for Windows, Linux and other operating systems.

Here are some pointers to be noted:

- At first the group targeted organizations at random, but now it seems mostly interested in critical infrastructure, in particular OT companies. In 2023 it has targeted 21 companies, including 5 OT victims. Recently, in June 2023, it attacked Clarity Water Technologies LLC, a Dubai-based OT company that specializes in comprehensive industrial and commercial water treatment, and has targeted 6 other companies and leaked some of their data.
- As per our dark web analysis, the victims targeted so far are from different countries, including Argentina, Australia, Brazil, Canada, Colombia, France, Germany, Japan, New Zealand, Serbia, Thailand, the Netherlands, the UAE, the UK and the United States.

Fig. 1: Victim countries

- As per the screenshot of a post, written in Russian by a Qilin recruiter to recruit teams of experienced pentesters for the affiliate program, the group does not work in CIS countries.
- Qilin maintains a dedicated dark web page where it publishes information and details about each victim, including the victim's name, the date of the attack, a description of the victim and some images of the victim's sensitive data. When the ransom is not paid, it also leaks the victim's data on this site.
- The group has posted about 22 victims on its Onion site, and some victims' data has also been leaked on the page.

Qilin dark web front page, where the group publishes information about its victims

Login page of the Qilin ransomware site

The group normally leaks two files: one contains the data and the other a list of all the sensitive files, as shown in the image.

Indicators of compromise (SHA-256):

76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e

fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039

References:

https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

https://www.trendmicro.com/en_in/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html

https://www.group-ib.com/blog/qilin-ransomware/

This research report is attributed to Dipanjali Rani and Akshay Jambagi from Sectrio's threat research team.
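The dropped-DLL, svchost.exe injection, ransom-note and file-hash indicators described in this report can be turned into a simple triage check over endpoint telemetry. The Python script below is an added example, not code from the original post or from Sectrio's product. The Sysmon-style event records it scans are constructed for illustration, and the record layout (keys `type`, `image`, `target_path`, `sha256`, `content`, `id`) and the label names are assumptions, not any real telemetry schema. The two SHA-256 values, the pwndll.dll name, the Public folder, svchost.exe and the ransom-note wording are the ones reported above.

```python
import hashlib
import re

# Indicators taken from the report above: the two SHA-256 hashes, the dropped
# DLL name, the folder it is dropped into, the process it is injected into and
# the opening words of the ransom note.
AGENDA_SHA256 = {
    "76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e",
    "fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039",
}
DROPPED_DLL = "pwndll.dll"
PUBLIC_DIR = re.compile(r"^[a-z]:\\users\\public\\", re.IGNORECASE)
INJECTED_HOST = "svchost.exe"
RANSOM_NOTE_MARKER = "your network/system was encrypted"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes, in the lowercase hex form used in IOC lists."""
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the file content hashes to one of the reported Agenda samples."""
    return sha256_hex(data) in AGENDA_SHA256


def basename(path: str) -> str:
    """Last component of a Windows path, lowercased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> list:
    """Return the indicator labels triggered by one Sysmon-style event record.

    The record layout (keys 'type', 'image', 'target_path', 'sha256', 'content')
    is an assumed, simplified schema, not real Sysmon output.
    """
    hits = []
    kind = event.get("type")
    target = event.get("target_path", "")
    image = event.get("image", "")

    # A file with one of the reported Agenda hashes written anywhere.
    if event.get("sha256", "").lower() in AGENDA_SHA256:
        hits.append("known_agenda_hash")

    # pwndll.dll being written to disk (the report places it in the Public folder,
    # but the file name alone is worth a look wherever it lands).
    if kind == "file_create" and basename(target) == DROPPED_DLL:
        hits.append("pwndll_dll_written")

    # svchost.exe loading any DLL out of the Public folder: the injection of the
    # dropped DLL described in the report. A legitimate svchost.exe has no
    # business loading code from a user-writable folder.
    if kind == "image_load" and basename(image) == INJECTED_HOST and PUBLIC_DIR.match(target):
        hits.append("svchost_loads_dll_from_public")

    # A newly created file whose text carries the ransom-note wording.
    if kind == "file_create" and RANSOM_NOTE_MARKER in event.get("content", "").lower():
        hits.append("ransom_note_written")

    return hits


def scan(events: list) -> list:
    """Return (event id, triggered labels) for every event that matches an IOC."""
    results = []
    for event in events:
        hits = check_event(event)
        if hits:
            results.append((event["id"], hits))
    return results


# Constructed sample telemetry for the demonstration; apart from the IOC hash
# reused in event 4, none of these paths, hashes or contents are real observations.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create", "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target_path": r"C:\Users\Public\pwndll.dll", "sha256": "0" * 64},
    {"id": 2, "type": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "target_path": r"C:\Users\Public\pwndll.dll"},
    {"id": 3, "type": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "target_path": r"C:\Windows\System32\rpcss.dll"},
    {"id": 4, "type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target_path": r"C:\Users\Public\sample.bin",
     "sha256": "76F860A0E238231C2AC262901CE447E83D840E16FCA52018293C6CF611A6807E"},
    {"id": 5, "type": "file_create", "image": r"C:\Users\Public\sample.bin",
     "target_path": r"C:\Users\alice\Desktop\note.txt",
     "content": "Your network/system was encrypted.\nContact us for the decryption key."},
    {"id": 6, "type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target_path": r"C:\Users\Public\Documents\readme.txt", "content": "meeting notes"},
]

if __name__ == "__main__":
    for event_id, labels in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(labels)}")
```

Events 3 and 6 are there to show what does not fire: svchost.exe loading a system DLL and an ordinary file written to the Public folder are both benign on their own. Hash matching is case-insensitive because IOC feeds and endpoint agents disagree on hex casing; the `svchost_loads_dll_from_public` rule is the one most likely to survive a rebuilt sample with a new hash, since it keys on behaviour rather than on a specific file.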