Qilin attacks the HAWITA Group
Incident Date:
March 5, 2024
Overview
Title
Qilin attacks the HAWITA Group
Victim
HAWITA Group
Attacker
Qilin
Location
First Reported
March 5, 2024
Ransomware Group Targets HAWITA Group
Ransomware group Qilin has targeted the HAWITA Group, but has not disclosed any other information. The HAWITA group is a producer of peat moss, substrates, planter pots, and Easypot. It is a globally operating company with more than 400 employees at present, eight production sites, and more than 4,500 ha of moor area in Germany and Baltic States.
Introduction to Qilin Ransomware
Qilin (aka Agenda) is a RaaS (Ransomware-as-a-Service) operation that first emerged in July of 2022. It is written in the Go and Rust programming languages and is capable of targeting Windows and Linux systems. Rust is a secure, cross-platform programming language that offers exceptional performance for concurrent processing, making it easier to evade security controls and develop variants to target multiple OSs.
Qilin's Attack Tactics
Qilin operators are known to exploit vulnerable applications including Remote Desktop Protocol (RDP). Each Qilin ransomware attack employs tactics such as altering the filename extensions of encrypted files and terminating specific processes and services. The utilization of Rust as the ransomware's foundation proves particularly effective due to its evasive nature and inherent complexity, allowing for seamless customization across various operating systems such as Windows, Linux, and others. Notably, the Qilin ransomware group can generate samples for both Windows and ESXi versions.
Qilin's Dark Web Presence
Qilin promotes its ransomware on the dark web, utilizing a proprietary DLS (Dedicated Leak Site) that contains distinctive company identifiers and leaked account information, as uncovered by experts from Group-IB Threat Intelligence.
Double Extortion Technique
The operators behind Qilin employ a double extortion technique, whereby they not only encrypt a victim's sensitive data but also exfiltrate it. Subsequently, they demand payment for a decryptor and insist on the non-disclosure of stolen data even after the ransom has been paid. Qilin ransomware features multiple encryption modes, all under the control of the operator.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.