Hal Leonard Australia Hit by Qilin Ransomware Attack

Hal Leonard Australia has reportedly fallen victim to an attack by the Qilin ransomware group. The group obtained several pieces of corporate information, including private contracts, agreements, all financial documentation, projects, email correspondence, and much more. Hal Leonard Australia is a subsidiary of Hal Leonard Corporation, which is the world’s largest music print publisher. Hal Leonard Corporation operates in more than 65 countries and represents some of the most esteemed artists, such as The Beatles, Miles Davis, Diana Krall, Justin Timberlake, Stevie Wonder, Irving Berlin, and Rodgers & Hammerstein.

In addition to their publishing work, Hal Leonard offers various digital services, such as music and media production tools, online music lessons, and digital sheet music. The Australian branch, Hal Leonard Australia, focuses on serving the Australian market, catering to the needs of musicians, educators, and retailers in that region.

The Qilin Ransomware Operation

Qilin, a Ransomware-as-a-Service (RaaS) operation, uses a Rust-based ransomware to carry out targeted attacks on its victims. Each Qilin ransomware attack employs tactics such as altering the filename extensions of encrypted files and terminating specific processes and services. The utilization of Rust as the ransomware's foundation proves particularly effective due to its evasive nature and inherent complexity, allowing for seamless customization across various operating systems such as Windows, Linux, and others. Notably, the Qilin ransomware group can generate samples for both Windows and ESXi versions.

Qilin promotes its ransomware on the dark web, utilizing a proprietary DLS (Dedicated Leak Site) that contains distinctive company identifiers and leaked account information, as uncovered by experts from Group-IB Threat Intelligence. The operators behind Qilin employ a double extortion technique, whereby they not only encrypt a victim's sensitive data but also exfiltrate it. Subsequently, they demand payment for a decryptor and insist on the non-disclosure of stolen data even after the ransom has been paid. Qilin ransomware features multiple encryption modes, all under the control of the operator.