Qilin attacks WT Partnership Asia

Incident Date:

October 10, 2023

World map



Qilin attacks WT Partnership Asia


WT Partnership Asia




Kowloon, China

Hong Kong, China

First Reported

October 10, 2023

The Qilin Ransomware Attack on WT Partnership Asia

The Qilin ransomware gang has attacked WT Partnership Asia. WT Partnership is a global construction consultancy firm with offices in various regions, including Asia. They provide a range of services related to the construction and real estate industry, including cost management, project management, quantity surveying, and other consultancy services. The firm has a presence in several countries, and they work on a wide array of projects in different sectors, such as commercial, residential, industrial, infrastructure, and more.

Qilin posted WT Partnership Asia to its data leak site on October 10th, threatening to publish stolen “miscellaneous including confidential agreements, projects, customers’ information, etc” if the organization fails to pay an unspecified ransom.

Ransomware-as-a-Service (RaaS) Operation

Qilin, a Ransomware-as-a-Service (RaaS) operation, uses a Rust-based ransomware to carry out targeted attacks on its victims. Each Qilin ransomware attack employs tactics such as altering the filename extensions of encrypted files and terminating specific processes and services. The utilization of Rust as the ransomware's foundation proves particularly effective due to its evasive nature and inherent complexity, allowing for seamless customization across various operating systems such as Windows, Linux, and others. Notably, the Qilin ransomware group can generate samples for both Windows and ESXi versions.

Dark Web Promotions and Double Extortion

Qilin promotes its ransomware on the dark web, utilizing a proprietary DLS (Dedicated Leak Site) that contains distinctive company identifiers and leaked account information, as uncovered by experts from Group-IB Threat Intelligence. The operators behind Qilin employ a double extortion technique, whereby they not only encrypt a victim's sensitive data but also exfiltrate it. Subsequently, they demand payment for a decryptor and insist on the non-disclosure of stolen data even after the ransom has been paid. Qilin ransomware features multiple encryption modes, all under the control of the operator.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.