Qilin: The Russian RaaS Group Who Crippled UK Healthcare

Date:

June 5, 2024


Ciaran Martin, former chief executive of the U.K.’s National Cyber Security Centre, has said that the ransomware-as-a-service (RaaS) group Qilin was behind the attack on pathology services provider Synnovis that delayed diagnostic testing and forced the cancellation of medical procedures.

“These criminal groups – there are quite a few of them – they operate freely from within Russia, they give themselves high-profile names, they’ve got websites on the so-called dark web, and this particular group has about a two-year history of attacking various organisations across the world,” The Independent reports Martin as saying.

Synnovis’ chief executive Mark Dollar told The Record that a “taskforce of IT experts from Synnovis and the NHS is working to fully assess the impact this has had.”

“Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised,” wrote Dollar. “We are incredibly sorry for the inconvenience and upset this is causing to patients, service users and anyone else affected.”

So, who is Qilin?

According to the latest Ransomware Malicious Quartile reference guide, Qilin (aka Agenda) is a RaaS operation that first emerged in July 2022. Its payloads are written in Go and Rust and can target both Windows and Linux systems.

Rust is a memory-safe, cross-platform language with strong performance for concurrent workloads. For ransomware authors the practical advantages are that one code base compiles cleanly for several operating systems, so variants for new targets are cheap to produce, and that Rust binaries remain less familiar to many analysts and detection tools than C/C++ or .NET payloads, which helps them slip past controls tuned for older toolchains.

Qilin operators are known to gain initial access through vulnerable applications and exposed Remote Desktop Protocol (RDP) services, so internet-facing RDP that is not behind a VPN and multi-factor authentication is a standing risk. The Qilin RaaS offers multiple encryption techniques, giving affiliates several configuration options when conducting an attack.
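Since exposed RDP is one of the access routes above, here is an added example (not code from this page, from Halcyon or from Qilin) of a simple detection a blue team can run over Windows Security log data. It groups failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive, i.e. RDP) by source address, raises an alert when one source accumulates a configurable number of failures inside a time window, and records whether a successful RDP logon (Event ID 4624) from that address followed, which is the signature of a brute-force or password spray that worked. The event IDs and logon type are real Windows semantics; the event records themselves are constructed sample data and the field layout is a simplified tuple rather than real EVTX XML.

```python
"""Flag RDP brute-force activity in (constructed) Windows Security events.

Event IDs 4625 (failed logon) and 4624 (successful logon) and LogonType 10
(RemoteInteractive) are genuine Windows Security log semantics. The sample
events below are constructed for this example and do not come from any
real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive: console session over RDP

# Each event is (timestamp, event_id, logon_type, source_ip, account).


def build_sample_events():
    """Constructed data: one source sprays 12 failures in under three minutes
    and then logs in; a second source has one typo then a normal login; a
    third fails repeatedly over SMB (LogonType 3), which an RDP rule ignores."""
    base = datetime(2024, 6, 1, 2, 14, 0)
    accounts = ["administrator", "admin", "backup", "svc_sql"]
    events = []
    for i in range(12):
        events.append((base + timedelta(seconds=15 * i), FAILED_LOGON,
                       RDP_LOGON_TYPE, "203.0.113.7", accounts[i % 4]))
    events.append((base + timedelta(minutes=3, seconds=20), SUCCESS_LOGON,
                   RDP_LOGON_TYPE, "203.0.113.7", "svc_sql"))
    events.append((datetime(2024, 6, 1, 9, 0, 0), FAILED_LOGON,
                   RDP_LOGON_TYPE, "198.51.100.4", "jsmith"))
    events.append((datetime(2024, 6, 1, 9, 0, 30), SUCCESS_LOGON,
                   RDP_LOGON_TYPE, "198.51.100.4", "jsmith"))
    for i in range(15):
        events.append((base + timedelta(seconds=5 * i), FAILED_LOGON,
                       3, "192.0.2.9", "fileshare"))
    return events


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for every source with at least `threshold`
    failed RDP logons inside any `window`-long span. Each alert carries the
    number of failures in that span, the accounts tried, and the account of
    the first successful RDP logon from the same source after the spray
    (None if the spray never succeeded)."""
    by_ip = defaultdict(list)
    for ts, event_id, logon_type, ip, account in events:
        if logon_type != RDP_LOGON_TYPE:
            continue  # only RDP sessions are in scope for this rule
        if event_id not in (FAILED_LOGON, SUCCESS_LOGON):
            continue
        by_ip[ip].append((ts, event_id, account))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(ts, acct) for ts, eid, acct in evs if eid == FAILED_LOGON]

        # Sliding window over the sorted failures: find the first span of
        # at most `window` seconds holding `threshold` or more failures.
        start, hit = 0, None
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hit = start
                break
        if hit is None:
            continue

        # Count every failure that falls in the window opened at `hit`.
        window_end = failures[hit][0] + window
        in_window = [f for f in failures[hit:] if f[0] <= window_end]
        last_failure = in_window[-1][0]
        success = next((acct for ts, eid, acct in evs
                        if eid == SUCCESS_LOGON and ts >= last_failure), None)
        alerts[ip] = {
            "failures": len(in_window),
            "accounts": sorted({acct for _, acct in in_window}),
            "success_account": success,
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(build_sample_events()).items():
        print(ip, alert)
```

The threshold and window are deliberately parameters: ten failures in ten minutes is a reasonable starting point for a single source, but lockout policy, jump hosts and scanners all shift the right values, and a spray that rotates source addresses will need the same logic keyed on the target account instead of the source IP.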

Qilin operations include data exfiltration for double extortion with the threat to expose or sell the data via their leaks site should the victim fail to come to terms with the attackers. The affiliate program offers an 80% take for ransoms under $3 million and 85% for those over $3 million.

Qilin is assessed to be a big game hunter that selects targets for their ability to pay large ransoms, with a particular focus on the healthcare and education sectors. Ransom demands are likely to run to millions of dollars: the affiliate profit-sharing model only pays its higher percentage on ransoms above $3 million, which signals the scale of payment the operation expects.

Notable victims include Big Issue Group, Ditronics Financial Services, Daiwa House, ASIC S.A., Thonburi Energy Storage, SIIX Corporation, WT Partnership Asia, FSM Solicitors and more.

You can learn more about the most active ransomware and data extortion groups in the quarterly Power Rankings: Ransomware Malicious Quartile report.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.