Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack

Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack

Qilin ransomware, operating as a ransomware-as-a-service (RaaS) model, has emerged as a major cyber threat, targeting over 84 victims monthly in 2025 by exploiting remote monitoring and management (RMM) tools, stolen credentials, and a novel “bring your own vulnerable driver” (BYOVD) technique. The group’s attacks leverage both Windows and Linux systems, disrupting critical infrastructure and backup systems.

---

Attack Statistics and Impact

• Victim Count:

  • 84 victims monthly in August and September 2025, peaking at 100 victims in June 2025.
  • Over 40 victims monthly since July 2022, excluding January 2025.

• Geographic Targets:

  • U.S., Canada, U.K., France, and Germany are the most impacted countries.

• Sector Distribution:

  • Manufacturing (23%), professional/scientific services (18%), and wholesale trade (10%).

• Financial and Operational Impact:

  • Disruption of backup systems (e.g., Veeam) compromises disaster recovery.
  • Encryption of files and deletion of shadow copies prevent data recovery.

---

Attack Methodology

Initial Access and Credential Harvesting

• Leaked Credentials: Attackers use stolen administrative credentials from the dark web to access systems via VPN and RDP.
• Credential Extraction Tools:
  • Mimikatz, WebBrowserPassView.exe, BypassCredGuard.exe, and SharpDecryptPwd are used to extract passwords from Chrome, RDP, SSH, and Citrix.
  • Stolen credentials enable lateral movement and privilege escalation.

Network Reconnaissance and Lateral Movement

• Tools for Reconnaissance:
  • mspaint.exe, notepad.exe, iexplore.exe are used to inspect files for sensitive data.
  • Cyberduck is employed for file transfers to remote servers, masking malicious activity.
• RMM Tools for Lateral Movement:
  • AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, and ScreenConnect are installed to move across networks.

Evasion Techniques

• Security Bypasses:
  • PowerShell commands disable AMSI (Anti-Malware Scan Interface) and TLS certificate validation.
  • Tools like dark-kill, HRSword, Cobalt Strike, and SystemBC are used to terminate security software and maintain persistent access.
• BYOVD Exploit:
  • The eskle.sys driver is deployed to disable security solutions, terminate processes, and evade detection.

Ransomware Deployment

• Hybrid Attack Strategy:
  • Linux ransomware variant is deployed on Windows systems using WinSCP and Splashtop Remote’s SRManager.exe.
  • The Linux payload enables cross-platform encryption, targeting both Windows and Linux systems.
• Post-Attack Actions:
  • Event logs are wiped, and Windows Volume Shadow Copy Service (VSS) shadow copies are deleted.
  • Ransom notes are dropped in encrypted folders, demanding payment in cryptocurrency.

---

Targeted Infrastructure and Tools

• Veeam Backup Systems:
  • Credential extraction tools are used to compromise backup infrastructure, undermining disaster recovery.
• Splashtop and ScreenConnect:
  • Exploited for final ransomware execution and command execution.
• Cloudflare R2 Infrastructure:
  • Used to host fake CAPTCHA pages for spear-phishing campaigns.

---

Advanced Techniques and Adaptations

• BYOVD Exploit:
  • Attackers use legitimate drivers (e.g., eskle.sys) to bypass security defenses.
• Cross-Platform Capabilities:
  • Linux ransomware binaries are deployed via PuTTY SSH clients to Linux systems.
• Hyperconverged Infrastructure Targeting:
  • Updated samples include Nutanix AHV detection, expanding attacks to hyperconverged environments.

---

Working Example (if code-related)

Note: The context does not include direct code examples. However, the use of PowerShell commands to disable AMSI is illustrative of evasion techniques:

# Example PowerShell command to disable AMSI (for educational purposes only)
$AmsiContext = [Ref].Assembly.GetType("System.Management.Automation.AmsiContext")
$AmsiContext.GetField("amsiContext", [System.Reflection.BindingFlags]::NonPublic -bor [System.Reflection.BindingFlags]::Instance).SetValue($AmsiContext, $null)

Explanation: This script disables AMSI, a Windows security feature that detects malicious scripts. Attackers use such commands to evade detection by endpoint security tools.

---

Recommendations

• Preventive Measures:

  • Regularly update and patch RMM tools (e.g., Atera, ScreenConnect).
  • Monitor for unusual activity in RDP and SSH logs.
  • Implement strict access controls for backup systems (e.g., Veeam).

• Detection and Response:

  • Deploy tools to detect AMSI bypasses and BYOVD driver usage.
  • Use endpoint detection and response (EDR) solutions to monitor lateral movement.

• Mitigation Strategies:

  • Enable multi-factor authentication (MFA) for remote access.
  • Regularly back up data and test recovery processes.
  • Educate employees on phishing and social engineering attacks.

• Avoid Common Pitfalls:

  • Do not use unpatched RMM tools or third-party remote access software.
  • Avoid storing sensitive credentials in plaintext or unsecured databases.

---

Reference

Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack