Qilin (Agenda) Ransomware: Complete Guide

Qilin ransomware, also known as Agenda ransomware, is written in the Rust and Go programming languages, which makes it more versatile and harder to analyze or detect. Qilin ransomware gained notoriety for targeting critical-sector companies, but it is a threat to organizations across all verticals.

The ransomware operator’s affiliate program is not only adding new members to its network, but it is also weaponizing them with malware and supporting services to target education, healthcare, and other critical sectors of the worldwide economy.

The ransomware samples are 64-bit Windows PE (Portable Executable) files written in Go, and they specifically target Windows-based systems. The group distributing the malware focused on healthcare and education organizations in Indonesia, Saudi Arabia, South Africa, and Thailand. Each ransom note dropped by the ransomware was customized for its intended victim. The investigation revealed that the samples contained leaked accounts, customer passwords, and unique company IDs used as extensions of encrypted files.

What kind of malware is Qilin?

Qilin ransomware is a Ransomware-as-a-Service (RaaS) affiliate program that uses Rust-based ransomware to target its victims. Qilin ransomware attacks are customized for each victim to maximize their impact, and the threat actors can leverage tactics such as changing the filename extensions of encrypted files and terminating specific processes and services.

Qilin ransomware uses AES-256 encryption to encrypt the files on the victim’s system. The ransomware also uses RSA-2048 to encrypt the generated key. After successful encryption, the encrypted files are appended with a new random file extension, such as “.MmXReVIxLV”.

Everything we know about Qilin (Agenda) ransomware

This list contains the basic information about the new ransomware strain known as Qilin (Agenda).

Confirmed Name

  • Agenda (Qilin) virus

Threat Type

  • Ransomware
  • Stealthy Malware
  • Crypto Virus
  • File locker
  • Double extortion

Encrypted Files Extension

  • Random extension

Ransom Demanding Message

  • [random_string]-RECOVER-README.txt

Detection Names

  • Avast Win64:Trojan-gen
  • Sophos Mal/Generic-S
  • Emsisoft Trojan.Ransom.Babuk.F (B)
  • Kaspersky Trojan.Win32.DelShad.ivd
  • Malwarebytes Generic.Malware/Suspicious
  • Microsoft Ransom:Win32/Babuk.SIB!MTB

Ransomware family, type & variant

  • Family: Qilin ransomware is part of the Qilin ransomware family
  • Type: Qilin ransomware is a Ransomware-as-a-Service (RaaS) affiliate program
  • Variant: Qilin ransomware is also known as Agenda ransomware

Distribution methods

  • Dissemination of infected files
  • Malicious hyperlinks
  • RDP-based assaults
  • Phishing
  • Spam email campaigns

Consequences

  • Data exfiltration
  • File encryption

Is There a Free Decryptor Available?

No. There is no known public decryptor for Qilin (Agenda) ransomware available at this time.

What are Qilin ransomware’s IOCs?

Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

Qilin (Agenda) ransomware’s Indicators of Compromise (IOCs) include:

  • Encryption: Agenda ransomware encrypts files using AES-256 encryption
  • File extension: Agenda ransomware appends a configured file extension to the filenames of encrypted files
  • Ransom note: Agenda ransomware drops a ransom note in each encrypted directory
  • Behavior: Agenda ransomware can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run
  • Network compromise: Agenda ransomware is associated with the compromise of an entire network and its shared drives

Qilin (Agenda) ransomware’s ransom note

The ransom note left by Qilin ransomware informs the victim that their files have been encrypted and demands a ransom payment. The ransom note may also mention that the threat actors have downloaded data, such as employee details and credentials, from the infected system. If the victim refuses to communicate with the threat actors, the data may be published.

Example of Agenda ransom note:

How does Agenda/Qilin ransomware spread?

Qilin ransomware is a dangerous malware that can infect a computer or network in several ways, including:

  • Dissemination of infected files. Qilin ransomware may spread through infected files that are downloaded and installed on the victim’s system without their knowledge.
  • Malicious hyperlinks. Qilin ransomware may use malicious hyperlinks to infiltrate the victim’s system. This occurs when the victim unknowingly visits an infected website, and then malware is downloaded and installed without their knowledge.
  • RDP-based assaults. Qilin ransomware may use RDP-based assaults to infiltrate the victim’s system. This occurs when the threat actors exploit vulnerabilities in Remote Desktop Protocol (RDP) to gain access to the victim’s system.
  • Phishing. Qilin ransomware may begin with a phishing email that contains a malicious attachment or link. The victim is tricked into downloading and installing the malware on their system.

How does Agenda ransomware infect a computer or network?

Agenda ransomware is a Go-based ransomware that targets Windows systems and is customized for each victim.

The ransomware uses several tactics and techniques to maximize its impact, including:

  1. Safe mode execution. Agenda ransomware can reboot systems in safe mode to evade detection and prevent the victim from accessing their system.
  2. Process and service termination. The ransomware stops server-specific processes and services to maximize its impact.
  3. Shadow volume copy removal. Agenda ransomware removes shadow volume copies to prevent the victim from restoring their system to a previous state.
  4. Antivirus process and service termination. The ransomware terminates various antivirus processes and services to evade detection.
  5. Auto-start entry creation. Agenda ransomware creates an auto-start entry pointing at a copy of itself to ensure that it runs every time the system boots up.
  6. Password modification. The ransomware changes the default user’s password and then enables automatic login using the modified credentials.
  7. Spoofed user logon. Agenda ransomware takes advantage of local accounts to log on as spoofed users and execute the ransomware binary, further encrypting other machines if the logon attempt is successful.
  8. Persistence mechanism. The ransomware uses a DLL-based persistence mechanism to ensure that it remains active on the victim’s system.
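To turn the tactics above into something a SOC can hunt for, here is an added Python example (not from the original article or from any vendor) that runs simple pattern rules over constructed process-creation log lines and flags hosts where several tactics appear together. The host names, user names, log format and the exact patterns are assumptions for illustration.

```python
import re

# One or more regexes per tactic; names follow the numbered list in the text.
# Constructed for this example: tune and add exclusions before using in production.
TACTIC_PATTERNS = {
    "Safe mode execution": [r"\bbcdedit(\.exe)?\b.*\bsafeboot\b"],
    "Process and service termination": [r"\b(net1?|sc)(\.exe)?\s+stop\s+\S+",
                                        r"\btaskkill(\.exe)?\b.*\s/f\b"],
    "Shadow volume copy removal": [r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
                                   r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"],
    "Auto-start entry creation": [r"\breg(\.exe)?\s+add\b.*\\currentversion\\run(once)?\b"],
    "Password modification": [r"\bnet1?(\.exe)?\s+user\s+\S+\s+(?!/)\S+",
                              r"\breg(\.exe)?\s+add\b.*\bautoadminlogon\b"],
}
_COMPILED = {t: [re.compile(p, re.I) for p in ps] for t, ps in TACTIC_PATTERNS.items()}

# Constructed sample process-creation log: "<iso-time> <host> <user> :: <command line>"
SAMPLE_LOG = [
    "2024-05-01T02:13:07Z WS-FIN-02 svc_backup :: vssadmin.exe delete shadows /all /quiet",
    "2024-05-01T02:13:09Z WS-FIN-02 svc_backup :: bcdedit /set {default} safeboot network",
    "2024-05-01T02:13:11Z WS-FIN-02 svc_backup :: reg add \"HKLM\\Software\\Microsoft\\Windows NT"
    "\\CurrentVersion\\Winlogon\" /v AutoAdminLogon /t REG_SZ /d 1 /f",
    "2024-05-01T02:13:12Z WS-FIN-02 svc_backup :: reg add HKLM\\Software\\Microsoft\\Windows"
    "\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\ProgramData\\upd.exe /f",
    "2024-05-01T08:02:44Z WS-HR-07 jdoe :: net user jdoe /domain",
    "2024-05-01T08:15:10Z SRV-DB-01 dbadmin :: sc stop MSSQLSERVER",
]

def classify(cmdline):
    """Return the tactic names whose patterns match one command line."""
    return sorted(t for t, regs in _COMPILED.items() if any(r.search(cmdline) for r in regs))

def hunt(lines):
    """Map each host to the set of distinct tactics observed in its command lines."""
    per_host = {}
    for line in lines:
        meta, _, cmdline = line.partition(" :: ")
        host = meta.split()[1]
        per_host.setdefault(host, set()).update(classify(cmdline))
    return per_host

def suspicious_hosts(per_host, min_tactics=2):
    """One 'sc stop' is routine admin work; several tactics on one host in a burst is not."""
    return sorted(h for h, tactics in per_host.items() if len(tactics) >= min_tactics)

if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for host in suspicious_hosts(hits):
        print(host, "->", ", ".join(sorted(hits[host])))
```

On the constructed log, only WS-FIN-02 is reported, because the single service stop on SRV-DB-01 falls below the two-tactic threshold.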

Do not pay the ransom or negotiate with the threat actors. Contact SalvageData experts immediately to restore your files and report the ransomware to local authorities.

How to handle a Qilin (Agenda) ransomware attack

Important: The first step is to follow your Incident Response Plan (IRP). Ideally, you have an Incident Response Retainer (IRR) with a trusted team of professionals who can be contacted 24/7/365 and can take immediate action to prevent data loss, reduce or eliminate the ransom payment, and help you through any legal liabilities.

To the best of our knowledge with the information we have at the time this article is published, the first step that a team of ransomware recovery experts would take is to isolate the infected computer by disconnecting it from the internet and disconnecting any connected devices.

Simultaneously, this team will assist you in contacting your country’s local authorities. For US residents and businesses, these are the local FBI field office and the Internet Crime Complaint Center (IC3). To report a ransomware attack you must gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with Qilin actors (if you have them)
  • A sample of an encrypted file

However, if you don’t have an IRP or IRR, you can still contact ransomware removal and recovery professionals. This is the best course of action and greatly increases the chances of successfully removing the ransomware, restoring the data, and preventing future attacks. We recommend that you leave every infected machine as it is and call an emergency ransomware recovery service.

Restarting or shutting down the system may compromise the recovery process. Capturing the RAM of a live system may help recover the encryption key, and a captured dropper file can be reverse-engineered, which may lead to decryption of the data or to an understanding of how the ransomware operates.

What NOT to do to recover from a Qilin (Agenda) ransomware attack

You must not delete the ransomware, and you must keep all evidence of the attack. That is important for digital forensics, so that experts can trace the attack back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

1. Contacting your Incident Response provider

Cyber incident response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, then they will take care of everything else. However, if you decide to remove the ransomware and recover the files with your IT team, then you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by the file extension (some ransomware strains use the file extension as their name), or the name will appear in the ransom note. With this information, you can look for a public decryption tool.

You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.
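As an added example (not part of the original article), a small Python triage script for this step: it walks a directory tree, finds notes matching the [random_string]-RECOVER-README.txt naming given above, and picks out the unfamiliar extension appended to encrypted files, reporting whether the note’s random string and the extension coincide. The sample tree, the list of known extensions and the report format are constructed assumptions.

```python
import os
import re
import tempfile
from collections import Counter
# Ransom-note file name pattern given in the text: [random_string]-RECOVER-README.txt
NOTE_RE = re.compile(r"^(?P<tag>[A-Za-z0-9]+)-RECOVER-README\.txt$")
# Extensions that are normal for the share being triaged; extend for your environment.
KNOWN_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".exe", ".dll", ".log"}

def scan(root):
    """Walk root, collecting ransom-note tags and a histogram of the other files' extensions."""
    tags, exts = set(), Counter()
    for _, _, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                tags.add(m.group("tag"))
            else:
                exts[os.path.splitext(name)[1]] += 1
    return tags, exts

def likely_encryption_extension(exts, min_count=2):
    """Most frequent extension that is neither empty nor known, if seen min_count or more times."""
    for ext, n in Counter(exts).most_common():
        if ext and ext not in KNOWN_EXTS and n >= min_count:
            return ext
    return None

def identify(root):
    """What step 2 needs: note tag(s), the appended extension, and whether the two agree."""
    tags, exts = scan(root)
    ext = likely_encryption_extension(exts)
    return {"note_tags": sorted(tags), "extension": ext,
            "encrypted_files": exts[ext] if ext else 0,
            "tag_matches_extension": ext is not None and ext[1:] in tags}

def build_sample_tree(root):
    """Constructed sample share: a random extension and one note per affected directory."""
    layout = {"docs": ["report.docx.MmXReVIxLV", "budget.xlsx.MmXReVIxLV", "MmXReVIxLV-RECOVER-README.txt"],
              "pics": ["holiday.jpg.MmXReVIxLV", "MmXReVIxLV-RECOVER-README.txt"],
              "": ["readme.txt", "setup.exe"]}  # untouched files
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("sample\n")
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return identify(build_sample_tree(tmp))
```

Run `identify()` against the root of an affected share instead of `demo()`; the note tag and the extension are the two values to search for when looking for a public decryption tool.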

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

Use anti-malware/anti-ransomware software to quarantine and remove the malicious software.

Important: By contacting ransomware removal services you can ensure that your machine and network have no trace of the Qilin (Agenda) ransomware. Also, these services can patch your system, preventing new attacks.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent the Qilin (Agenda) ransomware from attacking your network again.

Also, we offer a digital forensic report that you can use for further investigation and to understand how the cyber attack happened.

Contact our experts 24/7 for emergency recovery service.

Prevent the Qilin (Agenda) ransomware attack

Preventing ransomware attacks is the best solution for data security; it is easier and cheaper than recovering from them. Qilin ransomware can cost your business its future and even close its doors.

These are a few tips to ensure you can avoid ransomware attacks:

  • Install antivirus and anti-malware software.
  • Employ reliable cybersecurity solutions.
  • Utilize strong and secure passwords.
  • Keep software and operating systems up to date.
  • Implement firewalls for added protection.
  • Create a data recovery plan.
  • Regularly schedule backups to safeguard your data.
  • Exercise caution with email attachments and downloads from unknown or suspicious sources.
  • Verify the safety of ads before clicking on them.
  • Access websites only from trusted sources.

By adhering to these practices, you can fortify your online security and protect yourself from potential threats.

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible to a wide audience.
