Security researchers have infiltrated a Russia-based ransomware-as-a-service operation, exposing how the business model works and how much of a cut the gang in charge of the operation gets.
The threat intelligence team at security company Group-IB managed the feat in March 2023, when it gained inside intelligence on the Qilin ransomware group. Qilin uses ransomware written in both the Rust and Golang languages, and it was first discovered in August 2022.
Qilin’s operation actively looks to recruit affiliates on the dark web and boasts a dedicated leak site, or DLS, that contains leaked account credentials and company IDs. And although the group is far from prolific — it has only posted examples of 12 ransomware attacks on its site between July 2022 and May 2023 — its reach is global. Qilin has claimed four victims in North America and one each in the UK, France, the Netherlands, Serbia, Colombia, Brazil, Japan, and Australia.
The group has so far been known to target organisations in education and healthcare, as well as other critical services.
Group-IB’s researchers were able to observe Qilin’s RaaS operations in some detail, including the admin panel that affiliates can use to manage their attacks.