New Qilin.B Ransomware Variant Is Even Harder to Detect and Features Improved Encryption

• A new variant of the Qilin ransomware was observed by security researchers, who underline its enhanced tactics, techniques, and procedures.
• The encryption mechanisms leverage AES-256-CTR, Chacha20, and RSA-4096, which are among the best available.
• The Qilin.B variant also disables services related to security, backup, and virtualization.

A new variant of the notorious Qilin ransomware called Qilin.B has been identified. The new variant is written in Rust, a programming language known for its resilience against reverse engineering, according to security researchers at anti-ransomware firm Halcyon.

The new variant comes with effective defense evasion tactics, persistent disruption of backup systems, advanced anti-forensic techniques, and enhanced encryption mechanisms leveraging AES-256-CTR, Chacha20, and RSA-4096.

Qilin.B sabotages backup systems by deleting volume shadow copies (VSS), undermining critical recovery mechanisms. 

The malware effectively terminates services linked to security tools, clears Windows Event Logs, and deletes itself post-execution, complicating forensic analysis efforts.

It also targets and disables services related to security, backup, and virtualization, such as Veeam, VSS, SQL, Sophos, Acronisagent, and SAP. However, it strategically avoids encrypting essential system directories like Windows, system volume information, and program files.

Sharing network drives between elevated and non-elevated processes via altering system settings lets processes with different privilege levels access mapped drives. Persistence is acquired by executing upon system reboot due to adding an AUTORUN registry entry.

Qilin.B employs a dual encryption approach, utilizing AES-256-CTR for systems supporting AESNI and Chacha20 for others. The encryption keys are safeguarded with RSA-4096 and OAEP padding, rendering decryption impossible without access to private keys or seed values. 

The ransomware appends a unique string to encrypted files, serving as a company_id for tracking specific targets by affiliates. For every directory it processes, Qilin.B generates ransom notes that guide victims to a Tor website for payment instructions and file decryption procedures.

As malware evolves and becomes more dangerous, new variants keep appearing. Recently, the Grandoreiro banking malware returned with improved tactics for avoiding detection, including a new sandbox evasion code, a domain generation algorithm, and digitally signed legitimate certificates.