Qilin, the Russian cybercriminal gang behind the ransomware attack on NHS providers that hit major London hospitals this week, has a track record of cyberattacks across medical organisations, courts and even the Big Issue.
The Russian-speaking gang appears to be taking full advantage of Vladimir Putin’s well-known policy of turning a blind eye to international cybercriminals operating from his country, provided they do not target ex-Soviet countries.
Qilin, also known as Agenda, has hacked hundreds of victims over the two years it has been operating under known identities.
Martin Zugec, director of technical solutions for anti-virus company Bitdefender, said: “This is a wake-up call. Just because you haven’t been targeted in the past doesn’t mean you’re safe.”
With Qilin members demanding millions of pounds in ransom payments from their victims, their latest hack on Tuesday – against an IT company supplying several large NHS hospital trusts – has forced their activities into the public eye.
“Qilin posted the first victim to their leak site in October 2022 and have steadily increased the number of posts each month, with May 2024 being the most prolific month to date with 16 organizations listed,” a spokesperson for cyber security company Secureworks told the Telegraph.
Ransomware gangs use leak sites as part of their criminal business strategy.
Once their virus-laden software is introduced to victims’ computers, usually through a phishing scam, a ransom note prompts the victim to contact the gang.
To ensure victims cooperate, Qilin and other ransomware gangs typically publish excerpts of stolen data such as employee passport scans and payroll data, threatening further leaks unless the ransom is paid.
Cyber security firm Secureworks told the Telegraph that Qilin delivers its malware to targets’ computers by sending them emails carrying viruses and other stealthy criminal tools.
Gang members then demand payment in hard-to-trace cryptocurrencies, and Qilin typically demands millions.
Stolen information – usually containing personal data of the kind useful for identity theft – usually finds its way online, being sold again and again through networks of criminals looking for ways to exploit the information for money.
Qilin’s 112 known victims span 30 different countries, with Russia and the Commonwealth of Independent States – former Soviet satellite countries – being notable exceptions.
Cybercrime is a lucrative business for the criminal underworld, and some of Qilin’s key players have previously been seen driving supercars around Moscow.
.@Foxes our pathology provider has confirmed that they are victims of ransomware cyberattacks.
Care for certain patients is being canceled or diverted as priority is given to urgent care. We apologize for the inconvenience. Our Emergency Departments remain open.
— Kings College NHS (@KingsCollegeNHS) June 4, 2024
Until recently known as Agenda, Qilin has targeted Australia’s Victoria state court service and the Big Issue magazine, among many other victims.
Courts Service Victoria confirmed in January that audio recordings of trials had been stolen and leaked online following the Qilin attack.
Experts told the Telegraph that Qilin’s victims, although usually public sector organisations, were likely to have been singled out because they were easy targets.
Mr Zugec, director of technical solutions at anti-virus company Bitdefender, said: “The recent NHS attack by ransomware affiliates highlights a critical trend in ransomware in 2024… attacks are becoming more opportunistic.
“Unfortunately, healthcare providers, with their often complex IT systems and limited budgets, can become an unintended casualty.”
Online criminal affiliates play a major role in how Qilin operates. Rather than consisting of a dedicated group of criminals, Qilin rents its hacking tools to individual cyber crooks.
In return for hacking lucrative targets, the individual criminals get access to Qilin’s expertise – and a significant cut of the money they help extort.
A spokesman for US cyber security company Secureworks told the Telegraph that Qilin affiliates can take up to four-fifths of any cash they collect from the gang’s victims, encouraging them to choose the softest and most profitable targets.
Will Thomas, an instructor with the SANS Institute cyber security training company, said the Qilin gang was one of the largest of its kind and had grown to such an extent that they outran their rivals.
“From the beginning, Qilin looks like many other cybercrime gangs that run a Ransomware-as-a-Service platform and data leakage site to extort victims for ransom,” explained Mr Thomas.
The data leak site is on the dark web, meaning that only those who know exactly how to find it using specialised web browsing software can view the contents of its posts.
Trend Micro, a cyber security company, has warned that Qilin’s activities have been increasing since the winter, suggesting an increased focus on targeting the underbelly of Western society: hospitals, healthcare organisations and the public sector.
“Ransomware detections on the program increased starting December 2023, in contrast to the number detected in November, indicating that its operators are becoming more active, or hitting a greater number of targets,” said a Trend Micro spokesperson.
However, Mr Thomas said the NHS hack could be the beginning of the end for Qilin.
“Whether they can withstand the pressure from law enforcement, only time will tell, but it is unlikely to be expected after the success of Operation Cronos and Operation Endgame.”
The two police operations, both multinational efforts, have seen a number of arrests across the European continent in an effort to break up ransomware gangs whose members are known to operate within reach of Western law enforcement and intelligence agencies.
Experts will now be looking closely at the digital traces left by Qilin to piece together the identities of the criminals and, in the future, bring them to justice.