
Group-IB: Qilin Affiliates Receive Up to 85% Of Each Ransomware Payout

Group-IB researchers managed to infiltrate the Qilin ransomware group in March 2023 and discovered that affiliates received 80% to 85% of each ransomware payout.

The researchers infiltrated the encrypted messaging app Tox, which Qilin ransomware group members use, and monitored private conversations with a Qilin recruiter, Haise, who had been identified from another dark web forum, RAMP.

What is Qilin ransomware?

Qilin is a cyber extortion gang that operates a Ransomware-as-a-Service (RaaS) program based on double extortion. The group demands a ransom in exchange for a decryptor to unlock files from encrypted devices and threatens to publish sensitive data on their data leak site. Qilin listed 12 companies on its data leak site between July 2022 and May 2023.

The ransomware group uses Rust-based malware, which is difficult to detect because of the solid cryptographic properties of the Rust programming language. The group had initially developed the malware in the Go programming language before switching to Rust.

Additionally, many Qilin ransomware attacks are customized for each victim to achieve maximum impact.

“To do this, the threat actors can leverage such tactics as changing the filename extensions of encrypted files and terminating specific processes and services,” the researchers stated.

The malware can also be modified to target Windows, Linux, VMware ESXi servers, and other operating systems.

Qilin’s attack chain begins with phishing emails containing malicious links to lure targets to disclose sensitive information or download malware.

The group explicitly says it does not target CIS (Commonwealth of Independent States), which includes Russia and former Soviet states. Group-IB believes Qilin ransomware is pro-Russian.

Qilin affiliates receive the lion’s share of each ransomware payout

Group-IB researchers obtained Qilin’s payment structure and discovered that an affiliate was entitled to the lion’s share of each ransomware payout.

According to Qilin’s payment structure obtained by Group-IB researchers, an affiliate was earning 80% from a ransomware payout of $3 million or less and 85% for any payout exceeding $3 million.

Additionally, the affiliate program assisted members throughout the hacking process by providing them with an administrative panel to manage their ransomware operation.

“Moreover, the ransomware operator’s affiliate program is not only adding new members to its network, but it is weaponizing them with upgraded tools, techniques, and even service delivery,” the researchers stated.

The highly-organized ransomware affiliate program is divided into various sections such as Targets, Blogs, Stuffers, News, Payments, and FAQs.

The ‘Targets’ section contains crucial information such as files, directories, and extensions to encrypt or ignore, the encryption mode, ransom notes, and processes to terminate, while the ‘Blogs’ section contains the list of victims and if a ransomware payout has been received.

Next, the ‘Stuffers’ section manages user accounts and privileges, while the ‘Payments’ section contains transaction details and account balances.

Lastly, the ‘FAQ’ section contains support information and step-by-step instructions on using the ransomware, while the ‘News’ section allows the group to post updates related to their ransomware partnerships.

“The industrialization of cybercrime as a whole has allowed cybercriminals to specialize in what they do best; they are no longer a one-man-band, but technically skilled specialists with a very specific role within their community, renting their skills as a service, or in the case of affiliates for a cut of the profit,” said Victor Acin, KrakenLabs Manager at Outpost24.

While Qilin is not the first ransomware group to hand most of each ransomware payout to its affiliates, it is among the top-paying RaaS operators.

For example, GandCrab ransomware affiliates receive between 60% and 70% of each ransomware payout for payments between $500 and $1,200.

Similarly, NetWalker pays back up to 80% of its ransom, while BlackCat returns 80% to 90% of each ransomware payout to its affiliates.