Who are Qilin? Inside the Russian cybercrime gang that crippled NHS hospitals

Qilin, the Russian cybercrime gang behind the ransomware attack on NHS suppliers that crippled major London hospitals this week, has a track record of cyberattacks spanning medical organisations, courts and even the Big Issue.

The Russian-speaking gang appears to be taking full advantage of Vladimir Putin’s well-known policy of turning a blind eye to international cybercriminals operating from his country, provided they do not target ex-Soviet countries.

Qilin, also known as Agenda, has hacked hundreds of victims in the two years it has been operating under its known identity.

Martin Zugec, director of technical solutions at antivirus company Bitdefender, said: “This is a wake-up call. Just because you have not been targeted in the past does not mean you are safe.”

With Qilin members demanding millions of pounds in ransoms from their victims, their latest hack on Tuesday – against an IT company that supplies a number of major NHS hospital trusts – has thrust their activities into the public spotlight.

“Qilin posted the first victim to their leak site in October 2022 and has steadily increased the number of posts each month, with May 2024 being their most productive month yet with 16 organizations named,” a spokesperson for cybersecurity firm Secureworks told The Telegraph.

Big Issue magazine was among dozens of victims targeted by Qilin cybercrime gang – Paul Harding/PA

Leaking sites are used by ransomware gangs as part of their criminal business strategy.

Once the gang’s malware has been introduced to the victims’ computers, normally via phishing, a message appears telling them to contact the gang.

To get victims to cooperate, Qilin and other ransomware gangs typically publish snippets of stolen data, such as scans of employees’ passports and payroll information, threatening to leak more unless they are paid a ransom.

Cybersecurity firm Secureworks told The Telegraph that Qilin delivers its malicious software to its targets’ computers by sending them emails containing viruses and other stealthy criminal tools.

Gang members then demand payment in hard-to-trace cryptocurrencies, with Qilin typically demanding millions.

Stolen information – usually consisting of personal data of the type useful for identity theft – then typically finds its way online and is sold again and again through networks of criminals looking for ways to exploit the information for money.

Qilin’s 112 known victims span thirty different countries, with Russia and the Commonwealth of Independent States (ex-Soviet satellite countries) being the notable exceptions.

Cybercrime is a lucrative business for the criminal underworld, with some of Qilin’s key players previously pictured driving around Moscow in supercars.

Qilin, until recently known as Agenda, has targeted the Australian state court of Victoria and Big Issue magazine, among dozens of other victims.

Victoria’s Courts Service confirmed in January that audio recordings of trials had been stolen and leaked online following a Qilin attack.

Experts told The Telegraph that Qilin’s victims, although typically made up of public sector organisations, were likely singled out because they are easy targets.

Mr Zugec said: “The recent NHS attack by ransomware affiliates underlines a crucial trend in ransomware in 2024… attacks are becoming increasingly opportunistic.

“Unfortunately, healthcare providers, with their often complex IT systems and limited budgets, can become unintended victims.”

Online criminal organizations play a major role in the way Qilin operates. Instead of consisting of a dedicated group of criminals, Qilin rents out its hacking tools to individual cybercriminals.

In exchange for hacking lucrative targets, the individual criminals get access to Qilin’s expertise – and a significant cut of the money they help extort.

A spokesperson for US cybersecurity firm Secureworks told The Telegraph that Qilin’s affiliates can take up to four-fifths of all the money they extort from the gang’s victims, giving them an incentive to choose the softest, most lucrative targets.

Will Thomas, an instructor at cybersecurity training company the SANS Institute, said the Qilin gang was one of the largest of its kind and had grown so big by outlasting its rivals.

“From the start, Qilin appears to be like many other cybercriminal gangs operating a Ransomware-as-a-Service platform and data breach site to extort victims for ransom,” Thomas explains.

The data breach site is on the dark web, meaning only those who know exactly how to find it using specialized web browser software can see what is posted there.

Trend Micro, a cybersecurity company, warned that Qilin’s activities have increased since winter, signalling an increasing focus on attacking the soft underbelly of Western society: hospitals, healthcare organisations and the public sector.

“Ransomware detections at Agenda increased in early December 2023, in contrast to the number of detections in November, showing that operators are becoming more active or reaching a greater number of targets,” a Trend Micro spokesperson said.

However, Mr Thomas said the NHS hack could be the beginning of the end for Qilin.

“Whether they can withstand the pressure from law enforcement, only time will tell, but it doesn’t look likely after the success of Operation Cronos and Operation Endgame.”

These two police operations, both multinational efforts, have led to a number of arrests across the European continent in an effort to break up ransomware gangs whose members are known to operate within the reach of Western law enforcement and intelligence agencies.

Experts will now look closely at the digital traces left by Qilin to determine the identity of the criminals and bring them to justice in the future.