Qilin Ransomware: How to Detect & Protect Against This Exploit

Qilin ransomware has emerged as a significant threat to organizations, particularly those relying heavily on Active Directory for managing their IT infrastructure. Qilin ransomware has adopted a new method for stealing credentials from Google Chrome browsers by leveraging Active Directory Group Policy. In this guide, we will explore how Qilin ransomware operates, the risks it poses to your organization, and how you can leverage tools like Cayosoft Guardian to detect and mitigate these threats effectively.

Understanding Qilin Ransomware

Qilin ransomware is a highly organized and adaptive cyber threat that targets businesses and institutions by infiltrating their network and leveraging existing vulnerabilities. This ransomware has adopted sophisticated techniques to steal credentials from Google Chrome browsers by exploiting Active Directory Group Policy Objects (GPOs). The attack starts when Qilin gains network access through compromised VPN credentials. They then move laterally within the network, escalating privileges to compromise Active Directory Domain Controllers. They use Group Policy Objects (GPOs) to deploy a PowerShell script (IpScanner.ps1) across all domain machines via a logon script (logon.bat). This script extracts stored Chrome credentials and saves them to a shared location on the SYSVOL. After collecting the data, Qilin clears local files and events, then creates a new GPO with a batch file (run.bat) to deploy ransomware to all domain computers.

Detecting Qilin Ransomware with Cayosoft Guardian

Cayosoft Guardian customers can use a feature called Change Alerting Rules. If you are not a Cayosoft Guardian customer, you can start a free trial. In the next section we walk you step by step through creating two new Change Alert Rules that detect both scenarios: the GPO that delivers the credential-stealing logon script and the GPO that delivers the ransomware.

Change Alert Rule – Group Policy with Logon Script Called logon.bat

1. In the Cayosoft Guardian web portal, expand the Change Monitoring node.

2. Click the Change History node.

3. In Saved Queries, select one of the predefined queries.

4. In this example, we use the predefined query called “All Active Directory Changes”.

5. Click Select.

6. Open the Properties Tab.

7. Click on the Advanced Tab.

8. Here we use the following OData query to filter on the specific change we are looking for: a GPO policy setting added under the Startup scripts path whose script name is logon.bat.

(va_gpoPolicySettings_added/any(i:i/path eq 'Computer Configuration/Policies/Windows Settings/Scripts/Startup')) and (va_gpoPolicySettings_added/any(i:i/name eq 'logon.bat'))

9. Click Apply.

10. Click Save As.

11. Input name: Detect Group Policies Changes that have startup script logon.bat (Possible Qilin Google Chrome Password Stealer Exploit).

12. Click Yes.

13. Select Add an Alert.

14. Navigate to the Workflow Steps.

15. Use the Toggle Feature to select how you wish to receive the alert.

Change Alert Rule – Group Policy with Logon Script Called run.bat

1. In the Cayosoft Guardian web portal, expand the Change Monitoring node.

2. Click the Change History node.

3. In Saved Queries, select one of the predefined queries.

4. In this example, we use the predefined query called “All Active Directory Changes”.

5. Click Select.

6. Open the Properties Tab.

7. Click on the Advanced Tab.

8. Here we use the following OData query to filter on the specific change we are looking for: the same Startup scripts path as before, but with the script name run.bat.

(va_gpoPolicySettings_added/any(i:i/path eq 'Computer Configuration/Policies/Windows Settings/Scripts/Startup')) and (va_gpoPolicySettings_added/any(i:i/name eq 'run.bat'))

9. Click Apply.

10. Select Save As.

11. Input name: Detect Group Policies Changes that have startup script run.bat (Possible Qilin Ransomware Exploit).

12. Click Yes.

13. Select Add an Alert.

14. Navigate to the Workflow Steps.

15. Use the Toggle Feature to select how you wish to receive the alert.
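The two alert rules above fire when Cayosoft Guardian sees the GPO change happen. As a complementary check that works without the product, the following PowerShell script (an added example, not Cayosoft's code or any Qilin artifact) sweeps the domain's SYSVOL for GPO startup-script definitions (Machine\Scripts\scripts.ini and psscripts.ini) and reports any entry named logon.bat, run.bat or IpScanner.ps1, the file names this article ties to the attack. It assumes the machine is domain-joined and the account can read SYSVOL; the $SuspiciousNames list is an assumption you can extend.

```powershell
# Added example: find GPO startup scripts with the file names this article
# associates with Qilin. Assumes a domain-joined host that can read SYSVOL.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: current host is domain-joined
    [string[]]$SuspiciousNames = @('logon.bat', 'run.bat', 'IpScanner.ps1')
)

$policiesRoot = "\\$Domain\SYSVOL\$Domain\Policies"

# Each GPO folder may hold Machine\Scripts\scripts.ini (batch/exe startup scripts)
# and Machine\Scripts\psscripts.ini (PowerShell startup scripts). Both use the
# same INI layout: a [Startup] section with numbered CmdLine/Parameters entries.
$iniFiles = Get-ChildItem -Path $policiesRoot -Recurse -Include 'scripts.ini', 'psscripts.ini' -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -like '*\Machine\Scripts\*' }

$findings = foreach ($ini in $iniFiles) {
    $section = ''
    foreach ($rawLine in Get-Content -Path $ini.FullName) {
        $line = $rawLine.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'Startup') { continue }
        # Entries look like "0CmdLine=logon.bat"; compare only the leaf file name
        # so a path prefix does not hide the script. -contains is case-insensitive.
        if ($line -match '^\d+CmdLine=(.+)$') {
            $scriptName = Split-Path -Leaf $Matches[1]
            if ($SuspiciousNames -contains $scriptName) {
                # The GPO GUID is the folder directly beneath Policies.
                $gpoGuid = ($ini.FullName -split '\\Policies\\')[1].Split('\')[0]
                [pscustomobject]@{
                    GpoGuid     = $gpoGuid
                    IniFile     = $ini.FullName
                    StartupItem = $scriptName
                    LastWrite   = $ini.LastWriteTime
                }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled task or monitoring job can flag the hit
} else {
    Write-Output "No startup scripts named $($SuspiciousNames -join ', ') found under $policiesRoot"
}
```

Run it from a scheduled task and treat a non-zero exit as an alert; the GpoGuid column maps straight to the GPO you would then inspect and, if unauthorized, unlink and remove.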

Conclusion

Qilin ransomware represents a growing threat to organizations, particularly those relying on Active Directory. By understanding the tactics used by this ransomware and implementing proactive measures, such as those provided by Cayosoft Guardian, IT administrators can detect and respond to these threats before they cause significant damage. Staying vigilant and maintaining robust security practices is key to defending against such sophisticated cyber threats.

Both of the above Change Alert Rules are available through the full Cayosoft Guardian solution. To see more of these features in action, be sure to request a personalized demo.

Cayosoft Guardian also offers a free version that enables threat detection and scanning capabilities. To access, download the free trial.

If you are an existing customer and would like more information on our latest threats, check out our threat library or visit our support site.

FAQs

Qilin ransomware is a sophisticated type of malware that targets organizations by infiltrating their networks and leveraging vulnerabilities, particularly within Active Directory environments. This ransomware variant is highly organized and adaptive, utilizing methods such as stealing credentials stored in Google Chrome browsers by exploiting Active Directory Group Policy Objects (GPOs). Once inside a network, Qilin ransomware can move laterally, escalate privileges, and compromise key infrastructure elements like Domain Controllers. The attack typically culminates in the deployment of ransomware across the entire domain, causing significant disruption and potential data loss.

Qilin ransomware exploits Active Directory by manipulating Group Policy Objects (GPOs) to execute malicious scripts across all domain machines. The attack begins with Qilin gaining access to the network through compromised VPN credentials. After escalating privileges, the attackers use GPOs to deploy a PowerShell script that extracts stored credentials from Google Chrome browsers. This script, executed via a logon script, saves the credentials to a shared location on the SYSVOL. After exfiltrating the data, the attackers use another GPO to deploy ransomware across all domain computers, making Active Directory a critical component of their attack strategy.

Detecting Qilin ransomware in your network requires monitoring for suspicious changes in Active Directory, particularly in Group Policy Objects (GPOs). Tools like Cayosoft Guardian can be highly effective in this regard. By setting up Change Alert Rules, you can monitor for specific scripts like “logon.bat” or “run.bat” being added to GPOs, which are indicative of a Qilin ransomware attack. Early detection allows IT administrators to respond quickly, mitigating the potential damage caused by the ransomware.

The signs of a Qilin ransomware attack include unexpected changes in Active Directory Group Policy Objects (GPOs), such as the creation of new scripts like “logon.bat” or “run.bat.” Other indicators include the presence of unusual PowerShell scripts (e.g., IpScanner.ps1) and the saving of credentials in unexpected locations like the SYSVOL share. Additionally, sudden clearing of local files and event logs can also be a sign that Qilin ransomware is actively trying to cover its tracks after exfiltrating sensitive data.

To protect your organization from Qilin ransomware, it is essential to implement robust security measures within your Active Directory environment. This includes regularly monitoring and auditing Group Policy Objects (GPOs) for unauthorized changes, using tools like Cayosoft Guardian to set up Change Alert Rules. Additionally, ensure that VPN credentials and other access points are secured with strong, unique passwords and multi-factor authentication (MFA). Keeping your software and systems up to date with the latest security patches is also crucial in defending against potential exploits used by Qilin ransomware.

Want to Learn More About Cayosoft Guardian?

Cayosoft Guardian increases Active Directory security through advanced threat detection and recovery capabilities. Schedule a demo today!
