The Qilin(Agenda) Ransomware Campaign: Attack Vectors, Evasion Techniques, and Mitigation Strategies

Abstract

Qilin ransomware was a sophisticated cyber-attack that targeted critical infrastructure systems in various locations around the world. The attacks were highly sophisticated. Qilin was able to bypass authentication and execute remote code using an unpatched vulnerability in Fortinet\'s second FortiGate and Fortisuite devices. The service offers Ransomware-as-As a Service with the ability to load any payload as required. This review paper examines the warhead dispatch mechanism, the evasion tactic, and a multi-phase extenuation and recovery technique.

Introduction

Qilin emerged in 2022 as a ransomware-as-a-service (RaaS) platform providing advanced extortion tools to affiliates. Over 310 victims worldwide have been targeted, including notable organizations in healthcare (NHS UK), publishing, automotive, and government sectors, with a focus on Spanish-speaking countries.

Exploited Vulnerabilities:

Qilin leverages recently disclosed critical vulnerabilities in Fortinet products (CVE-2024-21762) and reuses known exploits like CVE-2024-55591, highlighting collaboration and reuse within cybercriminal ecosystems.

Attack Methodology:

• Unauthorized access via phishing or credential compromise

• Deployment of ransomware payloads (using a .NET dropper named NETXLOADER)

• Data exfiltration and encryption with AES-256 and RSA-4096

• Ransom demands with threats of public data leaks

• Use of advanced evasion techniques like reflective DLL injection and obfuscation

Innovations & Features:

• A "Call a lawyer" feature to psychologically pressure victims

• Use of sophisticated encryption and self-deletion to avoid forensic analysis

• Chrome credential stealer and backup corruption capabilities

• Detection evasion through code obfuscation and in-memory execution

Impacted Sectors:

Healthcare, publishing, government, automotive, finance, and retail sectors have all suffered attacks.

Response & Containment:

• Immediate network isolation and disabling of exploited services (RDP, SMB)

• Memory capture for volatile artifact recovery (using tools like Volatility)

• Backup verification and cautious restoration after threat removal

• Behavioral emulation in sandbox environments to generate detection signatures

• Recommendations to patch vulnerabilities, disable post-exploitation tools (PsExec), and implement advanced detection (EDR/XDR) and offline backups

Proposed Detection Tool:

To counter Qilin’s stealth reflective DLL injection (fileless malware), a novel memory-forensics-based detection utility is proposed. It:

• Acquires RAM images and analyzes for hidden DLL injections using Volatility plugins

• Detects high-entropy memory regions, unmapped DLLs, and suspicious memory protections

• Extracts indicators of compromise (IOCs) for forensic and SIEM integration

• Provides near-real-time detection focused on memory-resident ransomware activity

• Complements traditional antivirus/EDR by detecting threats that evade file-based scanning

Comparative Advantage:

Unlike signature-based antivirus and typical EDRs, the proposed tool specializes in detecting fileless, in-memory ransomware like Qilin through entropy analysis and behavior heuristics, filling a critical gap in ransomware defense.

Conclusion

The increasing complexity of ransomware threats is reflected in the Qilin campaign. A mature electronic menace landscape is represented by its use of furtive stevedores such as NETXLOADER, authorized manipulation techniques, and multi-stage infection mechanism. There are currently no decoding devices, so a layered defense method is essential. Organisations must establish patching, behaviour monitoring, direct entry, and backup procedures to protect against such advanced attacks.

References

[1] Fortinet, Fortinet PSIRT: CVE-2024-21762 - Remote Code Execution in FortiOS and FortiProxy, Feb. 2025. [Online]. Available: https://www.fortiguard.com/psirt/FG-IR-24-00162 [2] Veeam, CVE-2023-27532: Vulnerability in Backup & Replication - Sensitive Information Disclosure, Veeam Security Advisory, 2023. [Online]. Available: https://www.veeam.com/kb4424 [3] MITRE ATT&CK, “Enterprise Techniques: Initial Access, Privilege Escalation, Defense Evasion,” MITRE Corporation, 2024. [Online]. Available: https://attack.mitre.org [4] Group-IB, Qilin Revisited: Diving into the techniques and procedures of the recent Qilin Ransomware Attacks, July 2024. [Online]. Available: https://www.group-ib.com/blog/qilin-ransomware-analysis [5] Mandiant, Best Practices for Ransomware Defense, FireEye Intelligence Report, vol. 37, 2024. [6] A. Caseley et al., “Detection of Reflective DLL Injection via Memory Forensics,” Proc. 17th Conf. Digital Forensics Research Workshop (DFRWS), 2023, pp. 19–30. [7] Volatility Foundation, Volatility 3 Framework Documentation, 2024. [Online]. Available: https://volatility3.readthedocs.io [8] S. Stojanovic, “Combating Ransomware Through Fileless Malware Detection: A Memory-Only Approach,” IEEE Transactions on Information Forensics and Security, vol. 19, pp. 1311–1325, Mar. 2024. [9] Microsoft, PsExec Utility - Sysinternals Suite, Microsoft Docs, 2024. [Online]. Available: https://docs.microsoft.com/sysinternals/downloads/psexec [10] D. L. Johnson and T. Moore, “Cryptographic Implementation Failures in Ransomware Payloads,” ACM Transactions on Privacy and Security, vol. 27, no. 2, Apr. 2023.

Copyright

Copyright © 2025 Priyadarsana B, Priya P Sajan. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.