Qilin’s hefty ransom cuts on $3m payouts revealed by undercover sting


The Qilin ransomware group has been well and truly busted – not by the authorities, but by cybersecurity investigators who went undercover and learned the gang’s dark trade secrets, including the commissions crooks earn for successful attacks.

Group-IB revealed its sting operation, conducted this month, in a couple of Twitter posts, which said its “specialists infiltrated Qilin ransomware group in March 2023 and now can reveal the inside information on affiliates’ payment structure.”


It added: “For ransomware payments totaling $3m or less, affiliates earn 80% of the payment. For payments of more than $3m they get 85%.”

Qilin’s methodology was also exposed, including juicy details of how its ransomware operations are carried out, in a revelation the cyber-gang will probably not appreciate.

“Affiliates can configure ransomware with company name, ransom amount, timezone, and more using [malware] Qilin builder,” said the cybersecurity analyst, adding that the “intruder can customize [the] ransom note.”

Group-IB later posted an update in response to a tweeted query, in which it said it had strong reasons to believe Qilin is Russia-affiliated. Sharing a Russian-language bulletin from the cyber gang, it said: “The post is in Russian and mentions that the RaaS [ransomware as a service] ‘does not work in CIS [Commonwealth of Independent States] countries.’”

The CIS was set up in the aftermath of the Cold War to bring non-Western-aligned countries into closer cooperation. Ransomware gangs based in Russia are often tacitly tolerated by the Kremlin so long as they do not target the home country or its allies.
