Analysis on the Qilin Ransomware Using Selective Encryption Algorithm

Recently, Qilin ransomware has been launching continuous attacks on companies in various countries and industries around the world, and cases of damage have also been identified in South Korea. This post analyzes the key features and encryption methods of Qilin ransomware, as well as the technical reasons why decryption is impossible, to provide insights that can help organizations effectively respond to similar threats in the future.

Summary

Qilin Ransomware Information

– First emerged in August 2022
– Has launched ransomware attacks against companies in a variety of countries and industries
– Uses the Ransomware-as-a-Service (RaaS) model and the double extortion technique
– Initial access is mainly known to be through spear phishing

Ransomware Malware Information

– Takes a password as an execution argument, compares its hash with the hash embedded in the binary, and decides whether to run
– Deletes volume shadow copies, stops database-related services, deletes event logs, and changes the desktop background
– Checks its command-line arguments before running and supports a variety of options
– Uses two encryption algorithms, AES and ChaCha20
– Developed in Golang and Rust, which are highly portable to other platforms
– Creates a QLOG folder in the temporary directory when executed to store the execution record
– Encrypts the AES key-related information with an RSA public key and appends it to the end of the file

 

1. Overview

1.1 Qilin (Agenda)

 

The Qilin ransomware group, also known as Agenda, first emerged in August 2022. They have been continuously attacking various countries including the Netherlands, Brazil, Serbia, the UK, Japan, Australia, and South Korea, among others. Like other ransomware groups, they encrypt files on infected systems and steal sensitive data from affected organizations. If the ransom is not paid, they publicly disclose the stolen data.

 

The initial access method is mainly known to be spear phishing. The threat actor switched the language the ransomware is written in from Go to Rust to hinder analysis and detection. Targets have included a variety of industries, including education, healthcare, and critical infrastructure (electricity, water supply, telecommunications, and medical services).

 

2. Analysis

2.1 Initial Routine

Qilin ransomware only runs when the correct password is supplied via the "--password" argument. The supplied value is hashed with SHA-256 and compared with the SHA-256 hash hard-coded in the binary; if the two values match, the encryption process begins. Ransomware that takes a password as an argument usually uses that password as a key to decrypt its own code before executing it. Qilin's code, however, is not encrypted in this way, so the check is a plain conditional branch: if that branch is bypassed, execution continues even when an incorrect password was entered.

 

With the conditional bypassed, execution proceeds into the main body. The ransomware then calls CreateMutexW() using the SHA-256 hash of a second password, embedded in each sample, as the mutex name in order to prevent duplicate execution. It also supports multiple arguments; each argument and its behavior are listed in Table 1 below.

Argument         Behavior

-debug           Run in debug mode
-safe            Reboot into safe mode after encrypting files
--password       Password required to run
--paths          Encrypt only the designated paths
--timer          Delay before execution
--no-proc        Do not terminate processes while encrypting files
--no-services    Do not stop services while encrypting files
--spread         Spread across the network via PsExec
--no-extension   Do not change the file extension after encryption
--no-wallpaper   Do not change the desktop background after encryption
--no-network     Do not encrypt network paths
--no-note        Do not create a ransom note
--no-destruct    Do not self-delete after file encryption

Table 1. Behavior by argument value
 

2.2. Preparing for Encryption

 

Qilin ransomware makes incident analysis and system recovery difficult by deleting event logs and backup-related data. To delete volume shadow copies completely, it performs the following steps: it changes the startup type of the Volume Shadow Copy Service (VSS) to Manual and starts the service, uses vssadmin.exe to delete the volume shadow copies, then stops the service and changes its startup type to Disabled. The commands are listed in Table 2 below.

Delete Volume Shadow Copy commands

1. wmic service where name='vss' call ChangeStartMode Manual

2. net start vss

3. vssadmin.exe delete shadows /all /quiet

4. net stop vss

5. wmic service where name='vss' call ChangeStartMode Disabled

Table 2. Recovery-inhibiting commands

 

Then, a PowerShell script is executed to delete all event logs registered in the system without backup. As a result, only the record of deleting the system logs remains in the logs. For more information, refer to Table 3 below.

Script to Delete Event Logs

powershell "$logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}"

Table 3. Event log deletion script

 

It also maintains persistence through a registry entry. The registry value name is generated in the format "*<6 random characters>"; when an asterisk (*) precedes the value name, the ransomware is executed even in safe mode. However, unless the "--no-destruct" argument is used, the binary self-deletes and leaves only the registry value behind, so it no longer runs after a reboot.

 

Figure 3. Registering in the registry for persistence
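As an added example (not code from the original post or from AhnLab), the following Python rules detect the recovery-inhibiting steps described in Tables 2 and 3 and the Run-key persistence entry above, run over constructed log lines. It assumes a simple tab-separated log format, that the persistence value lives under the Run key (the EDR detection name Persistence/EDR.RunKey points there, but the post does not state the key path), and that the random part of the value name is six alphanumeric characters.

```python
"""Detection rules for the recovery-inhibiting steps above (Tables 2 and 3 and
the Run-key persistence value).

Added example, not code from the original post or from AhnLab. Assumptions:
log lines are "<event>\t<detail>", where event is "process" (command line) or
"registry" (key path + value name); the persistence value sits under the Run
key; the random part of the value name is six alphanumeric characters. Every
log line below is constructed for the example.
"""
import re

# (rule name, event type, regex over the detail field); matched case-insensitively.
RULES = [
    ("vss_startmode_change", "process",
     r"wmic(\.exe)?\s+service\s+where\s+name=['\"]?vss['\"]?\s+call\s+ChangeStartMode"),
    ("vss_service_start_stop", "process",
     r"^net(\.exe)?\s+(start|stop)\s+vss\b"),
    ("shadow_copy_deletion", "process",
     r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all"),
    ("eventlog_mass_clear", "process",
     r"Get-WinEvent\s+-ListLog\s+\*.*EventLogSession\]::GlobalSession\.ClearLog"),
    ("run_key_asterisk_prefix", "registry",
     r"\\CurrentVersion\\Run\\\*[A-Za-z0-9]{6}$"),  # "*xxxxxx" value name (assumed alnum)
]
COMPILED = [(name, etype, re.compile(pat, re.IGNORECASE)) for name, etype, pat in RULES]

# Behaviours whose co-occurrence on one host is the strongest signal.
CORE_RULES = {"shadow_copy_deletion", "eventlog_mass_clear", "run_key_asterisk_prefix"}

# Constructed sample log: lines 1-5 mirror the post's commands, 6-8 are benign noise.
LOG_LINES = [
    "process\tC:\\Windows\\System32\\wbem\\wmic.exe service where name='vss' call ChangeStartMode Manual",
    "process\tnet start vss",
    "process\tvssadmin.exe delete shadows /all /quiet",
    'process\tpowershell "$logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} '
    '| Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) '
    '{[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}"',
    "registry\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*aB3kZ9",
    "process\tnotepad.exe C:\\Users\\analyst\\notes.txt",
    "registry\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
    "process\tvssadmin.exe list shadows",
]


def parse_line(line):
    """Split a log line into (event type, detail)."""
    event, _, detail = line.partition("\t")
    return event.strip().lower(), detail.strip()


def scan_line(line):
    """Return the names of all rules that match one log line."""
    event, detail = parse_line(line)
    return [name for name, etype, rx in COMPILED if etype == event and rx.search(detail)]


def scan_log(lines):
    """Map rule name -> 1-based line numbers that triggered it."""
    hits = {}
    for n, line in enumerate(lines, 1):
        for name in scan_line(line):
            hits.setdefault(name, []).append(n)
    return hits


def assess(hits):
    """Escalate when two or more of the core behaviours appear on the same host."""
    core = sorted(CORE_RULES & set(hits))
    verdict = "likely_ransomware_preparation" if len(core) >= 2 else "review"
    return {"verdict": verdict, "core_rules": core, "all_rules": sorted(hits)}


if __name__ == "__main__":
    found = scan_log(LOG_LINES)
    for name, lines in sorted(found.items()):
        print(f"{name:26s} lines {lines}")
    print(assess(found))
```

Individually, "net start vss" or a shadow-copy listing is routine administration, which is why only the deletion, the mass log clear and the asterisk-prefixed Run value count as core signals; two of them on one host within a short window is what an analyst should page on.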

 

In addition, Qilin Ransomware terminates specific services before encrypting files to disrupt the normal recovery process and maximize the success rate of file encryption. It terminates services based on string matching and changes the startup type to disabled. The targets include databases (MSSQL), email servers (Exchange), virtualization platforms (Hyper-V), backup software (Veeam, Veritas Backup Exec, Commvault, Acronis), accounting/ERP software (QuickBooks, SAP), and security solutions (Sophos), among others.

 

Some of the main examples are sql, vss, backup, vmms, veeamtransportsvc, and backupexecjobengine. This is done to disrupt recovery and continuity by stopping services related to data storage and management, backup and recovery, virtualization, and security.

 

Services Targeted for Termination

vmms, mepocs, memtas, veeam, backup, vss, sql, msexchange, sophos, msexchange, msexchange\\$, wsbexchange, pdvfsservice, backupexecvssprovider, backupexecagentaccelerator, backupexecagentbrowser, backupexecdivecimediaservice, backupexecjobengine, backupexecmanagementservice, backupexecrpcservice, gxblr, gxvss, gxclmgrs, gxcvd, gxcimgr, gxmmm, gxvsshwprov, gxfwd, sapservice, sap, sap\\$, sapd\\$, saphostcontrol, saphostexec, qbcfmonitorservice, qbdbmgrn, qbidpservice, acronisagent, veeamnfssvc, veeamdeploymentservice, veeamtransportsvc, mvarmor, mvarmor64, vsnapvss, acrsch2svc, (.*?)sql(.*?)

Table 4. Services targeted for termination

 

Additionally, it continuously checks running processes during file encryption and terminates those that match the list below. As with service termination, this is intended to disrupt recovery and operational continuity by stopping processes related to data storage and management, backup and recovery, virtualization, and security.

 

Processes to be terminated

vmms, vmwp, vmcompute, agntsvc, dbeng50, dbsnmp, encsvc, excel, firefox, infopath, isqlplussvc, sql, msaccess, mspub, mydesktopqos, mydesktopservice, notepad, ocautoupds, ocomm, ocssd, onenote, oracle, outlook, powerpnt, sqbcoreservice, steam, synctime, tbirdconfig, thebat, thunderbird, visio, winword, wordpad, xfssvccon, bedbh, vxmon, benetns, bengien, pvlsvr, beserver, raw_agent_svc, vsnapvss, cagservice, qbidpservice, qbdbmgrn, qbcfmonitorservice, sap, teamviewer_service, teamviewer, tv_w32, tv_x64, cvmountd, cvd, cvfwd, cvods, saphostexec, saposcol, sapstartsrv, avagent, avscc, dellsystemdetect, enterpriseclient, veeamnfssvc, veeamtransportsvc, veeamdeploymentsvc, mvdesktopservice

Table 5. Processes to be terminated
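The following Python check, an added example rather than AhnLab's or the ransomware's code, applies the Table 4 entries to a constructed list of host services to show which ones would be stopped. It assumes each entry is used as a case-insensitive regular expression searched anywhere in the service name, since the post describes string matching and the list itself contains regex syntax such as (.*?)sql(.*?); the backslash-dollar entries are kept as a literal dollar sign, as printed.

```python
"""Exposure check for the service-termination list in Table 4.

Added example, not AhnLab's or the ransomware's code. Assumption: each entry is
applied as a case-insensitive regular expression searched anywhere in the
service name, so plain entries behave as substring matches. The host service
names are constructed for the example.
"""
import re

# Entries copied from Table 4; "\$" is kept as a literal dollar sign as printed there.
SERVICE_PATTERNS = [
    "vmms", "mepocs", "memtas", "veeam", "backup", "vss", "sql", "msexchange",
    "sophos", "msexchange", r"msexchange\$", "wsbexchange", "pdvfsservice",
    "backupexecvssprovider", "backupexecagentaccelerator", "backupexecagentbrowser",
    "backupexecdivecimediaservice", "backupexecjobengine",
    "backupexecmanagementservice", "backupexecrpcservice", "gxblr", "gxvss",
    "gxclmgrs", "gxcvd", "gxcimgr", "gxmmm", "gxvsshwprov", "gxfwd", "sapservice",
    "sap", r"sap\$", r"sapd\$", "saphostcontrol", "saphostexec",
    "qbcfmonitorservice", "qbdbmgrn", "qbidpservice", "acronisagent",
    "veeamnfssvc", "veeamdeploymentservice", "veeamtransportsvc", "mvarmor",
    "mvarmor64", "vsnapvss", "acrsch2svc", r"(.*?)sql(.*?)",
]
COMPILED = [(p, re.compile(p, re.IGNORECASE)) for p in SERVICE_PATTERNS]

# Constructed service inventory of a hypothetical host.
HOST_SERVICES = [
    "MSSQLSERVER", "SQLWriter", "MySQL80", "VeeamTransportSvc", "vmms",
    "BackupExecJobEngine", "Sophos MCS Client", "VSS", "MSExchangeTransport",
    "Spooler", "wuauserv", "WinDefend",
]


def matching_patterns(service_name):
    """Return every Table 4 entry that matches the given service name, in list order."""
    result = []
    seen = set()
    for pattern, rx in COMPILED:
        if pattern not in seen and rx.search(service_name):
            result.append(pattern)
            seen.add(pattern)
    return result


def services_at_risk(service_names):
    """Map each service that would be stopped to the entries responsible."""
    risk = {}
    for name in service_names:
        matched = matching_patterns(name)
        if matched:
            risk[name] = matched
    return risk


def pattern_hit_counts(service_names):
    """How many distinct services each entry hits: short entries over-reach."""
    counts = {}
    for matched in services_at_risk(service_names).values():
        for pattern in matched:
            counts[pattern] = counts.get(pattern, 0) + 1
    return counts


if __name__ == "__main__":
    for name, matched in services_at_risk(HOST_SERVICES).items():
        print(f"{name:22s} stopped by {matched}")
    print(pattern_hit_counts(HOST_SERVICES))
```

The short entries (sql, backup, vss, sap, veeam) match as substrings, so any service whose name contains them is stopped, including unrelated ones such as a MySQL instance or the Volume Shadow Copy service itself. Running the same check against a real service inventory shows which business services a defender should expect to go down, and which unexpected service-stop events are worth alerting on.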

 

To prevent the system from being corrupted by encrypting key files, specific extensions, files, and paths are excluded from encryption. For a detailed list, refer to Tables 6, 7, and 8 below.

 

Extensions Excluded from Encryption

themepack, nls, diapkg, msi, lnk, exe, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, theme, mpa, nomedia, spl, cpl, adv, icl, msu, 9_bJ6s6BxF (the extension appended to encrypted files, which differs for each sample)

Table 6. Extensions excluded from encryption

 

File Names Excluded from Encryption

desktop.ini, autorun.ini, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log, autorun.inf, bootmgr, bootmgr.efi, bootmgfw.efi, #recycle, autorun.inf, boot.ini, bootfont.bin, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db, #recycle, bootsect.bak

Table 7. File names excluded from encryption

 

Excluded paths

windows, system volume information, intel, admin$, ipc$, sysvol, netlogon, $windows.~ws, application data, mozilla, program files (x86), program files, $windows.~bt, msocache, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old, appdata, boot, windows, windows.old, $recycle.bin, admin$

Table 8. Paths excluded from encryption

 

2.3. Encrypting Files

Once the exclusion settings (paths, files, and extensions) have been confirmed, the algorithm to be used for file encryption is selected. Two algorithms are available: AES-256 and ChaCha20. By default, files are encrypted with the AES-256 (symmetric key) algorithm, and the encryption key is encrypted with an RSA-4096 public key.

 

However, if the affected system does not support AES-NI (Advanced Encryption Standard New Instructions), files are encrypted with the ChaCha20 algorithm instead. Systems without AES-NI support are typically those with CPU models released before 2011, or those whose mainboard firmware allows AES-NI to be enabled or disabled and has it set to Disabled.

 

Once all checks are complete, the entire file content is encrypted. After encryption, the string "-----END CIPHERTEXT BLOCK----" is appended to the end of the file to delimit the encrypted data, followed by the AES symmetric key encrypted with the RSA public key. As a result, no material that could be used to decrypt the file is left on the local system.

Figure 4. Data structure added after file encryption
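As an added forensic example (neither AhnLab's code nor the ransomware's), the Python below splits an encrypted file into its ciphertext and the appended key block using the marker string, and reports the measurements an analyst would record. It assumes the layout <ciphertext><marker><key block> implied by the description, that the marker's dash count is as printed in the post, and that the key block is one RSA-4096 output (512 bytes); the sample bytes are constructed deterministically, not taken from a real sample.

```python
"""Forensic look at the trailer Qilin appends to each encrypted file.

Added example, not AhnLab's or the ransomware's code. Assumed layout:
<ciphertext><marker><key block>, where the marker is the END CIPHERTEXT BLOCK
string from the post (exact dash count assumed) and the key block is the AES
key material wrapped with the RSA-4096 public key. 512 bytes is the RSA-4096
output size and is used only as a plausibility check, not as a documented
field length. The sample bytes are constructed deterministically.
"""
import hashlib
import math

MARKER = b"-----END CIPHERTEXT BLOCK----"   # dash count assumed from the post's text
RSA4096_BLOCK_LEN = 512                     # assumption: one RSA-4096 ciphertext


def constructed_bytes(n, seed):
    """Deterministic stand-in for ciphertext/key material (SHA-256 counter stream)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


# Constructed sample: 4 KiB of "ciphertext", the marker, then a 512-byte key block.
SAMPLE_FILE = (constructed_bytes(4096, b"ciphertext") + MARKER
               + constructed_bytes(RSA4096_BLOCK_LEN, b"wrapped-key"))


def split_encrypted_file(data):
    """Return (ciphertext, key_block); the last marker occurrence is the delimiter."""
    idx = data.rfind(MARKER)
    if idx < 0:
        raise ValueError("marker not found; not a Qilin-style encrypted file")
    return data[:idx], data[idx + len(MARKER):]


def shannon_entropy(data):
    """Bits per byte; uniformly encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data):
    """Measurements an analyst records for one encrypted file."""
    ciphertext, key_block = split_encrypted_file(data)
    entropy = shannon_entropy(ciphertext)
    return {
        "ciphertext_len": len(ciphertext),
        "ciphertext_entropy": round(entropy, 2),
        "key_block_len": len(key_block),
        "key_block_rsa4096_sized": len(key_block) == RSA4096_BLOCK_LEN,
        # Whole-body high entropy plus an RSA-sized trailer matches the post's description.
        "consistent_with_qilin_trailer": entropy > 7.5 and len(key_block) == RSA4096_BLOCK_LEN,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILE).items():
        print(f"{key:30s} {value}")
```

High entropy across the whole ciphertext segment confirms that the entire file body, not only a prefix, was encrypted, and the trailing 512-byte block is the wrapped AES key: it is only useful to whoever holds the matching RSA private key, which is why the post concludes that decryption is not possible from local artifacts.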

 

 

2.4. Ransom Note

The figure below shows the screen of a system infected with Qilin ransomware, with the desktop background changed.

 

Figure 5. Test environment after encryption and desktop change

 

The ransom note is created with the file name "README-RECOVER-<encrypted extension>.txt"; the sample analyzed in this post uses "9_bJ6s6BxF". The note is written to every path except the folders excluded from encryption, so it appears in most directories across the whole system.

 

The ransom note claims to have downloaded sensitive data from the system and network, and threatens to publish the data on their Data Leak Site (DLS) if the victim does not comply with their demands. The stolen data is said to include employee personal information (resident registration numbers, driver’s licenses, etc.), resumes, customer data, invoices, and the company’s financial information and trade secrets. The threat actor demands that the victim access the DLS website using the credentials provided in the note.

Figure 6. Ransom note (README-RECOVER-9_bJ6s6BxF.txt)

 

3. AhnLab’s Responses

The detection names and engine dates of AhnLab products are as follows.

 

3.1 V3 Diagnosis

  • Ransomware/Win.Qilin.C5753179 (2025.04.16.03)
  • Ransomware/Win.QilinCrypt.C5545083 (2023.11.20.02)
  • Ransomware/Win.Qilin.C5792289 (2025.08.27.01)
  • Ransomware/Win.Qilin.R727382 (2025.09.24.03)
  • Trojan/Win.Generic.C5503103 (2023.10.09.02)
  • Trojan/Win.Evo-gen.C5771612 (2025.06.17.02)
  • Trojan/Win.Generic.C5545081 (2023.11.20.02)
  • Ransom/MDP.Delete.M2117 (2019.01.31.00)
  • Ransom/MDP.Command.M2255 (2019.06.19.00)
  • Ransom/MDP.Event.M1946 (2018.06.06.00)
  • Ransom/MDP.Edit.M1870 (2018.03.06.00) 

 

3.2 EDR Diagnosis

  • Persistence/EDR.RunKey.M11517 (2023.12.12.00)
  • Ransom/EDR.Decoy.M2470 (2022.09.30.00)
  • SystemManipulation/EDR.Event.M2486 (2022.07.09.00)

 

※ For more information, please refer to the attachment.

MD5

08a2405cd32f044a69737e77454ee2da
0d68a310f4265821900249bec89364c2
0d70b3825647082d779987f2772bd219
119856ec134acc86ef76044cbf291f54
11d795baafa44b73766e850d13b8e254