Analysis of Qilin Ransomware Using Selective Encryption Algorithm (Distributed Targeting Linux, ELF Type)
Attacks targeting Korean asset and investment management companies have recently surged. As described in this report, the ransomware encrypts files with an AES symmetric key and then encrypts that AES symmetric key with an RSA public key. This means that decryption is not possible unless the RSA algorithm itself is broken.
Therefore, companies are advised to strictly follow the response guidelines below to protect their key assets and ensure stable operation.
The Qilin ransomware group first appeared in August 2022 and is also known as Agenda ransomware. The group conducts attacks by encrypting files and stealing data to extort, targeting various countries. In the PE type targeting Windows-based systems, it showed features such as spear phishing, language transition (Go → Rust), and attacking major industries. More information about the group is documented in “Analysis of Qilin Ransomware Using Selective Encryption Algorithm”[1]. This report will cover the ELF-type Qilin ransomware.
Qilin ransomware of the ELF type targets Linux-based and Unix-based systems, with server environments more likely to be damaged. While this type has encryption functions similar to PE-based ones, it also utilizes commands specialized for the Linux environment to take control of the system.
Difference Between PE Type and ELF Type
Before going into the analysis, this report will present a table that briefly shows the difference between the PE type and ELF type of Qilin ransomware. As one can see in Table 1, the password comparison is the same for both PE type and ELF type, but other behaviors are different.
| Item | PE | ELF |
|---|---|---|
| Password Comparison | SHA-256 | SHA-256 |
| Recovery Disruption | Deletes volume shadow copies and Windows event logs | Manipulates ESXi’s VMFS file system and settings, and also disables Nutanix’s AHV VM high availability (HA) |
| Service Termination | Terminates services related to data storage and management, backup and recovery, virtualization, and security | X |
| Process Termination | Terminates processes related to data storage and management, backup and recovery, virtualization, and security | Terminates VM processes |
| Encryption Algorithm | AES-256, ChaCha20, RSA-4096 | AES-256, RSA-4096 |
| File Encryption Attempts | Encrypts 1 time | Encrypts 3 times |
| Desktop Background Change | O | X |
| Ransom Note | `README-RECOVER-<encryption extension>.txt` | `<encryption extension>_RECOVER.txt` |

[Table 1] Differences between PE type and ELF type
Analysis Details
This report discusses the ELF-type Qilin ransomware distributed to target Linux environments. Like the PE type, the initial routine of the ELF type runs only when the correct password is entered through the “--password” argument, and the password is compared using its SHA-256 hash. However, the ELF type executes only if the folder to be encrypted is additionally specified through the “--path” argument or the “--whitelist” argument is present. Additionally, all processes executed are recorded in a file named `<filename>.log.<8 random digits>`.
This report bypassed the conditional statement, similar to the PE type. Unlike the PE type, a file named `<ransomware filename>.lock` is created instead of a mutex, and duplicate execution is prevented based on the presence of this file. The ransomware also supports multiple arguments; the behavior of each argument value is shown in Table 2 below.
| Argument Value | Behavior |
|---|---|
| --debug | Enables debug logs |
| --dry-run | Checks files for encryption but does not perform it |
| --help | Displays help content |
| --log-level | Sets the log level (0 to 5) |
| --no-df | Ignores folder whitelist/blacklist |
| --no-ef | Ignores extension whitelist/blacklist |
| --no-ff | Ignores file whitelist/blacklist |
| --no-proc-kill | Disables forced termination of VM processes |
| --no-rename | Disables encryption extension changes |
| --no-vm-kill | Disables forced termination of VM processes |
| --path | Designates the folders required for encryption upon execution |
| --password | Enters the password required upon execution |
| --rename | Enables encryption extension change (default) |
| --timer | Sets the encryption task delay |
| --whitelist | Enables the whitelist mode (default=blacklist) |
| --yes | Responds with “yes” to all questions |

[Table 2] Behavior by argument value (ELF type)
Qilin ransomware of the ELF type checks the Linux environment. If the Linux environment is ESXi or Nutanix, it performs routines that induce VM failures and data corruption.
Manipulating ESXi VMFS File System

```sh
for I in $(esxcli storage filesystem list | grep 'VMFS-5' | awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null; vmkfstools -U $I/eztDisk > /dev/null; done
```

[Table 3] Manipulating the ESXi VMFS file system

Manipulating ESXi Advanced Settings

```sh
esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity
esxcfg-advcfg -s 20000 /BufferCache/FlushInterval
```

[Table 4] Manipulating the ESXi advanced settings

Disabling Nutanix AHV VM HA

```sh
for vm_id in `acli vm.list | grep -oP '([a-f0-9-]{36})' | awk '{print $1}'`; do acli vm.update $vm_id ha_priority=0; done
```

[Table 5] Disabling Nutanix AHV VM HA
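As an added detection example (not code from the report), the following Python scans ESXi shell-history and Nutanix CLI audit lines for the command patterns shown in Tables 3 to 5. The rule names, regexes and the sample log lines are constructed for this example.

```python
import re
from typing import List, Tuple

# Detection rules derived from the commands in Tables 3-5 (rule names are ours).
RULES = [
    ("esxi_vmfs_eztdisk_create",
     re.compile(r"vmkfstools\s+-c\s+\S+\s+-d\s+eagerzeroedthick\s+\S*eztDisk")),
    ("esxi_vmfs_eztdisk_delete",
     re.compile(r"vmkfstools\s+-U\s+\S*eztDisk")),
    ("esxi_buffercache_tamper",
     re.compile(r"esxcfg-advcfg\s+-s\s+\d+\s+/BufferCache/(MaxCapacity|FlushInterval)")),
    ("nutanix_ha_disable",
     re.compile(r"acli\s+vm\.update\s+\S+\s+ha_priority=0")),
]

def match_line(line: str) -> List[str]:
    """Return the names of every rule that fires on a single log line."""
    return [name for name, rx in RULES if rx.search(line)]

def scan_lines(lines) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, line) for every hit in the input."""
    hits = []
    for no, line in enumerate(lines, 1):
        for name in match_line(line):
            hits.append((no, name, line.strip()))
    return hits

# Constructed sample of an ESXi shell history / Nutanix CLI log (not real data).
SAMPLE_LOG = """\
esxcli storage filesystem list
vmkfstools -c 10M -d eagerzeroedthick /vmfs/volumes/ds1/eztDisk
vmkfstools -U /vmfs/volumes/ds1/eztDisk
esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity
esxcfg-advcfg -s 20000 /BufferCache/FlushInterval
esxcfg-advcfg -g /BufferCache/MaxCapacity
acli vm.list
acli vm.update 3f2b1c9a-0000-4000-8000-000000000001 ha_priority=0
acli vm.update 3f2b1c9a-0000-4000-8000-000000000002 memory=8G
"""

if __name__ == "__main__":
    # Read-only queries (-g, vm.list) and unrelated updates do not fire.
    for no, rule, text in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {no}: {rule}: {text}")
```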
To prevent the system from being damaged by mistakenly encrypting important files, certain extensions, files, and paths are specifically designated to be excluded from the encryption process. The detailed lists are shown in Tables 6, 7, and 8.
| File Extensions Excluded From Encryption |
|---|
| v00, v01, v02, v03, v04, v05, v06, v07, v08, v09, b00, b01, b02, b03, b04, b05, b06, b07, b08, b09, t00, t01, t02, t03, t04, t05, t06, t07, t08, t09, g6Fx_dqnnL (encryption extension, varies for each file) |

[Table 6] File extensions excluded from encryption

| File Names Excluded From Encryption |
|---|
| initrd, vmlinuz, basemisc.tgz, boot.cfg, bootpart.gz, features.gz, imgdb.tgz, jumpstrt.gz, onetime.tgz, state.tgz, useropts.gz |

[Table 7] File names excluded from encryption

| Paths Excluded From Encryption |
|---|
| /boot/, /proc/, /sys/, /run/, /dev/, /lib/, /etc/, /bin/, /mbr/, /lib64/, /vmware/lifecycle/, /vdtc/, /healthd/ |

[Table 8] Paths excluded from encryption
File Encryption
Once the paths, files, and extensions excluded from encryption are verified, the ELF type uses only AES-256 to encrypt files, unlike the PE type, which selects an algorithm for encryption. As such, the file is encrypted with AES-256 (symmetric key) and the encryption key is encrypted with RSA-4096 (public key).
Once all verification procedures are completed, the entire file data is encrypted. After encryption is completed, the string “-----END CIPHERTEXT BLOCK----” is added at the end of the file to clearly distinguish the encrypted data section. Then up to 512 bytes of data are inserted at the beginning of the encrypted data. The final file structure consists of “encrypted data + encrypted key data + a string indicating the end + encrypted data (up to 512 bytes).” When the encryption process is completed, no clues are left in the local environment that would allow the files to be decrypted.
The biggest difference between the ELF type and the PE type is that, in the case of the ELF type, the file is encrypted 3 times to make decryption difficult. Instead of encrypting the original file 3 times, the process described above is repeated (see Figure 7). Similar to the PE type, after the first encryption the original file size can still be accurately determined. However, once the first encrypted output is encrypted again 2 more times, the original file size can no longer be determined. After the second and third encryption, the size of the data is about 3 times the original.

[Figure 1] Data structure added after file encryption (when the original 16-byte file is encrypted)
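As an added triage example (not code from the report), the following Python classifies files by the artifacts described above: the end-marker layout with at most 512 trailing bytes, the `<encryption extension>_RECOVER.txt` ransom note, the `<filename>.log.<8 random digits>` execution log, and the `.lock` file. The marker string is rendered in plain ASCII hyphens, and the name patterns are our own regexes.

```python
import os
import re
from typing import Dict, List, Optional

# End-of-ciphertext marker as described in the report (ASCII hyphens assumed).
END_MARKER = b"-----END CIPHERTEXT BLOCK----"
MAX_TRAILER = 512  # the report states that up to 512 bytes follow the marker

# Name patterns for the non-encrypted artifacts the report describes (regexes are ours).
RANSOM_NOTE_RE = re.compile(r"^\S+_RECOVER\.txt$")
EXEC_LOG_RE = re.compile(r"\.log\.\d{8}$")

def classify_content(data: bytes) -> Optional[Dict[str, int]]:
    """Return layout details if data ends like a Qilin ELF-encrypted file, else None."""
    idx = data.rfind(END_MARKER)
    if idx < 0:
        return None
    trailer = len(data) - (idx + len(END_MARKER))
    if trailer > MAX_TRAILER:
        return None  # marker present, but more than 512 bytes follow it
    # body_len covers "encrypted data + encrypted key data" before the marker.
    return {"body_len": idx, "trailer_len": trailer}

def classify_name(name: str) -> Optional[str]:
    """Map a file name to one of the artifact kinds, or None if it matches nothing."""
    if RANSOM_NOTE_RE.match(name):
        return "ransom_note"
    if EXEC_LOG_RE.search(name):
        return "execution_log"
    if name.endswith(".lock"):
        return "lock_file"
    return None

def scan_dir(root: str) -> List[Dict[str, object]]:
    """Walk root and collect every artifact or encrypted-looking file."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = classify_name(name)
            if kind is None:
                with open(path, "rb") as fh:
                    layout = classify_content(fh.read())
                if layout is None:
                    continue
                kind = "encrypted_file"
            findings.append({"path": path, "kind": kind})
    return findings
```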
AhnLab Response Overview
The detection names and the engine date information of AhnLab products are shown below.
[V3]
- Ransomware/Linux.Qilin.1395184 (2025.09.17.00)
[EDR]
- DefenseEvasion/EDR.Remove.M11361 (2023.10.18.01)
- Ransom/EDR.Decoy.M10879 (2023.12.18.03)
※ For more information, please refer to the attachment.