Threat behavior
Ransom:Linux/Qilin.A!MTB targets VMware infrastructure. It stops critical VMware services such as vmware-vpxa and vpxd, as well as backup tools such as veeam and snapshotd, and then performs destructive storage operations on the ESXi host using the host's own commands: it creates and deletes dummy disks on VMFS-5/6 volumes to undermine data integrity, and raises cache memory settings to speed up encryption.
Qilin then encrypts files in 32 directories, including '/var/lib/vmware' and '/backup', while excluding critical paths such as /boot/, and appends the fixed extension .gQ_UbazLFd to every encrypted file. It writes the ransom note gQ_UbazLFd_RECOVER.txt into each folder it encrypted and modifies /etc/motd so that the attacker's payment demand is shown to anyone who logs in to the host. KVM and QEMU processes are deliberately left untouched, which keeps enough of the system intact and usable for the attack to run to completion.
Its behavior can be adjusted with command-line arguments, such as --dry-run (for reconnaissance without encrypting), --no-vm-kill (keeps virtual machines running uninterrupted), and --password (for authentication). It propagates over SSH and vCenter using compromised credentials, obtained for example through vulnerabilities such as CVE-2023-27532, and exfiltrates data over FTP to 194[.]165.16[.]13. The !MTB detection suffix signifies that Microsoft Defender identified the payload through distinctive patterns in the code, including the .gQ_UbazLFd extension and the process kill sequence (esxcli vm process kill). This is the Go-based version of Qilin that predates the Rust versions; it lacks sophisticated evasion capabilities and its encrypted communication is fixed rather than configurable.
Ransom:Linux/Qilin!rfn encrypts files and appends the following extension:
- .gQ_UbazLFd file extension
Drops ransom notes named:
- gQ_UbazLFd_RECOVER.txt
- README-RECOVER-<company_id>.txt
Drops payload artifacts and malicious scripts:
- /tmp/kworker_rand
- LSM_API_service
It also terminates the following processes:
- vmware-vpxa
- vpxd
- vmware-usbarbitrator
- veeam
- backup
- snapshot
- mysql
- postgresql
- mongod
Communicates with the following hosts:
- 185[.]208.156[.]157
- 194[.]165.16[.]13
- 185[.]196.10[.]19
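As an added illustration of how an analyst would sweep a host for the indicators listed above, the script below is example code written for this page; it is not Microsoft's detection logic and not the malware's own code. It only assumes a POSIX shell with find, grep -E and sed (busybox ash on ESXi or bash on a Linux host), and every function name, the sample directory tree, the log lines and the company_id in the sample note are constructed here for the offline demo; the extension, note names, artifact paths, kill command and host addresses are the ones the page lists.

```shell
#!/bin/sh
# Added example, not Microsoft's or the malware's code: a POSIX sh IOC sweep for
# the Ransom:Linux/Qilin!rfn indicators listed on this page. Function names, the
# sample tree and the log lines are constructed for illustration; the indicators
# themselves (extension, notes, artifacts, kill command, hosts) come from the page.

QILIN_EXT="gQ_UbazLFd"
QILIN_NOTE="gQ_UbazLFd_RECOVER.txt"
QILIN_ARTIFACTS="/tmp/kworker_rand"   # LSM_API_service has no path on the page; matched by name below
QILIN_HOSTS="185.208.156.157 194.165.16.13 185.196.10.19"

# count_encrypted ROOT: number of files under ROOT carrying the Qilin extension.
count_encrypted() {
    find "$1" -type f -name "*.${QILIN_EXT}" 2>/dev/null | wc -l | tr -d ' '
}

# count_notes ROOT: ransom notes, either the fixed name or README-RECOVER-<company_id>.txt.
count_notes() {
    find "$1" -type f \( -name "$QILIN_NOTE" -o -name 'README-RECOVER-*.txt' \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# find_artifacts ROOT: prints dropped payload artifacts found under ROOT ("/" for the live host).
find_artifacts() {
    root="${1%/}"
    for a in $QILIN_ARTIFACTS; do
        [ -e "${root}${a}" ] && echo "${root}${a}"
    done
    find "${root:-/}" -name 'LSM_API_service' 2>/dev/null
}

# motd_tampered ROOT: succeeds if /etc/motd under ROOT carries the ransom extension string.
motd_tampered() {
    grep -q "$QILIN_EXT" "${1%/}/etc/motd" 2>/dev/null
}

# scan_log FILE: prints log lines showing the esxcli kill sequence or a known Qilin host.
scan_log() {
    pattern="esxcli vm process kill"
    for h in $QILIN_HOSTS; do
        pattern="${pattern}|$(printf '%s' "$h" | sed 's/\./\\./g')"
    done
    grep -E "$pattern" "$1"
}

# report ROOT LOGFILE: one-screen summary for an analyst.
report() {
    echo "encrypted files : $(count_encrypted "$1")"
    echo "ransom notes    : $(count_notes "$1")"
    echo "artifacts       : $(find_artifacts "$1" | tr '\n' ' ')"
    if motd_tampered "$1"; then echo "motd            : TAMPERED"; else echo "motd            : clean"; fi
    echo "suspicious log lines:"; scan_log "$2" | sed 's/^/  /'
}

# make_sample DIR: constructed, offline sample tree mimicking the post-encryption layout.
make_sample() {
    root="$1"
    mkdir -p "$root/var/lib/vmware" "$root/backup" "$root/tmp" "$root/etc" "$root/boot"
    printf 'vmdk' > "$root/var/lib/vmware/vm01.vmdk.${QILIN_EXT}"
    printf 'bak'  > "$root/backup/db.bak.${QILIN_EXT}"
    printf 'kern' > "$root/boot/vmlinuz"                      # /boot is excluded, stays untouched
    printf 'pay'  > "$root/var/lib/vmware/${QILIN_NOTE}"
    printf 'pay'  > "$root/backup/README-RECOVER-ABC123.txt"  # ABC123 is a constructed company_id
    printf 'x'    > "$root/tmp/kworker_rand"
    printf 'All files encrypted (.%s). Read the note.\n' "$QILIN_EXT" > "$root/etc/motd"
    cat > "$root/shell.log" <<'EOF'
2024-01-01T10:00:00Z shell[1234]: esxcli vm process list
2024-01-01T10:00:05Z shell[1234]: esxcli vm process kill --type=force --world-id=2100541
2024-01-01T10:00:09Z shell[1234]: ftp 194.165.16.13
2024-01-01T10:00:20Z shell[1234]: ls /vmfs/volumes
EOF
}

# Demo against the constructed sample:  sh sweep.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample "$demo"
    report "$demo" "$demo/shell.log"
    rm -rf "$demo"
fi
```

On a live ESXi host you would source the file and call `report / /var/log/shell.log` (the log where ESXi records shell commands); on a Linux host, point the second argument at whichever shell or auth log you keep. The sweep deliberately checks file-system, motd and log indicators separately, because a partially completed attack (for example one stopped by --dry-run or interrupted before the notes were written) may leave only the artifact or the kill sequence behind.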
Prevention
To minimize exposure to Ransom:Linux/Qilin!rfn, and to malware in general, Microsoft recommends best practices such as:
- Prioritize patching the critical vulnerability CVE-2023-27532.
- Enforce multifactor authentication (MFA) for all remote access.
- Implement network segmentation to restrict lateral movement.
- Disable unused services.
- Backup strategy: maintain 3-2-1 backups (3 copies, 2 media types, 1 offsite) on immutable storage.
- Monitor audit logs for unusual activity (e.g., mass file renames, PsExec launches).
For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.
To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection.