Critical Ransomware TLP:CLEAR

Qilin Ransomware

Threat Hunting Guide • 4-6 hours

#1 ransomware threat to US SLTT organizations in Q2 2025. Covers GPO-based Chrome credential harvesting, BYOVD EDR evasion with dark.sys, Veeam backup targeting, and detection rules for Splunk, KQL, and Sigma.

🎯

Hunt Modules

⏱️

Duration

4-6 hrs

💀

Confirmed Victims

792+

⏳

Avg Dwell Time

18+ days

🌍

Origin

Russia

📄

Download Full Hunting Guide

Complete guide with 10 hunt modules, step-by-step procedures, detection queries (Splunk, KQL, Sigma), and IOCs.

Download PDF - Free

10 Hunt Modules

Initial Access - VPN & Phishing Detection

30 min • Critical

Veeam & Backup Infrastructure Targeting

30 min • Critical

Chrome Credential Harvesting via GPO

45 min • Critical

Credential Dumping & WDigest Abuse

30 min • High

BYOVD EDR Evasion (dark.sys)

30 min • Critical

Remote Access Tools (RMM Abuse)

30 min • High

Data Exfiltration (Cyberduck/Cloud)

30 min • High

Lateral Movement & PsExec

30 min • High

Pre-Encryption Indicators

30 min • Critical

C2 Communication (Cobalt Strike/SystemBC)

30 min • High

Detection Rules

Copy these queries to detect Qilin activity in your environment.

VPN Access from Multiple Countries

index=vpn_logs action=success
| iplocation src_ip
| stats dc(Country) as country_count, values(Country) as countries by user
| where country_count > 1
| sort -country_count

Veeam Backup Job Modification

index=veeam_logs (action="JobDeleted" OR action="JobDisabled" OR action="TapeDeleted")
| stats count by action, job_name, user
| sort -count

Shadow Copy Deletion

index=windows sourcetype=WinEventLog:Security
(CommandLine="*vssadmin*delete*" OR CommandLine="*wmic*shadowcopy*delete*")
| stats count by ComputerName, User, CommandLine

Chrome Credential Access (Non-Chrome Process)

DeviceFileEvents
| where FolderPath has "\\Google\\Chrome\\User Data\\"
| where FileName in ("Login Data", "Cookies", "Web Data")
| where InitiatingProcessFileName !in ("chrome.exe", "GoogleUpdate.exe")
| project Timestamp, DeviceName, FileName, InitiatingProcessFileName

BYOVD - Suspicious Driver Loading

DeviceEvents
| where ActionType == "DriverLoad"
| where FileName in~ ("dark.sys", "eskle.sys", "procexp.sys", "gdrv.sys", "dbutil_2_3.sys")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256

WDigest Registry Enablement

DeviceRegistryEvents
| where RegistryKey has "SecurityProviders\\WDigest"
| where RegistryValueName == "UseLogonCredential"
| where RegistryValueData == "1"
| project Timestamp, DeviceName, RegistryKey, InitiatingProcessFileName

Qilin Chrome Credential Harvesting via GPO

title: Qilin Chrome Credential Harvesting via GPO
id: INT-QILIN-001
status: experimental
description: Detects Chrome credential access from GPO logon scripts
logsource:
    category: file_access
    product: windows
detection:
    chrome_data:
        TargetFilename|contains: '\Google\Chrome\User Data\'
        TargetFilename|endswith:
            - 'Login Data'
            - 'Cookies'
    suspicious_process:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    condition: chrome_data and suspicious_process
level: high

Qilin BYOVD EDR Killer Detection

title: Qilin BYOVD EDR Killer Detection
id: INT-QILIN-002
status: experimental
description: Detects vulnerable drivers used by Qilin for EDR evasion
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\dark.sys'
            - '\eskle.sys'
            - '\gdrv.sys'
    condition: selection
level: critical

Need More Detection Rules?

The full guide includes 15+ additional detection signatures and YARA rules.

Download Full Guide

Disclaimer: These detection rules are provided for defensive security purposes. Always test rules in a non-production environment before deployment. Rules may require tuning for your specific environment. Sources: Cisco Talos, Sophos X-Ops.

Key Indicators

File Names

                        w.exe, encryptor_1.exe, encryptor_2.exe, dark.sys, HRSword.exe, pars.vbs, logon.bat
                    

Registry Keys

                        WDigest\UseLogonCredential=1

                        Terminal Server\fDenyTSConnections=0

                        Lsa\DisableRestrictedAdmin=0

CVEs Exploited

                        CVE-2023-27532 (Veeam)

                        CVE-2024-21762 (FortiOS)

                        CVE-2024-55591 (FortiOS)

Tools Used

                        Cobalt Strike, SystemBC, Mimikatz (Themida), Cyberduck, AnyDesk, PsExec
                    

Full IOC list with SHA256 hashes and IP addresses available in the PDF download.

← Back to Threat Hunting Guides

🛡️

Automate Qilin Detection

BRACE continuously monitors for Qilin indicators and 100+ other ransomware groups. Get automated detection rules deployed to your SIEM.

Learn About BRACE Talk to an Expert