Qilin - How to Detect

Last updated: 2026-04-21

Qilin Ransomware Detection Guide

Behavioral Indicators

Qilin ransomware exhibits distinct behavioral patterns during execution that can be detected by endpoint monitoring solutions. The malware typically initiates with a parent process, often a legitimate system binary like cmd.exe, powershell.exe, or wscript.exe, spawning the malicious payload. This payload then launches multiple threads to perform its destructive tasks.

Key runtime behaviors include:

  • Mass File Encryption: The process will rapidly enumerate and open a high volume of files across local drives and accessible network shares. It makes characteristic API calls to CryptEncrypt, CryptGenKey, or similar cryptographic functions. Look for a process writing to files with new, appended extensions while also reading the original file content.
  • Process and Service Termination: Prior to encryption, Qilin attempts to terminate processes and stop services that could lock files (e.g., database services, email servers, backup software, and security tools). This generates events for TerminateProcess and ControlService (SERVICE_CONTROL_STOP).
  • VSS Deletion: To hinder recovery, the malware uses command-line execution (vssadmin.exe delete shadows /all /quiet) or direct API calls to delete Volume Shadow Copies.
  • Credential Access for Lateral Movement: Qilin may use tools like Mimikatz or built-in Windows credential dumping techniques (e.g., accessing LSASS memory via OpenProcess) to harvest credentials for spreading within the network.
  • Safe Mode Boot: Some variants attempt to configure the system to boot into Safe Mode on the next restart, potentially bypassing security controls that do not load there, by modifying the SAFEBOOT option in the system configuration.
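The three runtime behaviours above (a script host launching a payload from a user-writable path, shadow-copy deletion, and a burst of renames that append a new extension) can be expressed as rules over process and file events. The following is an added example, not code from the original page: it runs those rules over a constructed, Sysmon-like event list; the event field names, the rename threshold and the sample paths are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Parent images the page names as common launchers of the payload
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe"}
# User-writable drop locations listed under File System Artifacts
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)
# Shadow-copy deletion via the command line quoted on the page
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Extension-appending renames per process before we call it mass encryption (assumed threshold)
RENAME_THRESHOLD = 5

# Constructed events in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\bob\AppData\Roaming\kx9a\kx9a.exe",
     "cmdline": "kx9a.exe"},
    {"type": "process_create", "pid": 4130,
     "parent_image": r"C:\Users\bob\AppData\Roaming\kx9a\kx9a.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "pid": 5000,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Vendor\app.exe",
     "cmdline": "app.exe"},
    # A single benign rename that also appends an extension: below the threshold
    {"type": "file_rename", "pid": 5000,
     "old": r"C:\Users\bob\Documents\draft.docx",
     "new": r"C:\Users\bob\Documents\draft.docx.bak"},
]
# Five renames by pid 4120 that append a .<id>.qilin extension to the original name
SAMPLE_EVENTS += [
    {"type": "file_rename", "pid": 4120,
     "old": r"C:\Shares\finance\report%d.xlsx" % i,
     "new": r"C:\Shares\finance\report%d.xlsx.AB12CD34.qilin" % i}
    for i in range(5)
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def appends_extension(old, new):
    """True when the new name is the old name plus one more dotted suffix."""
    return new.lower().startswith(old.lower() + ".")


def detect(events):
    """Return (rule, pid) alerts for the behaviours described in the guide."""
    alerts = []
    renames = Counter()
    for ev in events:
        if ev["type"] == "process_create":
            if VSS_DELETE.search(ev["cmdline"]):
                alerts.append(("vss_shadow_deletion", ev["pid"]))
            if basename(ev["parent_image"]) in SCRIPT_HOSTS and USER_WRITABLE.search(ev["image"]):
                alerts.append(("script_host_spawned_user_writable_binary", ev["pid"]))
        elif ev["type"] == "file_rename" and appends_extension(ev["old"], ev["new"]):
            renames[ev["pid"]] += 1
    for pid, count in renames.items():
        if count >= RENAME_THRESHOLD:
            alerts.append(("mass_extension_append", pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The rename counter is the part worth tuning: a backup agent or a user batch-renaming files will also append extensions, so in production the threshold should be combined with a time window and an allow-list of known images rather than applied globally.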

Network Indicators

Qilin communicates with command-and-control (C2) servers for key exchange, campaign identification, and potentially to exfiltrate a small amount of data pre-encryption.

  • C2 Communication: Traffic is typically conducted over HTTPS on non-standard ports (e.g., 7443, 8080, 8443) to blend with common web traffic. The TLS certificate may be self-signed or from an uncommon Certificate Authority.
  • Beaconing: Infected systems beacon to the C2 at regular intervals (e.g., every 5, 10, or 30 minutes) with a heartbeat containing a system identifier. The initial beacon often contains system information like hostname, OS version, and domain name.
  • DNS Queries: Look for DNS requests to newly registered or algorithmically generated domain names (DGA). These domains may have a short Time-To-Live (TTL) value.
  • Pre-Encryption Traffic: A small HTTP(S) POST request may be observed just before encryption begins, sending a unique victim ID and receiving an encryption key. Data exfiltration, if present, is usually limited to key files and occurs in a compressed archive via a separate POST request.
  • Internal Reconnaissance: Following initial compromise, you may see SMB and RDP connection attempts from the infected host to other internal IPs as the actor or malware performs network discovery.
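Beaconing at a fixed interval is the indicator above that lends itself best to automated detection. The following is an added example, not code from the original page: it groups a constructed connection log by (source, destination, port), measures the regularity of the inter-arrival times, and flags flows whose jitter is low, marking those on the non-standard ports the page lists. The log format, the minimum connection count and the jitter threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Non-standard HTTPS ports named on the page
NON_STANDARD_TLS_PORTS = {7443, 8080, 8443}
MIN_CONNECTIONS = 4      # assumed: fewer samples give an unreliable interval estimate
MAX_JITTER_RATIO = 0.10  # assumed: stdev/mean of inter-arrival times below this is "regular"

# Constructed connection log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"; not real traffic.
SAMPLE_LOG = """\
2026-04-21T10:00:00 10.0.0.5 203.0.113.7 8443
2026-04-21T10:00:10 10.0.0.5 198.51.100.20 443
2026-04-21T10:00:45 10.0.0.5 198.51.100.20 443
2026-04-21T10:05:02 10.0.0.5 203.0.113.7 8443
2026-04-21T10:07:30 10.0.0.5 198.51.100.20 443
2026-04-21T10:09:58 10.0.0.5 203.0.113.7 8443
2026-04-21T10:15:01 10.0.0.5 203.0.113.7 8443
2026-04-21T10:20:00 10.0.0.5 203.0.113.7 8443
2026-04-21T10:30:00 10.0.0.5 198.51.100.20 443
2026-04-21T10:31:00 10.0.0.9 203.0.113.7 8443
2026-04-21T10:36:00 10.0.0.9 203.0.113.7 8443
""".splitlines()


def parse(lines):
    """Yield (timestamp, src, dst, port) tuples from the constructed log format."""
    for line in lines:
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(lines):
    """Return flows whose connection interval is regular enough to look like a heartbeat."""
    flows = defaultdict(list)
    for ts, src, dst, port in parse(lines):
        flows[(src, dst, port)].append(ts)

    hits = []
    for flow, times in flows.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= MAX_JITTER_RATIO:
            hits.append({
                "flow": flow,
                "interval_s": round(avg),
                "jitter": round(jitter, 3),
                "nonstandard_port": flow[2] in NON_STANDARD_TLS_PORTS,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

In the sample, the 10.0.0.5 to 203.0.113.7:8443 flow repeats roughly every five minutes with a few seconds of drift and is reported; the 443 flow is irregular, and the 10.0.0.9 flow has too few connections to judge. Real beacons often add deliberate jitter, so the ratio threshold is the knob to loosen, at the cost of more false positives from legitimate pollers.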

File System Artifacts

Qilin creates several files during its execution. The encryption process itself leaves the most obvious artifacts.

  • Encrypted Files: Qilin appends a unique extension to encrypted files. The extension varies by campaign but often follows a pattern such as .[id]-[email].ql or .[id].qilin. The original filename is usually preserved.
  • Ransom Notes: The malware drops a ransom note in every directory containing encrypted files. Common filenames include README.txt, README.html, RESTORE_FILES_INFO.txt, or HOW_TO_RECOVER_FILES.html. The note contains payment instructions and a unique victim identifier.
  • Malware Executable: The initial payload is often dropped in user-writable locations such as:
    • %APPDATA%\<random>
    • %TEMP%\<random>.exe
    • C:\ProgramData\<random>\
    The filename is often random or mimics a legitimate system file (e.g., svchost.exe, winupdate.exe).
  • Tool Dropping: It may drop other utilities used in the attack chain, such as PsExec.exe, net.exe, or credential dumping tools, into temporary directories.
  • Log Files: Some variants create a log file in %TEMP% or %APPDATA% detailing encryption progress, errors, or skipped files (e.g., log.txt, status.dat).
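The encrypted-file extension patterns and ransom note filenames above can drive a simple file-system sweep of a share after an incident. The following is an added example, not code from the original page: it walks a directory tree, reports every directory holding a ransom note or files matching the extension patterns, and recovers the preserved original names by stripping the appended extension. It builds its own constructed sample tree in a temporary directory; the character classes assumed for [id] and [email] are illustrative and should be adjusted to the variant in hand.

```python
import os
import re
import tempfile

# Ransom note filenames listed on the page (compared case-insensitively)
RANSOM_NOTE_NAMES = {
    "readme.txt", "readme.html", "restore_files_info.txt", "how_to_recover_files.html",
}
# Extension patterns from the page: .[id]-[email].ql or .[id].qilin;
# the character sets for [id] and [email] are assumptions.
ENCRYPTED_EXT = re.compile(
    r"\.(?:[A-Za-z0-9]{6,}-[^\\/@]+@[^\\/@]+\.ql|[A-Za-z0-9]{6,}\.qilin)$",
    re.IGNORECASE,
)


def scan(root):
    """Walk root and report directories holding ransom notes or encrypted files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        encrypted = sorted(f for f in files if ENCRYPTED_EXT.search(f))
        notes = sorted(f for f in files if f.lower() in RANSOM_NOTE_NAMES)
        if encrypted or notes:
            findings.append({
                "dir": os.path.relpath(dirpath, root),
                "encrypted": encrypted,
                "notes": notes,
                # Stripping the appended extension recovers the preserved original name
                "original_names": sorted(ENCRYPTED_EXT.sub("", f) for f in encrypted),
            })
    return findings


def build_sample_tree(root):
    """Constructed layout mimicking a share after encryption; empty files suffice for name checks."""
    layout = {
        "finance": [
            "q1.xlsx.AB12CD34-help@example.onion.ql",
            "q2.xlsx.AB12CD34-help@example.onion.ql",
            "README.txt",
        ],
        "public": ["notes.txt", "logo.png"],
        "hr": ["payroll.csv.AB12CD34.qilin", "HOW_TO_RECOVER_FILES.html"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the scan against a real share is read-only, so it is safe to use during scoping; the list of original names doubles as an inventory for restore-from-backup.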

Registry and Persistence Mechanisms

Qilin primarily uses simple run-once execution but may employ persistence mechanisms to survive reboots, especially in targeted attacks.

  • Run Registry Keys: Common persistence is achieved via:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    The value typically points to the dropped executable in %APPDATA% or %TEMP%.
  • Scheduled Tasks: Tasks may be created to execute the payload at specific times or upon user login. Task names are often generic (e.g., “SystemUpdate”, “Maintenance”).
  • Service Installation: In some cases, Qilin may install itself as a Windows service with a random or disguised name to run with SYSTEM privileges.
  • File Association Hijacking: Rarely, it might modify file associations (e.g., .txt file handler) to execute the malware when a user opens a common file type.
  • Safe Boot Configuration: As mentioned under behavioral indicators, the registry key HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option may be modified, setting OptionValue, to force a Safe Mode boot on the next restart.
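The Run-key and SafeBoot indicators above map directly onto registry value-set telemetry. The following is an added example, not code from the original page: it runs two rules over constructed records shaped like Sysmon registry events (a Run value whose data points into a user-writable location, and any write to the SafeBoot OptionValue). The record fields and the sample SID are assumptions; the key paths are those quoted on the page.

```python
import re

# Run keys quoted on the page. Sysmon records HKCU under HKU\<SID>, so match on the subpath
# and capture the value name.
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE
)
# Value data pointing into the drop locations named on the page
USER_WRITABLE_DATA = re.compile(
    r"%(APPDATA|TEMP)%|\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE
)
# The SafeBoot option value named on the page
SAFEBOOT_OPTION = re.compile(
    r"\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Option\\OptionValue$", re.IGNORECASE
)

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID

# Constructed records shaped like Sysmon Event ID 13 (registry value set); not real telemetry.
SAMPLE_RECORDS = [
    {"image": r"C:\Users\bob\AppData\Roaming\kx9a\kx9a.exe",
     "target": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate" % SID,
     "details": r"%APPDATA%\kx9a\kx9a.exe"},
    # Benign vendor updater registering itself from Program Files
    {"image": r"C:\Program Files\Vendor\Updater\updater.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\Updater\updater.exe"},
    {"image": r"C:\Users\bob\AppData\Roaming\kx9a\kx9a.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option\OptionValue",
     "details": "DWORD (0x00000001)"},
]


def detect_registry(records):
    """Return (rule, detail) alerts for Run-key and SafeBoot modifications."""
    alerts = []
    for rec in records:
        run = RUN_KEY.search(rec["target"])
        if run and USER_WRITABLE_DATA.search(rec["details"]):
            alerts.append(("run_key_points_to_user_writable_path", run.group(1)))
        if SAFEBOOT_OPTION.search(rec["target"]):
            alerts.append(("safeboot_option_value_set", rec["image"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect_registry(SAMPLE_RECORDS):
        print(f"{rule}: {detail}")
```

The SafeBoot rule needs no path filter: legitimate software has little reason to write that value, so any write is worth an alert, and the writing image is recorded so the analyst can pivot to the process that did it.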

YARA Rule Guidance

When developing YARA rules to detect Qilin ransomware samples, focus on its unique cryptographic routines, string constants, and configuration data.

  • Encryption Routine Strings: Look for hardcoded strings related to its file-walking and encryption logic, such as specific API function names called dynamically (CryptAcquireContextA, CryptGenKey, CryptExportKey) or error messages related to these functions.
  • Ransom Note Content: Target unique phrases from the ransom note that are compiled into the binary. These could include strings like “Your files are encrypted”, “Your personal ID:”, “Contact us:”, or the specific email format ql@[...].onion.
  • Campaign Identifiers: The binary often contains the campaign ID or the victim ID format as a string pattern (e.g., [A-Za-z0-9]{8}-[A-Za-z0-9]{4}).
  • File Extension Pattern: The specific file extension pattern used by the variant (e.g., ".ql", ".qilin") is often stored as a wide or ASCII string within the code section.
  • Configuration Blocks: Qilin binaries may have an embedded configuration block containing the C2 domain/IP, RSA public key for key encryption, and campaign ID. Look for a structured sequence of null-terminated strings followed by a large blob of base64 or hex data (the public key).
  • Anti-Analysis Checks: Include strings for common sandbox or VM artifacts it checks for, such as "VBox", "vmware", "qemu", or usernames like "sandbox".
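The configuration-block layout described above (a run of adjacent null-terminated strings followed by a large base64 blob holding the public key) can be located programmatically before any YARA rule is written, which also yields the campaign ID and C2 strings that the rule should anchor on. The following is an added example, not code from the original page or from any Qilin sample: it scans a constructed byte buffer for such a run, decodes the blob, and picks out strings that match the victim-ID pattern quoted on the page. The minimum run length, the minimum blob length and the filler bytes are assumptions.

```python
import base64
import re

# A printable run of at least 3 bytes terminated by NUL
NUL_STRING = re.compile(rb"[\x20-\x7e]{3,}\x00")
# A long base64 token (assumed: at least 64 characters) that would hold an embedded public key
B64_BLOB = re.compile(rb"^[A-Za-z0-9+/]{64,}={0,2}$")
# Victim/campaign ID shape quoted on the page
ID_PATTERN = re.compile(rb"^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}$")
MIN_RUN = 3  # adjacent NUL-terminated strings before a run counts as a config block (assumption)

# Constructed "binary": filler bytes around a config block laid out as the page describes.
KEY_BYTES = b"constructed-public-key-material-" * 4
SAMPLE_BINARY = (
    b"\xcc" * 16
    + b"AB12CD34-9X7Q\x00"            # campaign/victim ID (constructed)
    + b"c2.example.invalid\x00"       # C2 hostname (constructed)
    + b".qilin\x00"                   # extension string
    + base64.b64encode(KEY_BYTES) + b"\x00"
    + b"\xcc" * 16
    + b"Error\x00"                    # a lone string that must not be taken for a config block
)


def string_runs(data):
    """Return (offset, [strings]) for each run of adjacent NUL-terminated printable strings."""
    runs, current, start, end = [], [], None, None
    for m in NUL_STRING.finditer(data):
        if current and m.start() == end:
            current.append(m.group()[:-1])
        else:
            if len(current) >= MIN_RUN:
                runs.append((start, current))
            current, start = [m.group()[:-1]], m.start()
        end = m.end()
    if len(current) >= MIN_RUN:
        runs.append((start, current))
    return runs


def extract_config(data):
    """Find a string run that ends in a base64 blob and decode that blob; None if absent."""
    for offset, strings in string_runs(data):
        if B64_BLOB.match(strings[-1]):
            return {
                "offset": offset,
                "strings": strings[:-1],
                "ids": [s for s in strings[:-1] if ID_PATTERN.match(s)],
                "key_bytes": base64.b64decode(strings[-1]),
            }
    return None


if __name__ == "__main__":
    cfg = extract_config(SAMPLE_BINARY)
    print("config at offset", cfg["offset"])
    for s in cfg["strings"]:
        print("  string:", s.decode())
    print("  key bytes:", len(cfg["key_bytes"]))
```

Strings recovered this way (the ID, the C2 host, the extension) are exactly the campaign-specific constants a YARA rule should carry, while the decoded key is what to compare across samples to cluster them by campaign.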

For the latest samples, IOCs, and a general overview of this threat, please refer to the dedicated Qilin resource pages: Current Samples, Current IOCs, and Qilin Overview.