Qilin - Removal Guide

Last updated: 2026-04-21

Qilin Ransomware Removal Guide

Signs of Infection

Qilin ransomware infection manifests through distinct system and network anomalies. On the file system, look for a sudden proliferation of encrypted files appended with the .qilin extension, though variant-specific extensions may also appear. A ransom note, typically named README_QILIN.txt or similar, will be placed in affected directories. Temporary directories (%TEMP%, %APPDATA%\Local\Temp) often contain suspicious executable files with random alphanumeric names (e.g., f7s83n.exe, tmp1234.bin) created during the initial execution phase.

Process behavior is a key indicator. Examine running processes for unknown executables, particularly those with high CPU or disk I/O activity as they encrypt files. Qilin often attempts to terminate or interfere with security software processes and may spawn cmd.exe or powershell.exe instances to run commands that disable recovery and delete Volume Shadow Copies (e.g., vssadmin delete shadows).

Network signs include outbound connections to command-and-control (C2) servers over HTTPS or custom TCP ports, often following a pattern of beaconing at regular intervals. There may be spikes in traffic to IP addresses or domains associated with Qilin’s infrastructure, which are documented in the latest IOCs. Internal network scanning activity from the infected host, using tools like nbtstat or net view, can indicate a precursor to lateral movement.

Immediate Containment Steps

Within the first 15 minutes of detection, prioritize containment to prevent encryption spread and C2 communication.

  1. Network Isolation: Immediately disconnect the infected host from all networks (wired and wireless). If possible, disable its network switch port or apply a quarantine rule in your network access control system. Do not rely solely on software-based firewalls on the compromised host.
  2. Power Down vs. Isolation: If critical data is actively being encrypted and cannot be stopped via process termination, consider a hard shutdown to halt disk activity. Weigh this against the loss of volatile memory (RAM) forensic data. For forensic purposes, isolation is preferred if the encryption process can be stopped.
  3. Credential Rotation Priority: Identify the compromised user account. Immediately rotate passwords for:
    • The local and domain account used on the infected host.
    • Any domain administrator or high-privilege service accounts that may have been active or cached on the system.
    • Once rotated, enable multi-factor authentication on these accounts where it is not already present.
  4. Initial Triage: From a separate, clean management system, capture a list of running processes, recent network connections (netstat -ano), and newly created files on the infected host before proceeding with removal, if feasible.
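The following triage snapshot is an added example, not tooling from the original guide. It captures the indicators described under Signs of Infection and the process, connection and new-file lists that step 4 asks for; $SuspectExt, $NoteName, $OutDir, $TempPaths and the 24-hour window are assumptions to adjust per incident.

```powershell
# Added triage snapshot, not the guide's own tooling. Run elevated on the isolated
# host; it only reads and writes CSVs under $OutDir, it never kills or deletes.
$SuspectExt = '.qilin'            # variant-specific extensions may differ
$NoteName   = 'README_QILIN.txt'  # the guide says "or similar"; adjust if needed
$OutDir     = Join-Path $env:SystemDrive 'triage'   # assumed output location
$TempPaths  = @($env:TEMP, (Join-Path $env:LOCALAPPDATA 'Temp'), $env:APPDATA, $env:PUBLIC)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Processes started from user-writable paths, or whose command line touches
#    shadow copies (the guide's vssadmin indicator). Parent PID helps trace spawning.
$procs = Get-CimInstance Win32_Process
$flagged = $procs | Where-Object {
    $proc = $_
    $inTemp = [bool]($proc.ExecutablePath -and ($TempPaths | Where-Object { $proc.ExecutablePath -like "$_\*" }))
    $inTemp -or ($proc.CommandLine -match 'vssadmin.*delete.*shadows')
}
$flagged | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Export-Csv (Join-Path $OutDir 'flagged_processes.csv') -NoTypeInformation

# 2. Full process list and live TCP connections (the netstat -ano equivalent).
$procs | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv (Join-Path $OutDir 'all_processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $OutDir 'tcp_connections.csv') -NoTypeInformation

# 3. Binaries created in temp/profile folders inside the last 24 h (assumed window).
$since = (Get-Date).AddHours(-24)
Get-ChildItem -Path $TempPaths -Recurse -Force -Include *.exe, *.dll, *.bin -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $since } |
    Select-Object FullName, Length, CreationTime |
    Export-Csv (Join-Path $OutDir 'recent_temp_binaries.csv') -NoTypeInformation

# 4. Encrypted files and ransom notes counted per directory on local fixed disks only
#    (mapped shares are unreachable once the host is isolated).
$roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object { "$($_.DeviceID)\" }
Get-ChildItem -Path $roots -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq $SuspectExt -or $_.Name -eq $NoteName } |
    Group-Object DirectoryName |
    Select-Object @{ n='Directory'; e={ $_.Name } }, Count |
    Sort-Object Count -Descending |
    Export-Csv (Join-Path $OutDir 'encrypted_files_by_dir.csv') -NoTypeInformation

Write-Host "Triage written to $OutDir; flagged processes: $(@($flagged).Count)"
```

The per-directory count in the last CSV shows which profile folders or shares were hit first, which is useful when reconstructing the timeline later.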

Manual Removal Process

Warning: Manual removal is complex and carries risk. It is recommended for experienced professionals only. Recovery from backups is always preferable. Ensure you have a full disk image or snapshot before proceeding.

  1. Terminate Malicious Processes:

    • Open the system’s task manager or a trusted process explorer tool from a pre-vetted USB drive.
    • Identify and end all suspicious processes related to Qilin. Look for high resource usage, random names, or processes located in %TEMP% or %APPDATA%. End any associated cmd.exe or powershell.exe processes running unusual commands.
    • Use the command line to stop services that may have been created: sc stop [ServiceName] and sc delete [ServiceName].
  2. Delete Persistence Mechanisms:

    • Registry Run Keys: Navigate to and inspect these registry hives for suspicious entries. Common Qilin persistence locations include:
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • Scheduled Tasks: Open the Task Scheduler and look for recently created tasks with random names or tasks that execute scripts/executables from user temp folders. Delete them.
    • Service Registration: Check for new, suspicious services in HKLM\SYSTEM\CurrentControlSet\Services. If found, note the ImagePath and delete the service key after ensuring the service is stopped.
  3. Remove Dropped Files:

    • Navigate to and delete the primary ransomware executable. Common locations are %TEMP%, %APPDATA%, %PUBLIC%, or C:\Windows\.
    • Delete any supporting payloads, DLLs, or configuration files dropped in these directories.
    • Do not delete encrypted user files or ransom notes at this stage, as they may be needed for analysis or decryption attempts.
  4. Clean Registry Entries:

    • Using the registry editor, carefully remove the persistence keys identified in Step 2.
    • Search for and remove any other keys created by Qilin, potentially under HKCU\Software\ or HKLM\Software\ with random or generic names.
    • Check the Winlogon notify keys (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify) for illegitimate DLLs.
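An added read-only sweep of the persistence locations named in Steps 2 and 4 (it is not part of the original guide and also serves the Persistence Check under Verifying Removal). It prints candidates for review and deletes nothing; $SuspectPaths is an assumed list of user-writable directories.

```powershell
# Added example, not the guide's own tooling. Read-only: it lists candidates; deletion stays manual.
$SuspectPaths = @('\Temp\', '\AppData\', '\Users\Public\', '\ProgramData\')   # assumption
function Test-SuspectPath([string]$Text) {
    if (-not $Text) { return $false }
    foreach ($p in $SuspectPaths) { if ($Text -like "*$p*") { return $true } }
    return $false
}
function Find-PersistenceCandidates {
    # 1. Run / RunOnce values in both hives (the keys listed in Step 2).
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($name in $item.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }      # provider metadata such as PSPath
            $val = [string]$item.$name
            if (Test-SuspectPath $val) { [pscustomobject]@{ Type='RunKey'; Where="$key\$name"; Value=$val } }
        }
    }
    # 2. Services whose ImagePath points into a user-writable directory.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (Test-SuspectPath $img) { [pscustomobject]@{ Type='Service'; Where=$_.PSChildName; Value=$img } }
    }
    # 3. Scheduled tasks whose action executes from those directories.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if (Test-SuspectPath $cmd) { [pscustomobject]@{ Type='Task'; Where="$($task.TaskPath)$($task.TaskName)"; Value=$cmd } }
        }
    }
    # 4. Winlogon Notify: any DllName registered here needs a justification.
    $notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        Get-ChildItem $notify | ForEach-Object {
            $dll = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DllName
            [pscustomobject]@{ Type='WinlogonNotify'; Where=$_.PSChildName; Value=$dll }
        }
    }
}
Find-PersistenceCandidates | Format-Table -AutoSize -Wrap
```

Legitimate software does sometimes run from ProgramData or AppData, so treat each row as a lead to confirm against the ImagePath or task action, not as proof of compromise.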

Verifying Removal

After the manual process, verify complete eradication.

  1. System Scans: Perform a full system scan with your updated endpoint detection and response (EDR) solution and a dedicated anti-malware scanner. Use a secondary, offline scanner from a USB drive for a layered check.
  2. Log Analysis: Review system logs (Event Viewer) for related errors or warnings around the infection time. Specifically check:
    • Security logs for unexpected logon events or process creation.
    • System logs for service installation events (Event ID 7045) or unexpected shutdowns.
    • PowerShell logs (if enabled) for malicious script execution.
  3. Network Traffic Monitoring: Before reconnecting the host to the network, you can simulate connectivity in an isolated sandbox or monitor it closely on a segregated VLAN. Use a network monitoring tool to watch for any residual beaconing attempts to known Qilin C2 IPs/domains. Look for DNS queries to suspicious domains.
  4. Persistence Check: Re-run checks on all persistence mechanisms (registry, tasks, services) to ensure no artifacts remain. Use autoruns analysis tools to verify.
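An added helper for the Log Analysis step above (not part of the original guide) that reads the three sources it names: System 7045, Security 4688 and PowerShell 4104. $Start and $End are placeholders the responder sets from the triage timeline; the vssadmin and wbadmin patterns are the commands this guide lists.

```powershell
# Added log-review helper, not the guide's own tooling. Everything here reads; nothing is changed.
$Start = (Get-Date).AddDays(-2)   # assumed window around the infection
$End   = Get-Date

function Get-EventDataMap($Event) {
    # Turn the event's EventData XML into a name -> value hashtable.
    $m = @{}
    $x = [xml]$Event.ToXml()
    foreach ($d in $x.Event.EventData.Data) { $m[$d.Name] = $d.'#text' }
    return $m
}

# System 7045: every service installed in the window, with its binary and installer account.
Get-WinEvent -FilterHashtable @{ LogName='System'; Id=7045; StartTime=$Start; EndTime=$End } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        [pscustomobject]@{ Time=$_.TimeCreated; Service=$d.ServiceName; ImagePath=$d.ImagePath; Account=$d.AccountName }
    } | Format-Table -AutoSize -Wrap

# Security 4688: process creation; needs the audit policy plus command-line logging enabled.
# Flags the backup-destruction commands the guide names (vssadmin, wbadmin).
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=$Start; EndTime=$End } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        if ($d.CommandLine -match 'vssadmin\s+delete\s+shadows|wbadmin') {
            [pscustomobject]@{ Time=$_.TimeCreated; User=$d.SubjectUserName; Parent=$d.ParentProcessName; CommandLine=$d.CommandLine }
        }
    } | Format-Table -AutoSize -Wrap

# PowerShell 4104: script block text, available only if script block logging was on.
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$Start; EndTime=$End } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        if ($d.ScriptBlockText -match 'vssadmin|shadowcopy|wbadmin') {
            [pscustomobject]@{ Time=$_.TimeCreated; Script=$d.ScriptBlockText.Substring(0, [Math]::Min(300, $d.ScriptBlockText.Length)) }
        }
    } | Format-List
```

If the Security log is empty for 4688, command-line auditing was off before the incident; that gap is itself a finding for the hardening section.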

Post-Removal Security Hardening

To prevent reinfection via similar vectors, implement these measures.

  1. Configuration Changes:
    • Application Allowlisting: Implement application control policies to block execution from high-risk paths like %TEMP%, %APPDATA%, and public downloads folders.
    • Script Control: Restrict or heavily monitor the execution of PowerShell, WSH, and HTA scripts. Enable constrained language mode and deep script block logging for PowerShell.
    • Backup Hardening: Ensure backup systems are fully isolated from the production network (air-gapped or immutable). Test restoration procedures regularly. Harden the backup server to prevent access via admin tools like vssadmin or wbadmin from standard workstations.
  2. Monitoring Rules (SIEM/SOC):
    • Create alerts for the creation of files with the .qilin extension or other known variant extensions.
    • Alert on processes attempting to delete shadow copies (vssadmin delete shadows) or disable Windows recovery features.
    • Alert on network connections to IP addresses and domains listed in the Current Qilin IOCs.
    • Monitor for rapid, mass file renames or encryption-like file modifications.
  3. Policy Updates:
    • Enforce the principle of least privilege. No users should operate with local or domain administrator rights for daily tasks.
    • Implement robust network segmentation to limit lateral movement, especially between user workstations and critical file servers.
    • Mandate phishing-resistant multi-factor authentication for all remote access and privileged accounts.
    • Establish and test an incident response plan that specifically includes ransomware containment procedures.

For more information on Qilin’s behavior, refer to the Qilin Overview. For the latest threat data, including hashes and C2 addresses, always consult the Current Qilin IOCs. To assess your defensive coverage, review the Detection Rate page.