A new cybercriminal group, Qilin, is rapidly establishing dominance in the murky world of ransomware by providing not just ransomware-as-a-service (RaaS) but a full soup-to-nuts cybercrime service. In addition to the malware, Qilin also provides a full suite of legal guidance for criminals together with operational and storage features. According to cybersecurity company Cybereason, Qilin is positioning itself not just as a ransomware group, but as a full cybercrime service.
“Qilin is a ransomware-as-a-service (RaaS) group that has been active since October 2022, steadily building its reputation through a series of high-impact cyberattacks across various industries. The group operates by providing its ransomware tools and infrastructure to affiliates, taking a 15–20% share of the ransom payments,” says Cybereason.
Qilin is promoted on a Russian darknet forum as a sophisticated RaaS offering and marketed as a highly configurable tool capable of adapting to diverse attack scenarios. A unique feature of Qilin’s offering is the “Call Lawyer” function, which provides legal consultation to increase pressure during ransom negotiations.
Qilin’s lawyers conduct ransomware negotiations
The Russian-language website boasts: “If you need legal consultation regarding your target, simply click the ‘Call lawyer’ button located within the target interface, and our legal team will contact you privately to provide qualified legal support.”
Qilin adds: “The mere appearance of a lawyer in the chat can exert indirect pressure on the company and increase the ransom amount, as companies want to avoid legal proceedings.”
Cybercriminals are offered the ability to conduct negotiations with the victim organization through Qilin’s legal department. The legal department also offers advice on how to inflict maximum financial damage on the company if it refuses to comply with the criminals’ ransomware demands. Other services designed to maximize the damage caused by a ransomware attack include looking for legal violations across different jurisdictions in data stolen from the victim organization, which enables cybercriminals to exert even more pressure to make the company pay the ransom.
Another reason that Qilin is fast emerging as a dominant ransomware group is that it is taking advantage of setbacks at once-dominant groups such as RansomHub, LockBit, Everest, and BlackLock, which have recently suffered abrupt shutdowns, operational failures, and defacements of their dark web infrastructure.