{
	"id": "893b9cb6-abaf-484e-a3ae-00268c89a494",
	"created_at": "2026-04-06T01:29:02.899344Z",
	"updated_at": "2026-04-10T03:19:56.080926Z",
	"deleted_at": null,
	"sha1_hash": "5b7d3d5826c63ee9dd209679e0bb703b04b5ab21",
	"title": "New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76162,
	"plain_text": "New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion\r\nBy Halcyon RISE Team\r\nPublished: 2024-10-24 · Archived: 2026-04-06 01:11:08 UTC\r\nResearchers at anti-ransomware solutions provider Halcyon have documented a new version of the Qilin ransomware payload, dubbed Qilin.B for tracking.\r\nAccording to the Power Rankings: Ransomware Malicious Quartile report, Qilin (aka Agenda) is a ransomware-as-a-service (RaaS) operation that emerged in July 2022 and can target both Windows and Linux systems. Qilin operations include data exfiltration for double extortion.\r\nKey Aspects:\r\nEnhanced Encryption: Qilin.B uses AES-256-CTR encryption on systems with AESNI support while retaining ChaCha20 for other systems, and uses RSA-4096 with OAEP padding to protect the encryption keys, making file decryption without the private key or captured seed values impossible.\r\nSecurity Evasion: Written in Rust, Qilin.B terminates services associated with security tools, clears Windows Event Logs to hinder forensic analysis, and deletes itself to reduce traces of its presence, making detection, response, and attempts to reverse-engineer the payload more difficult.\r\nCorrupting Backups: Qilin.B disrupts system backup efforts by deleting volume shadow copies (VSS), which thwarts critical recovery mechanisms.\r\nInside Qilin.B\r\nQilin.B is a new, more advanced version of the Qilin ransomware family. It builds on previous iterations by incorporating additional encryption capabilities and more sophisticated operational tactics.\r\nNotably, Qilin.B now supports AES-256-CTR encryption for systems with AESNI capabilities, while still retaining ChaCha20 for systems that lack this support.\r\nAdditionally, RSA-4096 with OAEP padding is used to safeguard encryption keys, making file decryption without the attacker's private key or captured seed values impossible.\r\nKey Features and TTPs\r\nFile Encryption \u0026 Mechanism\r\nEncryption Methods: Qilin.B uses either AES-256-CTR or ChaCha20, depending on system support. The ransomware appends a configurable string to encrypted files, which also serves as a company_id. This is used by affiliates to identify and track specific targets.\r\nhttps://www.halcyon.ai/blog/new-qilin-b-ransomware-variant-boasts-enhanced-encryption-and-defense-evasion\r\nPage 1 of 4\r\nRansom Notes: For every directory processed, Qilin.B generates ransom notes titled \"README-RECOVER-[company_id].txt\" containing instructions to access a Tor website for payment details and decryption.\r\nExecution Flow\r\nOnce executed with the correct password (e.g., build1.exe --password [random_password_string]), Qilin.B performs the following:\r\n1. Verifies administrative privileges.\r\n2. Detects virtual machine environments.\r\n3. Checks for AESNI instruction set support.\r\n4. Loads its configuration.\r\n5. Creates a mutex for process exclusivity.\r\n6. Generates an Autorun registry entry to ensure persistence.\r\n7. Prioritizes its process and begins terminating critical processes related to security and backup.\r\n8. Continuously removes Windows Event Logs to evade detection.\r\nProcess and Service Termination\r\nQilin.B terminates or disables services associated with security, backup, and virtualization. The services it targets include those matching the following patterns:\r\nExamples: Veeam, VSS, SQL, Sophos, Acronisagent, SAP.\r\nFile Selection and Enumeration\r\nQilin.B uses GetLogicalDrives() and EnumResourceW() to locate mounted drives and shares for encryption. It also enumerates network folders located in %APPDATA%\\Roaming\\Microsoft\\Windows\\Network Shortcuts and the %DESKTOP% folder.\r\nExcluded Directories: It avoids encrypting critical system directories, including windows, system volume information, intel, netlogon, and program files.\r\nBackup Disruption\r\nQilin.B disrupts backup operations by deleting volume shadow copies using the command:\r\nvssadmin delete shadows /all /quiet\r\nDefense Evasion\r\nQilin.B employs several evasion techniques:\r\nLog Clearing: The ransomware clears Windows Event Logs to hinder forensic analysis, using the following PowerShell command: Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | ForEach-Object {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)}\r\nSelf-Deletion: After execution, Qilin.B deletes itself to reduce traces of its presence on the system.\r\nRust Compilation: Being compiled in Rust makes Qilin.B naturally harder to reverse-engineer.\r\nPersistence\r\nQilin.B maintains persistence by adding the following Autorun registry entry so that it executes after a system reboot:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\u003crand6char\u003e = \"\u003cpath\u003e\\qilin.exe\" --password \u003cpassword\u003e --no-vm --no-admin\r\nSystem Modifications\r\nQilin.B modifies system settings to share mapped network drives between elevated and non-elevated processes, allowing them to be accessed by processes at different privilege levels, by adding the following registry entry:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections = 1\r\nIndicators of Compromise (IOCs)\r\nNote: these will be unique for each attack and contain compromised user credentials of the target.\r\nFile System IOCs:\r\nRansomware Binary:\r\nSHA256: XXXXXXXXXXXXXX [redacted]\r\nDLL Payload:\r\nSHA256: XXXXXXXXXXXXXXX [redacted]\r\nRansom Note:\r\nFilename: \"README-RECOVER-[company_id].txt\"\r\nEncrypted Files:\r\nFile extension: \".[company_id]\" (configurable company name for tracking purposes)\r\nConclusion\r\nQilin.B’s combination of enhanced encryption mechanisms, effective defense evasion tactics, and persistent disruption of backup systems marks it as a particularly dangerous ransomware variant.\r\nBy leveraging AES-256-CTR, ChaCha20, and RSA-4096, along with advanced anti-forensic techniques, Qilin.B poses a significant threat to enterprise networks. Early detection through process monitoring and identification of IOCs is critical to mitigating its impact.\r\nHalcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile; also check out the Recent Ransomware Attacks resource site.\r\nSource: https://www.halcyon.ai/blog/new-qilin-b-ransomware-variant-boasts-enhanced-encryption-and-defense-evasion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.halcyon.ai/blog/new-qilin-b-ransomware-variant-boasts-enhanced-encryption-and-defense-evasion"
	],
	"report_names": [
		"new-qilin-b-ransomware-variant-boasts-enhanced-encryption-and-defense-evasion"
	],
	"threat_actors": [],
	"ts_created_at": 1775438942,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b7d3d5826c63ee9dd209679e0bb703b04b5ab21.pdf",
		"text": "https://archive.orkl.eu/5b7d3d5826c63ee9dd209679e0bb703b04b5ab21.txt",
		"img": "https://archive.orkl.eu/5b7d3d5826c63ee9dd209679e0bb703b04b5ab21.jpg"
	}
}