Qilin Ransomware Operations Supported by Bulletproof Hosting Networks
Qilin, a sophisticated ransomware-as-a-service (RaaS) operation, has emerged as a significant threat actor in the global cybercrime landscape, leveraging bulletproof hosting (BPH) infrastructure to sustain its extortion campaigns. The group, which initially operated under the name "Agenda" before rebranding to Qilin in 2022, relies on BPH providers located in pro-secrecy jurisdictions and structured through layered networks of anonymous shell companies. These hosting services are built to withstand abuse complaints and law enforcement requests, which lets Qilin run prolonged operations without its infrastructure being taken down.

Qilin's ransomware payloads are written in both Golang and Rust. The group gains initial access to victim networks through spear phishing, through abuse of Remote Monitoring and Management (RMM) tools, and through other common attack vectors. It practices double extortion: victims are pressured to pay both for a decryptor and to prevent the public release of data stolen before encryption.

In a recent high-profile attack, Qilin claimed responsibility for a ransomware incident that severely disrupted operations and manufacturing at Asahi Group Holdings, a major Japanese brewing conglomerate, for nearly two weeks. Qilin then attempted to sell the stolen Asahi data for USD 10 million, contacting the victim directly to increase pressure and bypass intermediaries.

On October 15, Qilin announced a new wave of victims, including the Spanish Tax Administration Agency, Centurion Family Office Services LLC in the USA, Rasi Laboratories, Victory Christian Center in Tulsa, Richmond Behavioral Health Authority, Turnkey Africa, and Charles River Properties. The spread of these targets across government, healthcare, finance, manufacturing, and religious organizations shows how broad Qilin's targeting is.
Bulletproof hosting is a critical enabler for Qilin: it lets the group keep its infrastructure online and evade takedown efforts. Resecurity's investigation included direct engagement with Qilin operators, which yielded insight into their tactics and extortion strategies. The resilience of that infrastructure, combined with aggressive extortion methods, makes Qilin a significant ongoing threat to organizations worldwide, and the speed with which the group announces and publicizes new victims adds to the pressure on targets to pay. Note that a leak-site listing is a claim by the actor; it is not independent confirmation that the named organization was breached or of what data was taken.

Qilin illustrates the persistent challenge posed by RaaS groups that exploit global hosting networks to sustain and expand their criminal enterprises, and the need for robust defenses and international cooperation, including action against the hosting providers themselves, to disrupt them. Organizations are urged to remain vigilant against spear phishing and to monitor for unauthorized use of RMM tools, which are common entry points for Qilin attacks. In practice that means keeping an inventory of the RMM products the organization has sanctioned and alerting on the installation or execution of any other remote-access agent, or of a sanctioned agent running from outside its expected install path.
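The RMM monitoring recommended above can be reduced to an allowlist check over process-creation telemetry. The following is an added example written for this page; it is not code from the page, from Resecurity, or from any vendor. The executable names are common, publicly documented RMM process names chosen for illustration (the page does not say which RMM tools Qilin abuses), the approved-product policy and install-path rule are assumed organizational policy, and the Sysmon-style JSON log lines are constructed.

```python
"""Flag RMM tool executions that are not on an approved allowlist.

Added example, not code from the page or from Resecurity. The RMM
executable names below are common, publicly documented process names;
the allowlist, host names and log lines are constructed for the demo.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Common RMM / remote-access executables seen in process-creation telemetry.
# Illustrative only: not a list of tools the page attributes to Qilin.
RMM_EXECUTABLES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
    "srserver.exe": "Splashtop",
    "rustdesk.exe": "RustDesk",
    "ltsvc.exe": "ConnectWise Automate",
}

# Assumed policy: only these products are sanctioned, and only when the
# binary runs from the standard Program Files install location.
APPROVED_PRODUCTS = {"ScreenConnect"}
APPROVED_PATH = re.compile(r"^c:\\program files( \(x86\))?\\", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    product: str
    image: str
    reason: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating both separator styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> Optional[Alert]:
    """Return an Alert if a process-creation event is an unsanctioned RMM run."""
    image = event.get("Image", "")
    product = RMM_EXECUTABLES.get(basename(image))
    if product is None:
        return None  # not an RMM binary we track
    if product not in APPROVED_PRODUCTS:
        reason = "unapproved RMM product"
    elif not APPROVED_PATH.match(image):
        reason = "approved product launched from a non-standard path"
    else:
        return None
    return Alert(event.get("Computer", "?"), event.get("User", "?"),
                 product, image, reason)


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run the check over JSON-lines telemetry; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # do not let one bad record stop the detector
        if event.get("EventID") != 1:
            continue  # Sysmon EventID 1 is process creation
        alert = check_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed Sysmon-style events (JSON lines), not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS-042", "User": "CORP\\jdoe", "Image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"}
{"EventID": 1, "Computer": "WS-042", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"EventID": 1, "Computer": "SRV-FILE01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\ProgramData\\sc\\ScreenConnect.ClientService.exe"}
{"EventID": 3, "Computer": "WS-042", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"EventID": 1, "Computer": "WS-007", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\notepad.exe"}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"[{a.reason}] host={a.host} user={a.user} "
              f"product={a.product} image={a.image}")
```

Running the block over the constructed log yields two alerts: AnyDesk launched from a user's Downloads folder (a product the assumed policy does not permit at all), and the sanctioned ScreenConnect agent running from ProgramData rather than its normal install path, which is the pattern an attacker-dropped copy of an otherwise approved tool would produce. Network-connection events (EventID 3) and non-RMM binaries are ignored. In a real deployment the allowlist would be driven from the organization's asset inventory rather than hard-coded.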

How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Qilin ransomware leak site announces new victims
Reports indicated that the Qilin ransomware operation added new organizations to its victim list, marking a fresh disclosure of affected entities. Multiple outlets referenced this same development, so it is treated as a single event.
Resecurity links Qilin ransomware to Ghost bulletproof hosting conglomerate
Resecurity published research describing ties between the Qilin ransomware operation and the Ghost bulletproof hosting conglomerate, adding technical and infrastructure details to the threat's ecosystem. This appears to be the first referenced disclosure in the provided materials.
Sources
More Qilin ransomware-hit organizations disclosed (scworld.com)
Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate (databreaches.net)
Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate (resecurity.com)
Qilin Ransomware announced new victims (securityaffairs.com)


