Okay, mi gente, let’s talk about something that really shows how far ransomware has evolved: the Qilin (also known as Agenda) attack.
This isn’t your average “click a bad link and lose your files” situation. No, señor. This is a professional, multi-stage operation where the attackers bring their own weapons, hit Windows and Linux at the same time, and even destroy your backups to make sure there’s no easy way out.
Brutal and smart. A dangerous combo.
The Setup: They Walk Right In
Like most big breaches, it starts with the simplest trick: stolen credentials.
The Qilin crew got in through VPN or RDP using passwords they phished or bought on the dark web. Some victims were lured to fake CAPTCHA pages hosted on legit services like Cloudflare R2: clever social engineering that harvests credentials and session cookies, and a stolen session cookie walks right past MFA because the MFA check already happened for that session.
Once inside, they blended in like normal users and quietly took over admin rights. That’s when things got interesting.
Step One: BYOVD (Bring Your Own Vulnerable Driver)
Now here’s the nasty part. Instead of breaking Windows, Qilin used something Windows already trusts: a legitimately signed driver called eskle.sys, originally made for gaming anti-cheat software.
Driver Signature Enforcement checks that a driver is signed, not that it is safe. This one had vulnerabilities, and once loaded it gave them kernel-level control. That means they could kill antivirus and EDR processes, disable monitoring, and do it all without raising alarms. One caveat, amigos: loading a driver takes admin rights (SeLoadDriverPrivilege), which is exactly why the quiet takeover of admin rights in the setup phase mattered so much.
Imagine a burglar wearing a uniform so the security guards wave him right in. That’s BYOVD, amigos.
Once the defenses were blinded, they created a fake admin account (“Supportt”, one letter off from a name nobody looks at twice), reset passwords, and planted a hidden backdoor (a SOCKS proxy) inside Veeam directories, where one more binary doesn’t stand out. Everything looked normal, but the attackers now had full remote control.
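Since the fix for this step is Microsoft’s vulnerable driver blocklist, here is what checking a driver inventory against that list looks like in practice. This is an added example written for this post, not Microsoft’s tooling and not anything from the Qilin write-ups; the policy fragment and the driver list are constructed, with placeholder rule IDs, file names (example-a.sys and friends) and hashes, in the shape of the Microsoft recommended driver block rules (SiPolicy XML).

```python
"""Check a driver inventory against a WDAC-style driver blocklist (SiPolicy XML).

Added example for this post, not Microsoft's tooling or anything from the Qilin
write-ups. Policy fragment and inventory are constructed: the rule IDs, file names
and hashes are placeholders shaped like Microsoft's recommended driver block rules.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
HASH_B = "B1" * 32   # placeholder Authenticode SHA-256 for the hypothetical example-b.sys

SAMPLE_POLICY = f"""<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <FileRules>
    <Allow ID="ID_ALLOW_ALL" FriendlyName="" FileName="*" />
    <Deny ID="ID_DENY_A" FriendlyName="example-a.sys" FileName="example-a.sys"
          MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_B_SHA256" FriendlyName="example-b.sys Hash Sha256" Hash="{HASH_B}" />
  </FileRules>
</SiPolicy>
"""


def load_deny_rules(policy_xml: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Index <Deny> rules by hash and by file name. <Allow> rules are skipped on purpose:
    the published blocklist is allow-everything-except-these, so only Deny entries matter."""
    by_hash: Dict[str, Dict[str, str]] = {}
    by_name: Dict[str, Dict[str, str]] = {}
    for rule in ET.fromstring(policy_xml).findall("si:FileRules/si:Deny", NS):
        if "Hash" in rule.attrib:
            by_hash[rule.attrib["Hash"].upper()] = dict(rule.attrib)
        if "FileName" in rule.attrib:
            by_name[rule.attrib["FileName"].lower()] = dict(rule.attrib)
    return {"hash": by_hash, "name": by_name}


def check_drivers(inventory: List[Dict[str, str]], rules: Dict) -> List[Dict]:
    """One finding per driver that hits a Deny rule, by hash first, then by file name.

    Hash rules are Authenticode (PE) hashes, so a plain file digest will not match; the
    inventory has to carry that hash. File-name rules may carry version bounds; this
    example reports any name match and echoes the bounds for review instead of
    interpreting them.
    """
    findings = []
    for drv in inventory:
        rule = rules["hash"].get(drv.get("authenticode_sha256", "").upper())
        how = "hash"
        if rule is None:
            rule, how = rules["name"].get(drv["file"].lower()), "filename"
        if rule is None:
            continue   # not on the list: a blocklist only knows drivers already on it
        findings.append({
            "file": drv["file"], "path": drv["path"], "matched_by": how, "rule_id": rule["ID"],
            "version_bounds": {k: v for k, v in rule.items() if k.endswith("FileVersion")},
        })
    return findings


# Constructed inventory, the kind you would build from `driverquery /v` plus a PE hashing tool.
SAMPLE_INVENTORY = [
    {"file": "Example-A.sys", "path": r"C:\Windows\System32\drivers\Example-A.sys",
     "version": "1.2.0.0", "authenticode_sha256": "00" * 32},
    {"file": "example-b.sys", "path": r"C:\ProgramData\tmp\example-b.sys",
     "version": "3.0.0.1", "authenticode_sha256": "b1" * 32},
    {"file": "example-c.sys", "path": r"C:\Windows\System32\drivers\example-c.sys",
     "version": "2.0.0.0", "authenticode_sha256": "cc" * 32},   # not listed: no finding
]

if __name__ == "__main__":
    for f in check_drivers(SAMPLE_INVENTORY, load_deny_rules(SAMPLE_POLICY)):
        print(f"{f['file']}: blocked by {f['rule_id']} ({f['matched_by']}) {f['version_bounds']}")
```

Two caveats the comments repeat: the Hash attributes in a WDAC policy are Authenticode hashes, so a plain sha256sum of the file won’t match them, and a blocklist only knows the drivers already on it (the hypothetical example-c.sys sails through). That is why the blocklist goes together with Memory Integrity and with alerting on driver loads, rather than replacing them.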
Step Two: Spreading Like Fire
From there, they moved fast. They used PowerShell, Mimikatz, and similar tools to dump credentials, with a special focus on Veeam Backup servers: a backup server stores credentials for every host, hypervisor and database it protects, and a local admin on that box can recover them, which means one server can hand over passwords for half the network.
With those credentials, they jumped to domain controllers, databases, and even Linux systems. They used legitimate IT tools like Atera, AnyDesk, and ScreenConnect to look like real administrators. Clever, no?
Then came the cross-platform pivot. They used PuTTY from Windows hosts to open SSH into Linux servers and virtual infrastructure like VMware and Nutanix. This is where Qilin went from bad to genius: one ransomware payload that could hit everything.
Step Three: Cross-Platform Ransomware Boom
Here’s the part that really impressed (and terrified) me.
Instead of running a Windows ransomware EXE, they dropped a Linux ransomware binary on Windows systems and executed it through Splashtop Remote. A Linux ELF doesn’t run natively on Windows, so it needs some help to execute, but that’s exactly the point: EDR rules and signatures built around Windows PE behavior didn’t cover it, so the tools just watched it happen.
¡Zas! Encryption began on both Windows and Linux files at once.
Qilin targeted local disks, network drives, shares exported from Linux hosts, and even virtual machine storage. By the time it was done, everything, from workstations to ESXi hypervisors, was locked.
To make recovery as hard as possible, they wiped shadow copies, deleted backups, and stopped backup-related services. So even if you wanted to restore your data, there was nothing left to restore from.
Step Four: The Ransom and the Reality
Once the encryption was complete, a ransom note was dropped on every system. Pay us, or your data goes public. Simple, cruel, effective.
And because the backups were gone, many victims had no real choice. That’s why this case is such a wake-up call. It shows how ransomware has evolved from a one-machine problem into a full-scale digital siege.
What You Can Do (Seriously, Listen Up)
Here’s how you fight back, mi gente:
- Block the BYOVD trick. Use Microsoft’s vulnerable driver blocklist and keep it updated (it is on by default in Windows 11 22H2 and later, and you can push the latest published rules as a WDAC policy in between Windows updates). Enable Memory Integrity (HVCI) on Windows 10/11. And don’t give everyone admin rights: loading a driver needs them, so make attackers work for it.
- Watch those remote tools. If you don’t use Atera, Splashtop, or ScreenConnect, any sign of them is a red flag. If you do use them, log every action they take and alert on strange behavior.
- Protect your backups like gold. Separate them from the main network. Use immutable or offline storage, meaning backups that can’t be deleted or changed by anyone holding a domain or backup-server credential. No matter how modern your setup, if the bad guys can log into your backup server, it’s game over.
- Catch them early. Look for weird logins, sudden EDR or Defender service shutdowns, kernel drivers loading from temp folders, and accounts like “Supportt” popping up out of nowhere (Security event 4720, account created, is your friend here). Honeypot accounts (fake admin credentials) can be a beautiful trap: when attackers bite, you get the alert.
- Test your disaster recovery. Don’t wait until you’re under attack to see if your backups work. Practice recovery regularly, and assume one day your backup server will be targeted.
Qilin’s attack isn’t just another ransomware case. It’s a lesson in how the old lines between Windows, Linux, and “safe backups” don’t exist anymore.
Attackers don’t see platforms; they see opportunities.
So, amigos, take a page from their playbook, but flip it. Be cross-platform in your defense, not just your operations. Because when they come bringing their own drivers and burning your backups, the only way to survive is to be ready everywhere.
Stay sharp, stay secure, and stay safe!