Secure AF - A Cybersecurity Podcast
Think like a hacker. Defend like a pro.
Welcome to the Secure AF Cybersecurity Podcast — your tactical edge in the ever-evolving cyber battlefield. Hosted by industry veterans including Donovan Farrow and Jonathan Kimmitt, this podcast dives deep into real-world infosec challenges, red team tactics, blue team strategies, and the latest tools shaping the cybersecurity landscape.
Whether you're a seasoned pentester, a SOC analyst, or just breaking into the field, you'll find actionable insights, expert interviews, and unfiltered discussions with Alias team members and top-tier guests from across the cybersecurity spectrum.
Stay sharp. Stay informed. Stay Secure AF.
Ransomware as a Business: Inside Qilin’s Rise
Qilin is quickly becoming one of the most dominant ransomware groups in the world, and it’s not because of groundbreaking tactics. It’s because of their business model.
In this episode, we break down how Qilin operates as a ransomware-as-a-service group, why affiliates are flocking to them (hint: 80–85% payouts), and how that’s fueling explosive growth across industries worldwide. From real-world attack patterns to how they gain access and evade detection, we’re diving into what makes this group so effective, and why organizations should be paying attention.
Watch full episodes at youtube.com/@aliascybersecurity.
Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.
I think they're cuts at like 80%.
SPEAKER_02: Which is which is why they're why they're growing, right? 80% is crazy unheard of. Yeah.
SPEAKER_01: For they're giving their their affiliates 80% of the cut.
SPEAKER_02: Yeah, yeah. Yeah.
SPEAKER_00: You are now listening to the Secure AF Podcast.
SPEAKER_02: Hello and welcome to another episode of the Secure AF Podcast. I'll be your host today, Tanner. I've got with me here Andrew Hickman. He's our security engineering lead here. He runs the SOC and does all kinds of the blue team side of stuff here. We're going to talk today about a ransomware group that is on a pretty major rise over the last year. First, we'll talk about their name. So they are named after a Chinese mythological creature. I believe the Chinese pronunciation, somebody who speaks Chinese is going to, or Mandarin, is going to correct me.
SPEAKER_01: And I welcome that, honestly. Yeah, please do.
SPEAKER_02: Please, it's like Qi Lin. And uh you say Chilin, and I say Quillen, because it's with a Q. And uh this is Marka. Keelan. I pronounce my Q. Chilen. Whatever. So it is a mythological creature. It is a hooved creature. It's kind of like uh dragon unicorn. Yeah, pretty much.
SPEAKER_01: It's like a hybrid of different animals. Um look up mythical Chinese creature Q-I-L-I-N, and you'll see what it is.
SPEAKER_02: Um they represent good fortune, prosperity, and benevolence. Uh all things that you are not experiencing if you are under attack by not at all. Yeah, yeah. Um, so their name implies virtue, which I find interesting because they're not doing that, they're kind of doing the opposite. Yeah, I guess it's good fortune for them. Yeah, yeah, and for their for their affiliates, which we'll get into. Yeah. Um, so we saw them come out of the scene in 2022, is when we started seeing their stuff.
SPEAKER_01: Around then, yeah.
SPEAKER_02: Yeah, but uh they really blew up late 24 and through 25. Yeah, and and all the way into 26. We're seeing, if anything, even more. It's like they're still growing huge, and we'll talk about why that is. Yeah. Um, they're just a typical ransomware as a service. So when it comes to what they're doing, I don't feel like they're doing anything crazy.
SPEAKER_01: Which that's becoming more and more prevalent as well, right? Like we're seeing less and less of just these threat actor groups that are all self-contained, and we're seeing more and more of the ransomware as a service groups where you over the last five years, yeah. They develop the toolkits or whatever, you know, whatever attacks and uh or getting footholds, and then they'll get these smaller groups or people just to come in and you do the attack, you handle all this, we'll do the negotiating, and we'll, you know, you guys take, I think they're cuts at like 80%.
SPEAKER_02: Which is which is uh why they're why they're growing, right? 80% is crazy unheard of.
SPEAKER_01: Yeah. For yeah, they're giving their their affiliates 80% of the cut.
SPEAKER_02: Yeah, yeah. Yeah. Um, we uh and I guess ransomware as a service. We talked about it a lot on this podcast, but it's essentially what the way I have found from diving into them, even talking to some of the people, is they usually have a few core people that are like senior principal engineer level and they're developing new techniques, right? They're developing new methods, they're writing, they're writing the lockers, or at least doing business to a level where they're getting them from really good people, but they have really good internal methods and internal tooling and stuff like that. And when you come on to be an affiliate, you're typically gaining access to the locker, access to the tools, access to the methods, things like that.
SPEAKER_01: Do you think do you think that kind of operation, just kind of thinking about ideas here? Do you think that kind of operation increases their security or like their security posture where they can choose who they're bringing in to do these kind of things? Or do you think it opens the door to be a little less secure because you never quite know who you're anything?
SPEAKER_02: I would think it opens the door to be less because we've seen things like Conti, where you know they had an affiliate who didn't feel like he got paid what he was supposed to, or something along the lines of that. Yeah. And he ended up leaking the whole playbooks, all the tools, keys, everything like that. Uh, and that's probably if you have a smaller group that's tighter knit, that's probably less likely to happen.
SPEAKER_01: Yeah, but I also think that like if you're developing all this stuff and you have different options, like maybe that's one way that they kind of keep things secure is like, hey, if you're new to this, you only get access to this level of stuff. Or I mean, this is all just you know.
SPEAKER_02: I don't know. If you're an affiliate for them, come talk to me. I would love to anonymously interview you. Anonymously, yeah. We uh we ain't no feds, we don't say nothing. Yeah, um, but yeah, I would love to just pick the brain of anybody who's involved, even even other groups too. Um, I just I think there's probably a lot of misconceptions, uh, because we basically only know what we've heard. And I have talked to some people, but they don't want to say too much. Yeah. Not with not with Qilin. I talked to some people that were with Conti back in the day. Um and some people with Clop uh or one guy with Clop. So it's it's we're going off of hearsay mostly.
SPEAKER_01: Yeah, I've only had conversations with them over the ransom chats.
SPEAKER_02: Right.
SPEAKER_01: When you're and that's a little bit different. And it even even talking to them just directly that way has been different from other groups for me. Really, how so? A lot a lot of the times, like if I'm talking to a threat actor in one of these chats, I try to be human, right? Like I might be helping a company try to work through this, but you know, I'll be like, hey, you know, how's the day going? You know, how what's going on? Like, hey, let's talk about this, but you know, try to introduce a human, like try to not be, I know you're trying to extort a bunch of money from a company, but you know, but just try to again like try to remember the human, like they're doing this for whatever nefarious reasons, but you know, they're doing it and there's still a human there. And so try to make that connection, like, you know, hey, how do you guys, you know, do this? This is cool, whatever, you know. Um, but talking to them specifically, there was no there was no human element to it. It was like it was sheer business. It was uh like I'd be like, hey, hopping on, let's talk about this. And they'd be like, okay, please give us an update. You know, any any kind of like attempt to to bring that out was just completely blocked. There was no like, we're we're not even acquaintances here. We want money and we want you to pay us. Just tell us about the the conversation about who's gonna pay and when. That's it, it was straight business.
SPEAKER_02: Interesting. I wonder if that has anything to do with the affiliate you're working with, or if that's how they roll.
SPEAKER_01: I always kind of thought that uh and I could be wrong here on the ransomware as a service, but I figured the affiliate probably didn't handle most of that extortion part of the conversation. Yeah. I figured that was mostly handled by, you know, the group itself. So, but I you know, I could be wrong there again. If we could talk to if someone, you know, wanted to just give us an interview.
SPEAKER_02: Yeah. When you start asking those uh those kind of questions in some of the the Telegram chats, people get weird. So yeah, yeah, I can imagine. Yeah, they don't they don't really want to say too much about it. Yeah. Um one thing that I heard is that uh we saw RansomHub a lot in 2024. Yeah. Even into 25. Um, I guess they have fully disbanded from my understanding. Yeah, I think distrust issues and instability in their platforms. Yeah. Um, so I think a lot of those guys came over to Qilin.
SPEAKER_01: Well, especially, you know, talking about their payout.
SPEAKER_02: Yeah, yeah. Yeah, and that's uh it kind of it kind of is funny how many just standard business parallels there are in ransomware gangs where they really do. I always tell people like they really, really run it like a business. I mean, it is a it is a it's been my experience, yeah. Uh and it seems like as they go, they get more and more professional. I mean, that was one thing that surprised me about LockBit back in the day is just how professional and good LockBit was. Yeah, like LockBit could answer any questions about the environment that you had. Yeah, they they had everything ready to go as far as tools. Um I do want to see a report from uh from Qilin. So they do they give you a report if you if you do pay. Because uh the LockBit reports weren't, they were like a like a bad pen test report, but yeah, but um I would love to see their their uh their quote unquote report of uh your environment because they they claim they'll give you uh like basically a pen test report. Yeah, and this is the things we found in your environment, yeah, how you should fix it, this is how to secure your environment, yeah. All those those sorts of different things. So if anybody has one that they'd like to share, we'll NDA up even. I I would love to see it.
SPEAKER_01: Yeah. Yeah, and that's kind of a a great reminder as well. Like, just get a pen test. Sure, yes, just get a pen test. Like, because at the end of the day, like for a group like Qilin, I mean that's what you're looking at, right? And it's uh an extortion motivated pen test.
SPEAKER_02: Well, that's what I tell everybody. You're getting a pen test, do it on your own terms. Right, yeah. You're gonna get one one way or another. You should do it on your own terms. Um, so about the percentage that you mentioned, everything that I've seen was typically around the 10, 15, 20 percent. Yeah, I think the most I've ever heard of was 25 percent for what the aff what the ransomware gangs are paying an affiliate. Right. So the fact that they're paying 80, yeah, and you said it's or sometimes more, eighty under three million, eighty-five over three million.
SPEAKER_01: Yeah, those are the reports. I you know, I don't know. Like I I haven't talked to someone to verify, right? But the reports are that under three million on the ransom, if it's paid, Qilin pays out 80% to their affiliates. So much above three million, it's eighty-five percent.
SPEAKER_02: So much like a standard business, um, talent is following money. For sure. Yeah. It's just like any of the companies, you know, devs, really good high-level devs, tech devs, they make a ton of money. I mean, the pay is crazy. Right. And it's essentially, I think it's probably gonna be the same here. Right. And or if you're a good talented hacker and you, you know, you have that network of maybe initial access brokers, you have your whole workflow figured out and everything like that. Why would you go take 20 when you could take 80?
SPEAKER_01: Right. And think about the talent pool that they're gonna be able to pull from with that too, right? So that's that goes both ways.
SPEAKER_02: So And we've seen, I mean, I wonder if they'll start pulling from, you know, what's left of LockBit and things like that. Because we've seen some crazy, crazy stuff come out of there.
SPEAKER_01: I mean, they they I'm sure they are. I mean, if that may be one of the reasons why we see some of these other groups that that just kind of fizzle out, it's because they're not necessarily that they've got been popped or compromised by law enforcement. It's that their talent is going elsewhere. And again, like he said, you know, talent's gonna follow the money. So if you know if this is what you do for a living and you know, hey, I'm good at what I'm doing.
SPEAKER_02: Yep.
SPEAKER_01: And I know there's a group out there that will pay out this much. Why would I waste my time for these little 15, 20 percent payouts, maybe, versus if I'm gonna put in effort and go work somewhere, right? Potentially I'll have an 80% or more payout. It's kind of a no-brainer.
SPEAKER_02: I mean, I I've heard pretty abysmally low numbers for what some affiliates make per year. Yeah. I mean, like, you know, what uh it's not like if you it it's I guess it's closer to just normal job money.
SPEAKER_00: Yeah.
SPEAKER_02: You know, you're talking about people making forty, fifty thousand dollars a year. And it's like if I'm risking myself to go to prison and doing that sort of thing. Right. I I've like just go work a regular job at that point. Yeah. But if you're pulling in, you know, four times as much, it starts to get to the point where it's like, okay, I can see what it's enticing for people.
SPEAKER_01: Got the little devil on your shoulder. Yeah, you know.
SPEAKER_02: Yeah.
unknown: Yeah.
SPEAKER_01: And that's kind of it's kind of curious too, because um it it just kind of makes me think about the possibility of how they operate internally. Like how much do they actually do as the as the ransomware as a service group, right? Like, are they legitimately just finding just developing the tools and people are having to find their own entries and footholds? Like, how much are they actually putting in if they're only taking so much, right? Or how large are they? Um, because I don't know. It could just be like a hey, you know, we'll take this much of the cut and we'll give you this toolkit or these tools, and we'll handle the negotiation side of it, but you do everything else. Yeah, you've got to do your own exfil, you gotta, you know, do all the work. So maybe something like that. Uh you know.
SPEAKER_02: I know um well in 2025, it's it was a 280% increase from 2024. Right. So I mean explosive growth. Yeah. I mean, if you're any business, 280% increase is insane. Yeah. Um, and I think it's probably going to only be even more in 2026. Right. Um I know it it accounted for what I it's it's hard to do the research on it, you know, ransomware.live. Um, they said it was uh about 25% if you dig into their data. About 25% of all ransomware reported in 2025 was from this group. Right. Or at least 20%.
SPEAKER_01: And looking at the numbers from from this year, again, if if we go back just again, ransomware.live, shout out. Um for the last 90 days, the last 90 days alone of the um I don't know, let's see how many total number. I was like 1700 something victims this year. Um, so from January to March 17th, uh they've had 378 victims.
SPEAKER_02: Yeah.
SPEAKER_01: That's the last 90 days. The next highest group was Akira at 164.
SPEAKER_02: That's substantial. Yeah. It's substantial. Yeah, it's I mean, it's it's just a crazy amount. It really is. Um, and so I mean, another thing that's kind of a little bit I don't know, I guess it's probably wild to people. It's not super surprising to me, but they're not doing anything special that I've seen. You know, they're not buying up 0-days and hitting 0-days. They're they're kind of just doing the same thing that everybody else is doing that I've seen. You know, I mean they're hitting Windows, they're hitting Linux, they're hitting ESX, which sure, Linux. Um same if there's a popular vulnerability rolling around, we've we've seen them see them hit those, you know, edge devices, VPNs, things like that. That's not uncommon. Yeah. Um, but that's not uncommon with anybody. No. Uh phishing, of course. We've seen some phishing from them. And then uh people are reporting that they're also just buying access, valid credentials, things like that. Yeah. So buying up, you know, any sort of a uh a leak for credentials or things like that. I mean, and that's it's kind of the exact same thing we're seeing with anybody else, you know. They're not they're not breaking off of anything, they're just they're doing their own thing. Right. It seems to be working for them. They're living off the land a lot, yeah, and abusing Active Directory. So it's it's not like I have crazy unique IOCs for them. There are some IOCs, and we can we can provide some information for those. Um for they're not always doing encryption either, right? We've seen some cases personally where they didn't encrypt, isn't that correct?
SPEAKER_01: Correct. Yeah. The so one specifically there was not encryption. No, sorry, two. In two of them, there wasn't encryption, there was just data exfiltration. And then the ransom notes weren't left in the environment, they were emailed.
SPEAKER_02: Right. And they they contacted with phone and everything like that, too, didn't they?
SPEAKER_01: They sure did. Yep, they contacted via email. Um, they shot out kind of shotgun blast emails to different people for the company. Um, and then they called people. So they have found numbers and called people.
SPEAKER_02: Yeah.
SPEAKER_01: Uh, and that's always interesting to me too. Um uh but uh and then another one that we've worked was uh was in encryption in the environment too.
SPEAKER_02: So I do know one thing that's a little bit unique to them is they do have unique payloads per affiliate. Yeah. People have been able to attribute specific affiliates based on uh initial attack payloads.
SPEAKER_01: Yeah, and that's what kind of that's one thing I was asking, you know, talking about how they give people access to their toolkit. So I wonder if that is one way, but they're were they're using to track their affiliates for their own safety.
SPEAKER_02: If I had to guess, it's probably tweaking a loader and giving them, you know, access to that loader. Right. Um, but it's it's really hard to say without actually having it in hand. Yeah. Uh and I don't think there's been any anyone to pull the actual loader itself yet. We've had lots of malware and IOCs, but I have not come across a sample of a loader.
SPEAKER_01: Yeah.
SPEAKER_02: Load methods and attacks and things like that, but like an actual dropper I've not seen.
SPEAKER_01: Well, and I think, you know, curious about that too, is they at least the the ones we've investigated, there's been a lot of like anti-forensics done.
SPEAKER_02: Yeah.
SPEAKER_01: Um, I mean, as far as turning off syslog.
SPEAKER_02: Yeah.
SPEAKER_01: Or turning off logging on devices once they've gained access. Um and then they they clean up what they've done so they have they don't leave a lot of artifacts behind. Yeah.
SPEAKER_02: Um I've seen it um like Which I also wonder if that's per playbook or if that's per affiliate. I suspect it's per playbook from what we've seen so far.
SPEAKER_01: I mean, uh again, from the three that we've seen, it's it's been the same where there hasn't been a lot of artifacts. They've done anti-forensics, they've turned off syslog, they've turned off logging on gateway devices, things like that. So they definitely they they m try to make it very difficult to determine that initial entry point and what exactly they did to even find that, you know, the payload, like what actually and again for a couple of the cases, there's not really gonna be one if you just got into an environment through some maybe C you know CSV somewhere or CSV, CVE somewhere. Yeah um been looking at too many Excel sheets. Um but um you know if they're not encrypting anything, not a lot to go off of. You just you gotta hope you have logs that kind of tell you where they were at or how they may have gotten things out or what exactly they may have pulled from. So um, you know, that doesn't help in the forensics department when you when you just have that one method of extortion.
SPEAKER_02: That's true. It makes things a little bit more difficult, um, easier to recover from to an extent.
SPEAKER_01: Yeah, uh yeah, for sure. I think it kind of varies too, depending on the um what's the uh the industry, like whatever industry you're working in. Because sometimes, you know, even just your data leaving the environment might be just it might be game over, you know. That's true. Um but if if you know you can handle an event like that where hey, maybe there's some uh reporting that's coming your way, but you can bounce back from it, great. Um but uh they definitely don't shy away from trying to extort you even from that. So and it's kind of interesting to me. Like I think we saw um um I think we saw one of the one of the ransoms that they requested was as low as sixty thousand dollars. Oh wow. Which that was just uh data exfiltration as well. And so there wasn't a ransom. They had gotten in, they claimed, you know, X amount of data, uh, provided some samples, and then they would have provided a report and how they got in all this for like sixty thousand dollars, right? Um, and I think another one was like around 400 or 600,000. So it wasn't like in the millions, you know, but it's a lot of money still. Um, but that's still that's an expensive pen test, right?
SPEAKER_02: It is, it is, and whenever you're talking about they get 80%. The 60,000 is like if you got 10% of 60,000, are you going to fully compromise a company and sit on it and do everything like that for 10 grand? Yeah, probably or you know what however well like you're you're or six grand even, like a lot of them are 10%, you know. I mean, it's you're probably not gonna not gonna bother for that. So you so you're probably gonna have an initial amount that's much higher.
SPEAKER_01: Yeah. So what is your time worth at the end of the day?
SPEAKER_02: It's it's interesting. Um I think that the thing to really write home about it is not that they have some crazy techniques to this these they're you know writing their own 0-days or anything like that. They're tearing up the the market, I guess I could say the the the attack space is just because they have a better business model. Yeah, yeah. I mean that's really it. That's really it. They they're better compensation for their affiliates, better business model. Yeah, they are the competition. Yeah, they are. They are.
SPEAKER_01: They uh it's yeah, it's kind of crazy to think about just how all that I mean it's it's its own little economy, right? It is, you know, thinking of thinking about it, like I mean, yeah, it's all criminal, it's a criminal enterprise, but they have their own little economy and and social socials. I guess and oh yeah for sure. Um yeah just it's just interesting how all that how all that functions.
SPEAKER_02: Well they they advertise if you go on the crime boards you you find you find posts from Qilin where they say hunting for affiliates, these are the things that we do, this is what we pay. And the comments are all like, oh wow, you guys pay really well.
SPEAKER_01: I wonder if how they're operating is causing other groups to are they drawing negative attention to themselves from other groups, you think?
SPEAKER_02: Oh, probably. Yeah. I wouldn't be surprised by that. I mean, we've seen threat actors attack other threat actors before. Yeah. So it wouldn't surprise me. Um I don't know if it's happened, but it wouldn't surprise me. Yeah.
SPEAKER_01: And we mentioned uh we mentioned the name and where it came from, but uh Qilin is um uh they're out of Russia, right?
SPEAKER_02: Allegedly, that's what I've heard.
SPEAKER_01: Yeah.
SPEAKER_02: I've also heard a lot of people falsely claim that people are from Russia. I think people like to jump to it. Yeah. So I'm always a little bit skeptical when I hear that. But the only thing I've heard so far is that they're from Russia.
SPEAKER_01: Yeah. And I think based off of like the I mean, they call people, like I've heard feedback from people who've spoken to, you know, Eastern European accents, European accents. Yeah, heavy, heavy Europe Eastern European accent.
SPEAKER_02: Yeah, which we've seen several Eastern European countries get involved in attacks, though, not just Russia.
SPEAKER_01: Yeah, that's true. I think most of the I think there's only been like a handful of times where the threat actors have actually called the customers we're working with.
SPEAKER_02: That's not super common.
SPEAKER_01: But every time they have called, I want to say it's like three or four, they've always been Eastern Eastern European. One guy was very friendly. Yeah. He was just like, Hello, I'm sorry you're going through this. We can help you if you pay the ransom. And then just was kind of like he was kind of like nervous to be calling, you could tell. Yeah. And then uh they were just like, Well, why are you guys doing this? And he was like, Oh, I I know, I'm sorry, but if you want help, you have to have to pay. And they were just kind of polite for being, you know, a guy who just ransomed an environment. I mean, um catch more with honey. That's true, yeah. Again, but that's kind of like my tactic when I'm talking to them in these chats, too.
SPEAKER_02: Like, I try to like, hey dude, what's you know? I like to talk a lot of crap to see uh if if the paying if intentions of paying are not there. Yeah, I like to talk a lot of crap and uh talk about like where they screwed up to see if I can get them to give a little bit more information. Yeah, I've had some success with that, where just like, oh, you guys suck, you did this, lol, you're a noob, you don't even know what you're doing. Yeah, and they'll kind of like say sometimes they'll their ego will get the best of them and they'll start spilling some more information that you maybe didn't know.
SPEAKER_01: Right.
SPEAKER_02: Um that that can be uh, you know, it's just different tactics, I guess.
SPEAKER_01: Yeah, I always I don't know. I I try just to be very straightforward when I'm talking to them, especially if I'm doing it at the behest of like another company, or if there's a position where, like, you know, um, am I gonna say something that's gonna make them come, you know, attack again, do a you know, another reprisal attack or something.
SPEAKER_02: We do our job, do our job well. That's true.
SPEAKER_01: Well, yeah, it depends on on how ingrained we get into an environment after that kind of stuff too. So that's true. Sometimes it's just um an incident response. Hey, here's all your problems, fix them, but whether they're doing that or not. Like, and I don't necessarily like I mean, I'll sleep at night because it's not like I'm doing it, but of like, here's a list of problems, you gotta fix these as soon as possible. We'll do what we can on stuff, but but it's up to those companies at the end of the day to go make those changes.
SPEAKER_02: And that's very true. You don't want to put a bigger target on that. Yeah, yeah, that's fair.
SPEAKER_01: All right, so we covered where they're from, allegedly, kind of how they operate. Um, what other interesting things about Qilin? We got I I got a timeline of key events if we want to go through those, where they started out in 2022. Yeah. Um, where they established their presence on the RAMP forum. Uh oh yeah, they were first detected as Agenda ransomware. That was July of 22. Um, and then in September they rebranded to Qilin and they used a lot of Rust-based variants.
SPEAKER_02Yep. Yeah, which it's just that's kind of popular in general at this point. Yeah. It's and even with myself, it's it's easy to make it's easy to make Rust work really well against EDR.
SPEAKER_01Yeah. 2023, they targeted a lot of VMware ESXi and Linux variants.
SPEAKER_02Uh we have seen them attack ESXi from the OS level, which is a little bit unique. They're not the only ones that are doing it. It's it's become more common. Yeah. Um, but that is uh that is something where if you do find that you're dealing with them, um your ESXi is likely compromised at the system level. Yeah. You taught you're probably looking at a total system rebuild, not a virtual machine rebuild. Yeah, that's rough.
SPEAKER_01Yeah. Don't want that. Get a pen test. Um yeah, and then in 2025 when Ransom Hub went dark, um, pretty confident that Chi Lin absorbed a lot of those affiliates. Yeah. Which probably caused their explosion in 2025 because it was April. And then from there, I'm sure they just gained more and more uh more and more affiliates as it went on. Again, we can take a look at their percentage of attacks that they have for last year. I mean, they're already for the last 90 days, have like a quarter of the victims already. So they're probably going to continue that into this year. They're probably not going to slow down, they're probably going to grow faster. Uh, is that sustainable? I don't know. I think we kind of saw something not as not as similar, but with like Lockbit, how prolific they were for a long time. Um, you get a big target on your back.
SPEAKER_02Lockbit garnered a whole lot of attention from federal agencies. Yeah.
SPEAKER_01And I, you know, just uh hypothesis here, but if you're a ransomware group that's responsible for 25% of the attacks that we're seeing worldwide, you've probably got a pretty big target on your back. Almost almost certainly. Uh yeah. In 2025, they had uh in June of 2025 alone, they had 81 victims, which was a massive surge. Uh using credential harvesting for uh via GPOs and attacks. Yeah. And then early this year they're they're just killing it. They're busy. I've talked, you know, I do that talk about um the history of ransomware.
SPEAKER_02Yeah.
SPEAKER_01Um, and I talk about them a bunch just because how interesting it is, like how quickly that they've spun up and uh brought in all these new affiliates and just how prolific they have become just in this last year alone.
SPEAKER_02If people aren't aware of how the credential harvesting thing works, um you've probably heard of like Red Line Stealer and and you know, some of the you know, Quasar Red, which I guess that's a drawer for another Stealer, but most the any of the stealers, and they will go out to these forums and you'll buy access to stealer logs. Um, or somebody who's running a really wide net will will try to get stealer logs and everything. And they're typically it's targeting user computers and and low-level things like that. You know, they're putting out uh downloads and and different. We found them in Steam games, we found them in all kinds of stuff. And uh they are they're hoping that they're gonna hit a machine that also has logged into their company with a VPN, right? Something like that. They want to they want to gain that level to access to stuff. Um, and then if they get a lot of that good stuff, it goes into like a high-level uh Steeler log and they'll sell that to these groups. Right.
SPEAKER_01: All right, so let's get into some details about industries and who they target, because I think this will be important. And people watching this who are part of XYZ industry are like, oh, I'm, you know, healthcare, do we need to worry? Or, you know, we're in construction, what do we do? And it's like, well, if you're in an industry, you should be concerned. Yeah. Yeah. Uh they don't really have a specific industry they like to target. Uh, though in the past, what we know so far from like, you know, year-to-date kind of stuff, uh, or from last year to date, um, professional services was the most hit at 112 victims. Um, manufacturing and industrial products was 98 victims, healthcare and sciences was 67, engineering and construction was 58, consumer and retail was a little under 53, and then also prominent in government. Uh, so anything education, uh, US state and local entities, uh, things like that, they were hitting them pretty hard. Uh geographically, the United States was hit the hardest, followed by Canada, UK, France, Germany, Australia, Brazil, and over 60 other countries. So, and that's one thing that I kind of look at as well uh when trying to determine where these groups are based out of, like uh where they're hitting the most. Obviously, a lot of threat groups are just gonna hit the United States because, you know, our economy and what all that looks like and the businesses we have. Um but I'm always curious, like, are they hitting any targets in Russia? That might give you a little hint of where they are or where they aren't.
SPEAKER_02: Yeah, but typically they will avoid any former USSR nations. Yeah. Uh any of the Combloc nations, they don't want to hit at all.
SPEAKER_00: Yeah.
SPEAKER_02: Uh and they'll go as far as, I don't know if we're seeing it with them, but I mean the old thing where they look to see what languages are installed on a computer, what language is native. Um and if it's, you know, a Cyrillic keyboard, they will bounce out of that machine and not touch it.
SPEAKER_01: Is that a defense mechanism for companies? I don't know.
SPEAKER_02: I have known people that have tried it.
SPEAKER_01: I don't know how effective it is. This is a critical server. We're gonna put it all in Russian. Install the Cyrillic keyboard. Yeah. I don't know. I mean, it's a thought, you know, if you're that concerned about it, who knows? Yeah. Um, and then uh organizations, like who they target, again, it's pretty much anyone they can get into. Um, they tend to focus on high-value entities and have avoided small businesses. Now, I can say that's not completely true. They have hit small businesses, um, but they probably do the, you know, how much effort are we gonna have to put into this versus what's the reward? Um, they're probably far more likely to target companies that have some kind of cybersecurity policy that they know about or would have the money to pay out on the attack. Um and you just kind of learn, I mean, it's been from our experience too, like small companies just typically don't even have the ability to pay out if they want to.
SPEAKER_02: Typically not.
SPEAKER_01: So it's like if you go in and compromise a small business, yeah, you may shut down their business, but most of the time they use ZoomInfo. Yeah.
SPEAKER_02: We've just seen a lot, we've seen a lot of actors that pull up ZoomInfo and they go, what does this company do in a quarter?
SPEAKER_01: Yeah. And then um, it was the top threat to US SLTT governments, and they accounted for 24% of the incidents in Q2. So, wow. They're targeting government entities. Yeah, no problem. So, and then platforms, you know, anything from Windows, Linux, VMware, VMware ESXi, um, any kind of virtualization disruption as well. So, again, going into 2026 for them, they're not slowing down at all. And they're maintaining their pace from the end of last year. They're probably only going to ramp up more. Um, yeah, you know, as they get more talent, as more affiliates migrate to them just because that's where the money is. Um, I think we'll probably see them several times this year.
SPEAKER_02: Unfortunately, I think you're correct. Yeah. More than we already have.
SPEAKER_01: Yeah. For sure. But, you know, it's just the nature of the beast, really. It is. You know, people, or organizations, companies, whatever, just, uh, it's like if you pretend it's not there, if you pretend it's not gonna happen, like, you know, it just doesn't exist. We don't know what that mentality is.
SPEAKER_02: Yeah, that's just like turning a blind eye to your security.
SPEAKER_01: Yeah, and it's just, I don't know, talking to Kim about this, you know, our CISO, like a lot of it comes down to like some companies just don't even have the policies and procedures in place. Like they just don't know, or, you know, they can't afford a SOC. They know that they need some kind of security, but they have no idea where to even begin. Yep. And so it's something that I talk about on the SOC Brief a lot as well. Because, you know, we do that podcast just as a way to try to get, you know, anyone who's in a SOC or interested in that blue team side of things, just some information about what's going on. And I just kind of impress, like, even if you don't have a SOC, if you have some type of security team, like having open communications or lines of dialogue with your C-suite or whoever your leadership is is like critical. Um because that's gonna be your first step in helping identify those kind of uh risks to the organization. Um, and so if you're listening to this and you're like, wow, these guys are prolific and they sound like they're going everywhere, like what's the concern for my group? And, you know, we only have a SOC, but still there. Like any company out there who has some kind of web presence is gonna be at risk. And yeah, they might avoid the much smaller, like small businesses, but if they think there's the possibility of a payout, or if it's an easy layup for them to attempt, you know, if we're talking about, I think some of the dwell times have been as low as 18 days for them, uh, even quicker. So um, you know, they can get in and get out, or get in, figure out, you know, what they need to take. Is this gonna be worth it? I'm curious how many, I always think about this too. It's kind of a silly thought, but like, how many times has a group got into an environment, looked around, and went, nah, it's not worth it, and got out.
SPEAKER_02: Well, it's hard to attribute that for certain. Yeah. But we've definitely seen where they got in and didn't go further. Right. And I don't know if that's we caught an initial access broker before they could sell it or anything like that. Um, because I think that's also, people talk about dwell time.
SPEAKER_01: Yeah.
SPEAKER_02: How much of that is an initial access broker gained access and took a couple months to get it sold.
SPEAKER_01: To sell it, yeah.
SPEAKER_02: I think that's probably a significant portion of it.
SPEAKER_01: Yeah, most likely nowadays, for sure. Especially again with the ransomware as a service and all these affiliate groups and stuff. And I don't know, like it's not really there uh anymore, but there's, you know, different breach forums, and, you know, there's so many. There's still a lot of them, yeah. That you can just, again, if you're just a guy who's like, well, I found access, I'm not gonna do anything with it, you know. I'm not doing anything illegal, but I'll sell this information to someone else who will do something with it, you know. Um, there's probably a lot of those kind of characters out there too. So um I don't know. It's just uh just kind of uh kind of curious about that. Yeah. All right. Well, I think that is gonna wrap up our episode discussing Qilin.
SPEAKER_02: Yeah, Qilin. Qilin. A little bit of a short one today, but yeah, I think it's uh an interesting thing to talk about because it really is changing the landscape.
SPEAKER_01: Truly, yeah. Again, the ransomware as a service stuff just keeps growing. Yeah. And uh again, the payouts that they're giving affiliates, like. We'll see how long it goes before uh someone figures them out or decides you gotta go.
SPEAKER_02: Whether it's another group, or see how much attention they get from law enforcement. Yeah.
SPEAKER_01: Yeah. Well, again, I think they're probably getting attention from other groups too. If groups are losing their talent to them because of certain payouts.
SPEAKER_02: Almost certainly. Is it sustainable? We'll find out next week. Find out on Dragon Ball Z. On the Secure AF podcast.
SPEAKER_01: Oh, yeah. On the Secure AF podcast. Thanks, everybody. All right. Bye.
SPEAKER_00: The Secure AF Podcast is a production of Alias Cybersecurity. Visit us online at aliascybersecurity.com. All rights reserved.