Qilin ransomware operators are executing Linux ELF encryptors on Windows hosts by enabling or installing Windows Subsystem for Linux (WSL) after initial access. They transfer ELF payloads (e.g., via WinSCP), launch them inside WSL (wsl.exe -e), and combine this with BYOVD, DLL sideloading, remote‑access tools, and overlays to disable defenses and maximize impact across hybrid Windows/Linux environments.
Technical breakdown
- Initial foothold: Remote‑access tools (AnyDesk, ScreenConnect, Splashtop) and credential theft are used to move laterally and stage payloads.
- Payload delivery: ELF encryptors are transferred to Windows hosts (observed using WinSCP) instead of Windows PE binaries.
- Execution technique: Attackers enable/install WSL and run the ELF encryptor via WSL commands (for example, wsl.exe -e /path/to/encryptor).
- Evasion methods: BYOVD using signed vulnerable drivers (e.g., eskle.sys) to kill EDR/AV processes, DLL sideloading to drop kernel drivers, and use of tools like dark-kill/HRSword to disable or uninstall security agents.
- Targeting focus: Encryptors include features to handle ESXi and VM snapshots; affiliates prioritize high-value targets and data exfiltration prior to encryption.
- Detection gap: Many Windows EDR/AV solutions focus on PE behavior and userland Windows API telemetry, missing malicious activity executed inside WSL userland Linux processes.
Immediate mitigations (priority list)
- Block or restrict WSL on endpoints where it is not required using group policy, Intune configuration, or system hardening baselines.
- Harden remote access tooling: enforce MFA, restrict access to management tools by IP and conditional access, and require jump hosts with strong auditing.
- Prevent BYOVD abuse: block known signed-but-vulnerable drivers; use driver blocklists and require driver installation policies; monitor kernel driver load events.
- EDR/visibility for WSL: ensure telemetry includes child processes of wsl.exe, filesystem activity within %LOCALAPPDATA%\Packages\* or WSL distro folders, and command-line invocations of wsl.exe.
- Endpoint controls: disable WinSCP, SCP/SFTP, and other unmanaged file transfer tools via app control policies; restrict execution of unsigned binaries and scripts.
- Backups and offline copies: verify immutable or air-gapped backups and test restore procedures for VMware/ESXi and Windows workloads.
- Limit lateral movement: enforce least privilege for service accounts, rotate credentials after suspected exposure, and require privileged access workstations (PAWs) for administrative tasks.
Detection and hunting guidance
- Hunt signals: unexpected enabling/installation of WSL (Enable-WindowsOptionalFeature or dism.exe), calls to wsl.exe with -e or command arguments, ELF files appearing inside Windows file system, and new WSL distributions created.
- Process lineage: flag wsl.exe spawning unfamiliar child processes or invoking binaries stored in user profile directories.
- Kernel telemetry: monitor for new driver loads (esp. eskle.sys, rwdrv.sys, hlpdrv.sys) and unsigned/replaceable kernel components; alert on driver installs outside change windows.
- File and clipboard anomalies: large exfiltration events; use of WinSCP or SCP; unexpected archive creation (WinRAR/Cyberduck usage).
- Behavioral correlation: combine telemetry for EDR kill attempts, service stop/uninstall commands, remote access sessions, and near-immediate WSL activation to raise triage priority.
- Network indicators: Splashtop/AnyDesk/ScreenConnect sessions originating from anomalous geolocations or at odd hours; C2 domains if available from threat intel.
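The hunt signals above, turned into a small scoring rule as an added example (not code from the original article or from any vendor): it runs over constructed Sysmon-style process-create and driver-load records, and the field names, regexes and sample events are assumptions, not a product schema.

```python
import re

# Field names (event, parent, image, cmdline) are assumed Sysmon-style keys.
WSL_FEATURE = re.compile(r"Microsoft-Windows-Subsystem-Linux|wsl(?:\.exe)?\s+--install", re.I)
WSL_EXEC = re.compile(r"(?:^|\s)(?:-e|--exec)\s+(\S+)", re.I)
USER_PROFILE = re.compile(r"^(?:[a-z]:\\users\\|/mnt/[a-z]/users/)", re.I)
SUSPECT_DRIVERS = {"eskle.sys", "rwdrv.sys", "hlpdrv.sys"}  # driver names from the hunt list


def score_event(ev: dict) -> list:
    """Return the hunt findings matching one event; an empty list means no hit."""
    hits = []
    image = ev.get("image", "")
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("cmdline", "")
    parent = ev.get("parent", "").lower()
    if ev.get("event") == "driver_load":
        return ["known BYOVD driver loaded"] if name in SUSPECT_DRIVERS else hits
    # WSL being enabled via DISM / PowerShell or installed via wsl --install
    if name in ("dism.exe", "powershell.exe", "wsl.exe") and WSL_FEATURE.search(cmd):
        hits.append("WSL feature enabled/installed")
    # wsl.exe executing a binary directly; note where that binary lives
    if name == "wsl.exe" and (m := WSL_EXEC.search(cmd)):
        hits.append("wsl.exe -e execution")
        if USER_PROFILE.match(m.group(1)):
            hits.append("target binary under a user profile")
    # wsl.exe as parent of a child launched from a user profile directory
    if parent.endswith("wsl.exe") and USER_PROFILE.match(image):
        hits.append("wsl.exe child launched from a user profile")
    return hits


def hunt(events: list) -> list:
    """Run score_event over a batch; keep (index, findings) for events that hit."""
    return [(i, h) for i, ev in enumerate(events) if (h := score_event(ev))]


# Constructed sample telemetry, not real captures from any incident.
SAMPLE_EVENTS = [
    {"event": "process_create", "parent": "cmd.exe", "image": r"C:\Windows\System32\dism.exe",
     "cmdline": "dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux"},
    {"event": "process_create", "parent": "cmd.exe", "image": r"C:\Windows\System32\wsl.exe",
     "cmdline": "wsl.exe -e /mnt/c/Users/svc_backup/AppData/Local/Temp/enc"},
    {"event": "process_create", "parent": r"C:\Windows\System32\wsl.exe",
     "image": r"C:\Users\svc_backup\Downloads\enc.elf", "cmdline": "enc.elf"},
    {"event": "driver_load", "image": r"C:\Windows\Temp\eskle.sys", "cmdline": ""},
    {"event": "process_create", "parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]
```

Feed real process-create and driver-load events in the same shape to `hunt()` and correlate its findings with the remote-access and EDR-kill telemetry listed above to raise triage priority.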
Policy and architecture recommendations
- Endpoint hardening policy: explicitly enumerate allowed Windows optional features and disable WSL where not business‑required.
- Application control: implement allow‑listing (Microsoft AppLocker or Defender Application Control) to prevent execution of unauthorized utilities and transfer tools.
- Privilege management: require just‑in‑time and just‑enough access for admin tasks; separate admin workstations from internet‑facing or general‑purpose endpoints.
- EDR enhancement: work with the vendor to extend monitoring into the WSL context and capture Linux userland behaviors originating from wsl.exe.
- Backup sanctity: implement immutable snapshots for virtual infrastructure (ESXi) and enforce offline backup retention to mitigate ransomware encryption of backups.
- Incident playbooks: update IR runbooks to include WSL/ELF detection, driver removal isolation steps, and steps to preserve forensic evidence inside WSL filesystems.