Researchers infiltrate a ransomware operation and discover slick services behind Qilin's Rust-based malware variant.

Dark Reading Staff, Dark Reading

May 16, 2023


Ransomware-as-a-service (RaaS) operation Qilin has been arming its affiliates with malware and supporting services to target education, healthcare, and other critical sectors of the worldwide economy, paying out an industry-leading 80% to 85% of takings to the partners.

Researchers from Group-IB were able to infiltrate the Qilin operation in March, and what they found was a one-stop shop for aspiring cybercriminals to get their hands on advanced, customizable ransomware, a defined payment structure, and encryption services to support double-extortion operations (i.e., demanding money to decrypt the data, as well as an additional fee not to release the data on a Dark Web leak site).

Ransomware attacks backed by Qilin operators typically begin with a phishing email, the Group-IB team observed. The Qilin ransomware variant itself has evolved since its July 2022 roots: it was initially written in the Go programming language (Golang), while its current iteration is written in Rust. That makes it difficult to detect and simple to customize for each campaign, Group-IB said in its report on the RaaS operation.

"Having infiltrated Qilin, Group-IB Threat Intelligence researchers were able to analyze the inner workings of the affiliate program and all sections of Qilin's admin panel," the Group-IB report said.

The Qilin RaaS team provides everything from intelligence on targets and customizable, buildable malware to ransom note templates, the Group-IB team found.

The researchers warn that RaaS operator Qilin is actively recruiting new affiliates and improving its tools and operations, making it an important emerging ransomware threat to keep an eye on.

"Although Qilin ransomware gained notoriety for targeting critical sector companies, they are a threat to organizations across all verticals," the Group-IB report warned. "Moreover, the ransomware operator’s affiliate program is not only adding new members to its network, but it is weaponizing them with upgraded tools, techniques, and even service delivery."
