Enhanced Qilin.B Ransomware Adopts Anti-Detection Tactics

Cybersecurity experts have identified a new version of Qilin ransomware, named Qilin.B, which combines stronger encryption with evasion techniques that make detection harder and decryption without the operators' keys infeasible.

The variant reflects the continued evolution of the group's tooling and keeps Qilin among the more significant threats in the ransomware landscape.

According to recent reports, Qilin.B now uses AES-256-CTR on systems whose CPU supports AES-NI, and falls back to ChaCha20 on systems that lack it; both are stream modes, so the choice is about speed on the target hardware rather than strength. The per-file encryption keys are in turn protected with RSA-4096 using OAEP padding, so files cannot be decrypted without the operators' private key or the seed values from which the keys were derived.
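To make the key-management point concrete, the following is an added Go example (not Qilin.B's code, and not taken from any report on it) of the hybrid scheme the paragraph describes on the AES-NI path: a fresh random AES-256 key per file, AES-256-CTR over the contents, and that key wrapped with RSA-OAEP so only the holder of the private key can unwrap it. The SHA-256 OAEP hash, the Blob layout, and the function names are assumptions; the ChaCha20 fallback is omitted because it is not in Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Blob is the layout this example assumes for one encrypted file: the
// per-file AES key wrapped with the operator's RSA public key, the CTR
// nonce, and the ciphertext. The real on-disk format is not described.
type Blob struct {
	WrappedKey []byte
	IV         []byte
	Ciphertext []byte
}

// EncryptFile runs the hybrid scheme for the AES-NI path: a random 256-bit
// key per file, AES-256-CTR over the contents, and the key wrapped with
// RSA-OAEP (SHA-256 assumed). Go's crypto/aes uses AES-NI when the CPU has it.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*Blob, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, block.BlockSize())
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	// Only the wrapped form is stored; the raw key is wiped from memory.
	for i := range key {
		key[i] = 0
	}
	return &Blob{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// DecryptFile is the step the victim cannot perform: unwrapping the file key
// requires the RSA private key, which never leaves the operators.
func DecryptFile(priv *rsa.PrivateKey, b *Blob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(b.Ciphertext))
	cipher.NewCTR(block, b.IV).XORKeyStream(pt, b.Ciphertext)
	return pt, nil
}

func main() {
	// Operator key pair; in a real campaign only the public half ships in the binary.
	priv, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		panic(err)
	}
	sample := []byte("constructed sample document contents") // constructed input
	blob, err := EncryptFile(&priv.PublicKey, sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(blob.WrappedKey), len(blob.Ciphertext))

	// A key pair generated on the victim side cannot unwrap the file key.
	other, _ := rsa.GenerateKey(rand.Reader, 4096)
	if _, err := DecryptFile(other, blob); err != nil {
		fmt.Println("wrong private key:", err)
	}
	got, err := DecryptFile(priv, blob)
	fmt.Println("operator key recovers plaintext:", err == nil && bytes.Equal(got, sample))
}
```

The point for defenders is structural: every file gets its own random key, and the only copy of that key on disk is RSA-wrapped, so there is nothing to brute-force and recovery depends on backups rather than cryptanalysis.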

Initially spotted in mid-2022, Qilin (also tracked as Agenda) first appeared written in Go before being rewritten in Rust, a change that makes the payload harder to analyze and easier to port across platforms.

An earlier analysis in May 2023 indicated that Qilin operates under a ransomware-as-a-service (RaaS) model in which affiliates keep between 80% and 85% of ransom payments. Beyond conventional double extortion (encryption plus data theft), recent Qilin intrusions have also harvested credentials saved in Google Chrome on compromised endpoints, broadening the group's tactics.

Analysts have also observed that Qilin.B builds on its predecessors with refined encryption and additional measures to bypass security tools, clear Windows Event Logs, and remove itself after encryption. It is particularly disruptive to recovery: it terminates services tied to backup and virtualization tools and to critical applications such as Veeam, SQL, and SAP, then deletes volume shadow copies to obstruct data restoration.
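The recovery-sabotage behaviours in that paragraph are the most dependable place to catch this family before encryption finishes, because they surface as ordinary process-creation events. The following is an added Go example (not from the page and not any vendor's detection content) of that logic run over constructed process-creation records; the rule patterns, the two-behaviours-per-host threshold, and the sample events are assumptions, and the self-deletion rule matches a generic "ping then del" idiom since the text does not say how Qilin.B removes itself.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Event is one process-creation record (for example Sysmon Event ID 1 or
// Windows Security 4688) reduced to the fields the rules need.
type Event struct {
	Host        string
	Image       string
	CommandLine string
}

// Rule pairs a finding name with a command-line pattern.
type Rule struct {
	Name    string
	Pattern *regexp.Regexp
}

// Rules cover the behaviours the text describes: shadow copy deletion, event
// log clearing, and stopping backup/virtualization services. The self-deletion
// rule is an assumed generic idiom, not a documented Qilin.B command line.
var Rules = []Rule{
	{"shadow-copy-deletion", regexp.MustCompile(`(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)`)},
	{"event-log-clearing", regexp.MustCompile(`(?i)(wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog)`)},
	{"backup-service-termination", regexp.MustCompile(`(?i)(\b(net1?|sc)(\.exe)?\s+stop\s+|taskkill(\.exe)?\s.*?/im\s+)\S*?(veeam|sql|sap|vmms|vmware)`)},
	{"self-deletion", regexp.MustCompile(`(?i)cmd(\.exe)?\s+/c\s+.*?\b(ping|timeout)\b.*?&\s*(del|erase)\s+`)},
}

// Match returns the names of every rule whose pattern hits the command line.
func Match(e Event) []string {
	var hits []string
	for _, r := range Rules {
		if r.Pattern.MatchString(e.CommandLine) {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

// Triage groups hits per host and reports only hosts showing at least two
// distinct behaviours, which separates a lone admin command from the clustered
// pre-encryption sequence ransomware produces.
func Triage(events []Event) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, e := range events {
		for _, name := range Match(e) {
			if seen[e.Host] == nil {
				seen[e.Host] = map[string]bool{}
			}
			seen[e.Host][name] = true
		}
	}
	out := map[string][]string{}
	for host, names := range seen {
		if len(names) < 2 {
			continue
		}
		for n := range names {
			out[host] = append(out[host], n)
		}
		sort.Strings(out[host])
	}
	return out
}

// SampleEvents are constructed for this example; they are not real telemetry.
// WS01 shows the clustered sabotage sequence; WS02 shows benign look-alikes.
var SampleEvents = []Event{
	{"WS01", `C:\Windows\System32\vssadmin.exe`, `vssadmin.exe delete shadows /all /quiet`},
	{"WS01", `C:\Windows\System32\wevtutil.exe`, `wevtutil.exe cl Security`},
	{"WS01", `C:\Windows\System32\net.exe`, `net stop VeeamBackupSvc /y`},
	{"WS01", `C:\Windows\System32\cmd.exe`, `cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\Users\Public\locker.exe"`},
	{"WS02", `C:\Windows\System32\wevtutil.exe`, `wevtutil.exe qe Security /c:5`},
	{"WS02", `C:\Windows\System32\net.exe`, `net stop Spooler`},
	{"WS02", `C:\Windows\System32\vssadmin.exe`, `vssadmin.exe list shadows`},
}

func main() {
	for host, findings := range Triage(SampleEvents) {
		fmt.Printf("%s: %v\n", host, findings)
	}
}
```

The threshold matters more than any single pattern: backup administrators do stop Veeam services and do clear logs, but rarely both within the same short window on the same host alongside shadow copy deletion, so requiring two distinct behaviours keeps the alert actionable.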

In a broader context, the ongoing evolution of ransomware tooling is underscored by another newly discovered family, Embargo, whose components are likewise written in Rust.

Embargo's attacks are staged through a malicious loader called MDeployer, which handles ransomware deployment and encryption on compromised networks. To evade security software, the campaign uses Bring Your Own Vulnerable Driver (BYOVD), in which a legitimately signed but exploitable driver is loaded to obtain kernel-level access; here it is used to run MS4Killer, an endpoint detection and response (EDR) killer designed to run persistently and terminate protective software before the encryptor executes.

This evolving threat landscape, especially the increased ransomware targeting of critical sectors like healthcare, illustrates how disruptive these attacks can be. Recent data shows that ransomware attacks on U.S. healthcare facilities have cost up to $900,000 per day in downtime, with ransom demands averaging $4.4 million per incident.


To minimize the risk of ransomware attacks, organizations should prioritize strong cybersecurity practices, including regular software and operating system updates, robust data backups, and endpoint security. Implementing multi-layered defenses like EDR solutions and conducting employee training to identify phishing tactics can further reduce vulnerability.