Full Report
The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools. [...]
Analysis Summary
# Tool/Technique: Qilin Ransomware (Leveraging WSL for Linux Encryptors)
## Overview
Qilin (formerly Agenda) is an active ransomware operation targeting organizations globally. The key innovation observed is the utilization of the Windows Subsystem for Linux (WSL) environment within Windows hosts to execute Linux ELF-based encryptors, aiming to evade traditional Windows-focused security monitoring tools and Endpoint Detection and Response (EDR) solutions.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows hosts running WSL; Linux targets (specifically noted for VMware ESXi).
- Capabilities: Encryption of files, data exfiltration, evasion via native execution of dissimilar malware binaries.
- First Seen: Initial variant "Agenda" in August 2022; rebranded to Qilin by September 2022. The WSL execution technique is a more recent observation; the report's context places it in late 2025.
## MITRE ATT&CK Mapping
While the article describes a specific execution method, the overall goal falls under Impact, with Defense Evasion as the supporting tactic.
- **TA0004 - Privilege Escalation** (Related to BYOVD usage preceding encryption)
- **T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control** (Potential indirect link if used for initial setup/WSL activation)
- **TA0005 - Defense Evasion**
- **T1070.001 - Indicator Removal: File Deletion** (Implied during cleanup/disabling security tools)
- **TA0040 - Impact**
- **T1486 - Data Encrypted for Impact** (The core function of the ransomware)
*(Note: Running Linux ELF binaries on Windows through WSL is a novel implementation detail. It intersects with existing Command and Scripting Interpreter sub-techniques such as T1059.006 (Python), and would fit a WSL-specific T1059 sub-technique if ATT&CK defined one, but it is primarily a **Defense Evasion** tactic.)*
## Functionality
### Core Capabilities
- **Ransomware Encryption:** Encrypts victim files, with specific adaptations observed for targeting VMware ESXi virtual machines and servers.
- **Data Staging/Exfiltration:** Uses tools like Cyberduck and WinRAR for data theft prior to encryption.
- **Initial Access & Lateral Movement:** Relies on common remote access tools (AnyDesk, ScreenConnect, Splashtop) and stolen credentials.
### Advanced Features
- **WSL Execution for Evasion:** Installing or enabling WSL, then using it to execute Linux ELF binaries (the encryptor) directly on the Windows host, bypassing Windows PE-focused EDR/AV solutions.
- **Security Tool Disablement:** Employing Bring Your Own Vulnerable Driver (BYOVD) attacks using signed but vulnerable drivers (e.g., `eskle.sys`) to terminate AV/EDR processes.
- **Kernel Privilege Gain:** Using DLL sideloading to deploy kernel drivers (`rwdrv.sys` and `hlpdrv.sys`) for deeper system control.
- **Anti-Security Tooling:** Using third-party tools like "dark-kill" and "HRSword" to disable security software, alongside native commands (`sc.exe`) to stop services or executing vendor uninstallers (`uninstall.exe`).
- **Pre-Encryption Reconnaissance:** Utilizing built-in Windows utilities like `mspaint.exe` and `notepad.exe` to inspect documents for sensitive data prior to exfiltration.
## Indicators of Compromise
*Note: Specific file hashes or network indicators were not provided in the article summary.*
- File Hashes: [Not specified]
- File Names: `SRManager.exe` (Splashtop, used for launching payload), Linux ELF encryptor (transferred via WinSCP).
- Registry Keys: [Not specified]
- Network Indicators: [Not specified; the RMM tools noted above likely served as command-and-control channels earlier in the intrusion]
- Behavioral Indicators: Installation or activation of WSL; execution of Linux ELF files via `wsl.exe -e` command line; behavior associated with disabling security services/processes; use of known vulnerable drivers (`eskle.sys`, `rwdrv.sys`, `hlpdrv.sys`).
## Associated Threat Actors
- Qilin Ransomware Operation (formerly Agenda)
## Detection Methods
- **Signature-based detection:** Ineffective against the core encryption step if the Linux ELF payload signature is unrecognized by Windows AV/EDR.
- **Behavioral detection:** Critical for detecting the **setup phase**: enumeration of security tools, use of BYOVD techniques, system command execution aimed at disabling services (`sc.exe`), and the initial activation/installation of the WSL feature or subsequent execution of `wsl.exe`.
- **YARA rules:** Would need specialized rules targeting the characteristics of the Linux ELF encryptor binary itself.
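The behavioral indicators and detection points above can be turned into a small correlation rule set. The following is an added example written for this summary, not code from the article or from any vendor product: it parses constructed Sysmon-style process-creation (EventID 1) and driver-load (EventID 6) records, flags WSL feature activation, `wsl.exe -e` launches, `sc.exe` service stops and loads of the three driver names quoted above, and then raises a single high-confidence alert only when a host shows security tampering *and* WSL execution. The log format, host names, the `ExampleAVService` name and the file paths are all constructed; the DISM feature name `Microsoft-Windows-Subsystem-Linux` and `wsl.exe --install` are the real activation commands and are assumed to be how WSL gets enabled in the monitored environment. The `sc.exe delete` check is an addition beyond the report, which only cites `stop`.

```python
"""Behavioural detection for the WSL-execution chain described in the report.

Added example, not part of the original analysis. Operates on constructed
Sysmon-style records and applies the report's behavioural indicators.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Driver names quoted in the report; treat as a starting list, not a complete one.
VULNERABLE_DRIVERS = {"eskle.sys", "rwdrv.sys", "hlpdrv.sys"}
# Real DISM / PowerShell optional-feature name for WSL (lowercased for matching).
WSL_FEATURE = "microsoft-windows-subsystem-linux"
# 'stop' is what the report cites; 'delete' is an added common variant (assumption).
SC_TAMPER_VERBS = {"stop", "delete"}


@dataclass
class Alert:
    host: str
    rule: str
    severity: str
    detail: str


@dataclass
class Event:
    host: str
    event_id: int
    fields: dict


def parse_event(line: str) -> Event:
    """Parse one constructed 'host=X event_id=N Key="value" ...' record."""
    pairs = re.findall(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)', line)
    fields = {k: v.strip('"') for k, v in pairs}
    return Event(fields.pop("host"), int(fields.pop("event_id")), fields)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> list[Alert]:
    """Apply the per-event behavioural rules from the report."""
    alerts: list[Alert] = []
    if ev.event_id == 6:  # Sysmon DriverLoad
        name = _basename(ev.fields.get("ImageLoaded", ""))
        if name in VULNERABLE_DRIVERS:
            alerts.append(Alert(ev.host, "vulnerable_driver_load", "high", name))
        return alerts
    if ev.event_id != 1:  # only ProcessCreate handled below
        return alerts
    image = _basename(ev.fields.get("Image", ""))
    parent = _basename(ev.fields.get("ParentImage", ""))
    cmd = ev.fields.get("CommandLine", "").lower()
    argv = cmd.split()
    # WSL activation: DISM/PowerShell feature name anywhere, or 'wsl.exe --install'.
    if WSL_FEATURE in cmd or (image == "wsl.exe" and "--install" in argv):
        alerts.append(Alert(ev.host, "wsl_feature_enabled", "medium", cmd))
    # Linux binary launched from Windows via 'wsl.exe -e' / '--exec'; record the parent.
    if image == "wsl.exe" and ({"-e", "--exec"} & set(argv)):
        alerts.append(Alert(ev.host, "wsl_exec_linux_binary", "high", f"{parent} -> {cmd}"))
    # Service tampering with the native service controller.
    if image == "sc.exe" and SC_TAMPER_VERBS & set(argv[1:]):
        alerts.append(Alert(ev.host, "sc_service_tamper", "medium", cmd))
    return alerts


def correlate(alerts: list[Alert]) -> list[Alert]:
    """Escalate only hosts that show tampering *and* WSL execution (reduces dev-box noise)."""
    rules_by_host: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        rules_by_host[a.host].add(a.rule)
    chain: list[Alert] = []
    for host, rules in rules_by_host.items():
        tamper = rules & {"vulnerable_driver_load", "sc_service_tamper"}
        if "wsl_exec_linux_binary" in rules and tamper:
            chain.append(Alert(host, "qilin_like_chain", "critical",
                               "tampering followed by WSL execution: " + ", ".join(sorted(rules))))
    return chain


def analyze(lines: list[str]) -> list[Alert]:
    """Per-event alerts in input order, followed by per-host chain alerts."""
    alerts: list[Alert] = []
    for line in lines:
        if line.strip():
            alerts.extend(check_event(parse_event(line)))
    return alerts + correlate(alerts)


# Constructed sample records: WS01 shows the full chain, DEV02 is a developer using WSL normally.
SAMPLE_LOG = r"""
host=WS01 event_id=1 Image="C:\Windows\System32\dism.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart"
host=WS01 event_id=1 Image="C:\Windows\System32\sc.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="sc.exe stop ExampleAVService"
host=WS01 event_id=6 ImageLoaded="C:\Windows\Temp\eskle.sys" Signed="true"
host=WS01 event_id=1 Image="C:\Windows\System32\wsl.exe" ParentImage="C:\Program Files\Splashtop\SRManager.exe" CommandLine="wsl.exe -e /mnt/c/Users/Public/encryptor"
host=DEV02 event_id=1 Image="C:\Windows\System32\wsl.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="wsl.exe -e bash -lc ls"
host=DEV02 event_id=1 Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe C:\Users\dev\notes.txt"
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity:8}] {a.host} {a.rule}: {a.detail}")
```

The point of the `correlate` step is the caveat from the detection notes: `wsl.exe -e` alone is routine on developer machines, so it is the sequence (driver load or service stop, then WSL execution, with an RMM binary such as `SRManager.exe` as the parent) that distinguishes this chain from ordinary use.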
## Mitigation Strategies
- **Restrict Unnecessary Features:** Disable or strictly control the installation and usage of the Windows Subsystem for Linux (WSL) on endpoints where it is not required for business operations.
- **Application Control:** Implement strict application allow-listing to prevent unauthorized software installation (like RMM tools) or execution of unknown scripts.
- **Vulnerability Management (Drivers):** Implement robust controls to prevent the loading of untrusted or vulnerable drivers (e.g., kernel patching, driver signing enforcement or HVCI).
- **EDR Focus:** Ensure EDR solutions are configured to monitor cross-platform behaviors, specifically process calls involving `wsl.exe`, and look for kernel-level manipulation attempts associated with BYOVD.
- **Process Monitoring:** Monitor for the execution of common reconnaissance tools (`mspaint.exe`, `notepad.exe`) in unusual sequences or contexts associated with data review before exfiltration.
## Related Tools/Techniques
- Bring Your Own Vulnerable Driver (BYOVD) Attacks
- Remote Management Tools (AnyDesk, ScreenConnect, Splashtop)
- Generic Ransomware Tactics (Data Exfiltration, Credential Theft)
- Use of legitimate tools for malicious purposes (Living off the Land binaries/scripts)