Qilin ransomware top dogs treat their minions to on-call lawyers for fierier negotiations – Source: go.theregister.com

Source: go.theregister.com – Author: Connor Jones

The latest marketing ploy from the ransomware crooks behind the Qilin operation involves offering affiliates access to a crack team of lawyers to ramp up pressure in ransom negotiations.

Researchers at Cybereason noticed a recent post to an underground cybercrime forum penned by one of its mods, claiming to have added a “Call lawyer” button to its affiliate panel.

With a single click, the feature ostensibly summons a legal expert into ransom negotiation chat windows to offer professional advice on matters such as:

  • A legal assessment of the data stolen by the ransomware affiliate
  • What exact laws and regulations the victim has violated by allowing the theft of said data
  • An evaluation of the potential costs associated with cleaning up the mess, should the victim choose not to pay a ransom

The lawyers can also supposedly step in and orchestrate the negotiations directly themselves, and advise the victim how exactly Qilin can inflict “maximum damage” if a ransom is not paid.

In the same forum post from the Qilin mouthpiece, the group claimed to also have an in-house team of journalists who can work together with the legal department to craft blog posts to apply further pressure on victims.

Now, if you’re reading along and thinking to yourself, “surely not,” you would probably be right.

Not only are ransomware gangs like Qilin, an organization that is perfectly happy to attack hospital networks, cancer centers, and women’s clinics, known to be serial liars, but experts have also cast their doubts over the viability of the service.

Cybercrime researcher at Tripwire, Graham Cluley, dismissed this as little more than a marketing stunt.

“Make no mistake… their goal is just to attract more affiliates, increase the success rate of ransomware attacks, and try to convince victims that they are dealing with sophisticated criminals,” he blogged.

Among the other new tools Qilin claims to have added to its affiliate panel are 1 petabyte of storage (a portion for affiliates’ personal use and another for victim data), email and phone-spamming capabilities, network propagation, and an option to launch DDoS attacks, which was added in April, according to Cybereason.

A growing threat

Cybereason said Qilin is becoming one of the most dominant ransomware-as-a-service (RaaS) groups around. 

Former rivals such as LockBit, ALPHV, Everest, and RansomHub, the previous crown-holder which rumors suggest was absorbed by DragonForce, have all fallen for various reasons, most commonly due to law enforcement disruption efforts.

The group has been around since 2022 and has slowly built a reputation based on high-profile attacks, including those on critical infrastructure organizations.

Scattered Spider, the loosely organized group suspected to be composed mainly of Western youngsters, is a known affiliate of Qilin.

The hugely damaging attacks it has been responsible for have earned Scattered Spider a place in the hall of cybercrime infamy, and its reliance on Qilin’s tooling speaks to how well regarded the RaaS group is among its peers.

Qilin’s new additions to its affiliate panel can be seen as an attempt to position itself as more of a full-service cybercrime platform, not just a typical ransomware outfit, Cybereason said. ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/06/20/qilin_ransomware_top_dogs_treat/
