Qilin Leads in Exploiting Unpatched Fortinet Vulnerabilities

The Qilin group has surged to prominence by aggressively exploiting critical vulnerabilities in Fortinet devices, underscoring a broader trend of sophisticated cyber extortion tactics targeting data-dependent sectors.

Global ransomware victims dropped to 463, a 15% decline from May’s 545, yet the intensity of attacks remained high, with Qilin claiming 81 victims through opportunistic intrusions leveraging unpatched FortiGate and FortiProxy systems.

Specifically, Qilin weaponized CVE-2024-21762 and CVE-2024-55591 for authentication bypass and remote code execution, enabling partially automated payload deployment.

This Ransomware-as-a-Service (RaaS) operation, which has claimed more than 310 victims since it emerged, has integrated zero-day exploits into its arsenal, focusing on perimeter devices to compromise enterprises in Spanish-speaking regions and beyond.

The group’s evolution includes psychological coercion via a “Call Lawyer” feature in its affiliate panel, simulating legal threats to accelerate ransom payments, alongside advanced capabilities like Rust and C-based payloads, Safe Mode execution, and network propagation.

Fog and Anubis Introduce Stealthy and Destructive Tactics

New entrants like Fog and Anubis are reshaping ransomware methodologies with modular toolkits and heightened destructiveness.

Fog employs a stealth-oriented approach, utilizing legitimate tools such as Syteca for keystroke logging and surveillance, delivered via Stowaway proxies, while leveraging Impacket’s SMBExec for lateral movement and GC2 for command-and-control through Google Sheets or SharePoint.

Data exfiltration relies on 7-Zip, MegaSync, and FreeFileSync, and the group evades endpoint detection and response (EDR) systems by blending these open-source utilities with exploits for Veeam and SonicWall vulnerabilities.

Meanwhile, Anubis, a RaaS variant active since December 2024, has added a file-wiping module activated by the /WIPEMODE parameter, which erases data contents while preserving file structures, rendering recovery impossible and amplifying extortion pressure.

According to the Cyfirma report, this ECIES-encrypted malware terminates processes, deletes Volume Shadow Copies, and excludes system directories to maintain host usability, signaling a shift toward irreversible damage to force swift concessions.
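As an added example that is not part of the article or the Cyfirma report, the following Python detector flags the shadow-copy deletion behaviour described above in process-creation events and groups hits by the parent process that spawned them; the pipe-delimited log format and the sample events are constructed assumptions, not real telemetry.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not from the report), one per line:
# timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = """\
2025-06-14T02:11:05Z|WS-17|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2025-06-14T02:13:40Z|WS-17|C:\\Users\\a\\Downloads\\update.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2025-06-14T02:13:41Z|WS-17|C:\\Users\\a\\Downloads\\update.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2025-06-14T02:13:42Z|WS-17|C:\\Users\\a\\Downloads\\update.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2025-06-14T09:00:00Z|SRV-02|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
"""

# Command-line shapes that remove Volume Shadow Copies (matched case-insensitively).
# Listing or creating shadows is benign and deliberately not matched.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
]

def parse_event(line):
    # maxsplit=4 keeps any '|' inside the command line (e.g. PowerShell pipes) intact
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmd": cmd}

def is_shadow_deletion(event):
    return any(p.search(event["cmd"]) for p in SHADOW_DELETE_PATTERNS)

def find_shadow_deletions(log_text):
    """Return one alert dict per event whose command line deletes shadow copies."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_shadow_deletion(ev):
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "parent": ev["parent"], "cmd": ev["cmd"]})
    return alerts

def count_by_parent(alerts):
    """Count deletion attempts per (host, parent image); several methods from one
    unsigned parent in quick succession is the ransomware pattern worth escalating."""
    return Counter((a["host"], a["parent"]) for a in alerts)

if __name__ == "__main__":
    hits = find_shadow_deletions(SAMPLE_EVENTS)
    for (host, parent), n in count_by_parent(hits).items():
        print(f"{host}: {n} shadow-copy deletion attempt(s) spawned by {parent}")
```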

Emerging groups such as Warlock, built on the Chaos framework with randomized extensions and Bitcoin demands, and kawa4096 (KaWaLocker) with rapid multi-file encryption, further diversify the threat ecosystem, claiming 19 and 9 victims respectively, often via RDP brute-force or phishing vectors.

Global Distribution

Ransomware actors prioritized sectors with minimal downtime tolerance, including Professional Goods & Services (60 victims), Healthcare (52), and Information Technology (50), exploiting sensitive data and supply chain complexities for maximum leverage.

The United States bore the brunt with 235 incidents, followed by Canada and the UK at 24 each, driven by economic affluence and ransom payout potential.

Notable breaches included Qilin’s attack on Lee Enterprises, exfiltrating 350 GB of PII like Social Security numbers and financial records, and Interlock’s 941 GB theft from Kettering Health, disrupting electronic health records via custom RATs like NodeSnake.

Former Black Basta affiliates pivoted to Microsoft Teams phishing and Python-based RATs for credential theft and C2 via cloud platforms.

To counter these threats, organizations should adopt proactive measures: implement rigorous patch management for vulnerabilities like those in Fortinet and SimpleHelp RMM (CVE-2024-57726 et al.), enforce network segmentation to curb lateral movement, and enable multi-factor authentication (MFA) on privileged accounts.

Strategic investments in employee training, incident response planning, and cyber insurance, combined with regular security audits, are essential to mitigate the average $200,000 recovery costs and prevent operational halts affecting 31% of victims, ensuring resilience against this maturing ransomware ecosystem.
