
Qilin Ransomware Exploits WSL to Deploy Linux Encryptors

▼ Summary

– Qilin ransomware uses Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools.
– The operation first appeared as “Agenda” in August 2022, rebranded to Qilin a month later, and has attacked over 700 victims across 62 countries in 2025.
– Qilin affiliates use legitimate remote-access tools such as AnyDesk to move around networks, archive and transfer stolen data with utilities such as WinRAR, and even open documents in Windows Paint and Notepad to check them for sensitive content before exfiltration.
– Attackers perform Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software and use tools like “dark-kill” to remove traces.
– The Linux encryptor targets VMware ESXi systems and is transferred via WinSCP, then executed through WSL to bypass Windows-focused EDR detection.

The Qilin ransomware group has adopted a new tactic, leveraging the Windows Subsystem for Linux (WSL) to run Linux-based file encryptors directly on Windows machines. Because the encryptor is never loaded as a Windows executable, it produces little of the Windows process activity that conventional security tools are built to monitor. By operating inside the WSL environment, the ransomware can carry out its encryption routine while generating far fewer of the signals that endpoint detection and response (EDR) systems are tuned to flag.

Initially appearing on the cybercrime scene as “Agenda” in August 2022, the operation rebranded to Qilin just one month later. It has since grown into one of the most prolific ransomware threats globally. According to recent analyses from Trend Micro and Cisco Talos, the group has targeted more than 700 organizations across 62 countries in 2025 alone, and its activity has intensified, with the gang reportedly listing over 40 new victims each month during the latter half of the year.

To infiltrate corporate networks, Qilin’s affiliates combine legitimate software with remote administration tools. Programs such as AnyDesk, ScreenConnect, and Splashtop give them remote access, while Cyberduck and WinRAR are used to package and transfer stolen data. Notably, the attackers also open files in common Windows applications, including Microsoft Paint and Notepad, to manually review documents for sensitive information before stealing them.

A key part of their attack strategy is Bring Your Own Vulnerable Driver (BYOVD): abusing drivers that carry a valid signature but contain exploitable flaws, so that driver signature enforcement alone does not stop them. The group loads such drivers, eskle.sys among them, to terminate antivirus and EDR processes. They further use DLL sideloading to install additional kernel drivers, such as rwdrv.sys and hlpdrv.sys, which give them kernel-level privileges. Cisco Talos researchers noted the use of tools named “dark-kill” and “HRSword” to systematically disable security software and erase traces of the malicious activity.

In December 2023, reports surfaced of a new Qilin encryptor built for Linux systems, with a pronounced focus on encrypting VMware ESXi virtual machines and servers. This encryptor includes command-line options for enabling debug mode, performing test runs without actually encrypting anything, and customizing how virtual machines and their snapshots are encrypted.

Trend Micro researchers have now observed the attackers using WinSCP to transfer the Linux ELF encryptor to compromised devices. The encryptor is then launched through the Splashtop remote management software directly from within Windows. Although the encryptor was initially thought to be cross-platform, it is in fact a Linux ELF executable: Windows cannot load it natively, so it needs a Linux runtime environment to execute at all.

This is where WSL becomes the critical component of the attack. After gaining access to a device, the threat actors enable or install the Windows Subsystem for Linux and use it to execute the Linux ransomware payload. Because the encryptor’s code never loads as a Windows portable executable (PE), defenses keyed to PE image loads and PE behavior have nothing to match; what the Windows side sees is the WSL host process touching files, not a distinct malicious binary. Two practical consequences follow for defenders: WSL being enabled on a server that has no business running it is itself a strong signal, and so is wsl.exe being spawned by a remote-management tool or pointed at a binary sitting on a Windows volume.
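The following is an added hunting example, not code from the Trend Micro or Cisco Talos reports, that turns the tradecraft described in the BYOVD and WSL paragraphs above into rules run over constructed Sysmon-style process-creation (Event ID 1) and driver-load (Event ID 6) events. The driver file names come from this page; the remote-admin tool path fragments, the Splashtop binary name in the sample, and the /mnt/c path of the launched payload are assumptions made for the example.

```python
"""Hunt for Qilin-style WSL and BYOVD activity in Sysmon-like JSON events.

Added example for this page, not tooling from the cited reports.
All sample events below are constructed, not captured from a real incident.
"""
import json
import re

# Driver names taken from the report above. A real hunt should also key on
# file hashes, because an attacker can rename a driver at will.
QILIN_DRIVERS = {"eskle.sys", "rwdrv.sys", "hlpdrv.sys"}

# Path fragments expected in the image path of the remote-admin tools the
# report names (assumed; actual binary names vary by vendor and version).
REMOTE_ADMIN = ("splashtop", "screenconnect", "anydesk")

# Processes that hand control to a Linux environment on Windows.
WSL_LAUNCHERS = {"wsl.exe", "bash.exe"}

# Three documented ways to turn WSL on after the fact:
# DISM, the PowerShell cmdlet, or `wsl --install`.
WSL_ENABLE = re.compile(
    r"(enable-feature.*Microsoft-Windows-Subsystem-Linux"
    r"|Enable-WindowsOptionalFeature.*Microsoft-Windows-Subsystem-Linux"
    r"|\bwsl(\.exe)?\s+--install\b)",
    re.IGNORECASE,
)
# A wsl.exe command line that reaches into a Windows volume via /mnt/<drive>/,
# which is how a payload dropped on the Windows side would be launched.
WSL_MNT_PATH = re.compile(r"/mnt/[a-z]/\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(event_lines):
    """Return a list of findings, one dict per rule hit, in event order."""
    findings = []
    for n, line in enumerate(event_lines):
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 6:  # Sysmon DriverLoad
            drv = basename(ev.get("ImageLoaded", ""))
            if drv in QILIN_DRIVERS:
                findings.append({"rule": "byovd_driver_load", "line": n, "detail": drv})
            continue
        if eid != 1:  # only ProcessCreate beyond this point
            continue
        image = basename(ev.get("Image", ""))
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "")
        if WSL_ENABLE.search(cmd):
            findings.append({"rule": "wsl_feature_enabled", "line": n, "detail": cmd})
        if image in WSL_LAUNCHERS:
            if any(tool in parent for tool in REMOTE_ADMIN):
                findings.append({"rule": "wsl_spawned_by_remote_admin_tool", "line": n, "detail": parent})
            m = WSL_MNT_PATH.search(cmd)
            if m:
                findings.append({"rule": "wsl_runs_binary_from_windows_volume", "line": n, "detail": m.group(0)})
    return findings


# Constructed events: WSL enabled from a Splashtop session, a vulnerable driver
# load, the payload launched through wsl.exe, and two benign events for contrast.
SPLASHTOP = r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe"  # assumed path
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\dism.exe", "ParentImage": SPLASHTOP,
                "CommandLine": "dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart"}),
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\Users\Public\eskle.sys", "Signed": "true"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\wsl.exe", "ParentImage": SPLASHTOP,
                "CommandLine": "wsl.exe -e /mnt/c/Users/Public/enc"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "wsl.exe ~"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"}),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']:40s} event {f['line']}: {f['detail']}")
```

The rules are deliberately narrow: an interactive `wsl.exe ~` from Explorer does not fire, while WSL enablement, a wsl.exe child of a remote-admin tool, and a launch path under /mnt/<drive>/ each do. Weak spots to be aware of when adapting this: the driver rule is by file name only and should be paired with known-bad hashes, and an attacker who copies the ELF into the distribution’s own filesystem instead of running it from /mnt/ sidesteps the path rule, which is why the feature-enablement and parent-process signals matter more than the payload path.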

This technique underscores a significant evolution in ransomware tactics. Operators are increasingly adapting to mixed IT environments, using built-in system features against their targets to maximize their impact and avoid detection. As many corporate networks utilize both Windows and Linux systems, this approach allows ransomware groups to cast a wider net while complicating defensive efforts.

(Source: Bleeping Computer)
