Inside the Qilin Ransomware Investigation

Summary
– Security analysts often investigate incidents with limited visibility, such as when the Huntress agent is installed post-compromise or on only one endpoint.
– In a Qilin ransomware case, analysts started with managed antivirus alerts and Windows Event Logs to uncover threat actor activities, including rogue ScreenConnect and Total Software Deployment installations.
– The threat actor attempted to deploy malicious files via ScreenConnect, including an infostealer and scripts, but faced execution failures and script-blocking errors.
– Analysts used multiple data sources like PCA logs and AmCache.hve to track file hashes and failed execution attempts, despite the files being absent from the endpoint.
– Validating findings across data sources provided a clearer incident picture, emphasizing the importance of not relying on single indicators for accurate remediation.
For security analysts, piecing together the digital evidence left behind after a cyberattack is a core part of the job. This forensic process involves examining logs, antivirus alerts, and other traces to reconstruct the attacker’s path from initial entry to final actions. However, investigations are rarely straightforward, as limited visibility often complicates the picture. An organization might deploy security tools only after a breach has occurred, or coverage might be incomplete across all devices. In these challenging scenarios, investigators must creatively combine every available data source to uncover the truth.
A recent investigation into a Qilin ransomware attack perfectly illustrated this challenge. The Huntress security agent was installed on just a single endpoint after the encryption had already taken place. Analysts were not looking through a keyhole; they were peering through a pinhole. Despite this severe limitation, they managed to extract a significant amount of intelligence about the incident.
The investigation began with a single compromised endpoint and no access to broader EDR or SIEM telemetry. The team started with the most immediate clues: managed antivirus alerts that triggered once the agent was active. These alerts pointed analysts toward a specific set of Windows Event Logs.
Within these logs, a clear timeline emerged. On October 8, 2025, a threat actor gained access and installed two key tools: the Total Software Deployment Service and a rogue instance of the remote management tool ScreenConnect. This malicious ScreenConnect installation was linked to the IP address 94.156.232[.]40, which public threat intelligence platforms flagged as suspicious. Interestingly, a legitimate version of a similar remote access tool had been installed months earlier, suggesting the attacker may have been attempting to blend in.
The investigation then pivoted to activity conducted through this rogue ScreenConnect instance. On October 11, the actor transferred three files to the endpoint: `r.ps1`, `s.exe`, and `ss.exe`. Only the PowerShell script, `r.ps1`, remained on the machine. Its code revealed the attacker’s intent to harvest information about RDP connections, including IP addresses, domains, and usernames. However, a PowerShell log showed the script failed to run because script execution was disabled on the system.
The other two files, `s.exe` and `ss.exe`, were no longer present, requiring deeper forensic work. Analysts turned to alternative data sources like the AmCache.hve file and Program Compatibility Assistant logs. These logs revealed that the attacker had first disabled Windows Defender, then attempted to execute both files. Both attempts failed. The `s.exe` file, identified by its hash as an infostealer, triggered an “Installer failed” message. The `ss.exe` file also crashed immediately upon launch.
Following these failed executions, the threat actor re-enabled Windows Defender remotely. Almost instantly, the antivirus began detecting and logging failed attempts to create ransom notes. This sequence strongly suggests the ransomware payload itself was launched from a different machine on the network, targeting shared drives. The investigation confirmed the presence of a Qilin ransom note on the endpoint.
Qilin operates as a ransomware-as-a-service, meaning different affiliates use the same core malware but employ varied attack methods. While Huntress has observed other Qilin attacks starting with RDP logins, the specific tools and failed execution attempts in this case were unique to this affiliate.
This case underscores the immense value of correlating multiple data sources. Without the luxury of comprehensive EDR data, analysts relied on a patchwork of logs and artifacts. By validating findings across Windows Event Logs, PCA logs, and antivirus records, they avoided building a narrative around a single, potentially misleading clue. This methodical approach provided a validated, accurate picture of the attack, which is crucial for determining the incident’s scope and guiding effective remediation efforts.
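The reconstruction above (the PCA and AmCache pivot for `s.exe` and `ss.exe`, and the cross-source validation the closing paragraph argues for) can be expressed as a small correlation routine. The following Python is an added example for this write-up, not Huntress's tooling or anything from the case: every record, path, timestamp and hash placeholder is constructed, and the pipe-delimited PCA field layout it parses is an assumption to verify against a real `PcaGeneralDb` file before relying on it. It normalises evidence from several artifact families onto one timeline keyed by file path, then reports which paths are corroborated by more than one source and which rest on a single indicator.

```python
"""Cross-source execution-evidence correlator (added example, not case tooling).

All sample records are constructed; the PCA field layout is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set

TS = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class Finding:
    when: datetime
    source: str   # artifact family the evidence came from (pca, amcache, evtx, ...)
    path: str     # lower-cased file path, used as the join key across sources
    detail: str   # what that source says happened


def parse_pca_line(line: str) -> Finding:
    """Parse one pipe-delimited PCA record.

    Assumed layout (constructed for this example, verify against real data):
    timestamp|record_type|path|name|version|vendor|message
    """
    parts = line.rstrip("\n").split("|")
    if len(parts) < 7:
        raise ValueError(f"unexpected PCA line: {line!r}")
    return Finding(datetime.strptime(parts[0], TS), "pca",
                   parts[2].lower(), parts[6].strip())


def from_rows(source: str, rows: Iterable[dict], detail_key: str) -> List[Finding]:
    """Wrap rows already extracted by some other parser (AmCache, EVTX, AV) as Findings."""
    return [Finding(datetime.strptime(r["time"], TS), source,
                    r["path"].lower(), r[detail_key]) for r in rows]


def timeline(findings: Iterable[Finding]) -> List[Finding]:
    """Single chronological view across every artifact family."""
    return sorted(findings, key=lambda f: f.when)


def corroboration(findings: Iterable[Finding]) -> Dict[str, Set[str]]:
    """Map each path to the set of sources that independently mention it."""
    by_path: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        by_path[f.path].add(f.source)
    return dict(by_path)


def needs_validation(findings: Iterable[Finding]) -> List[str]:
    """Paths seen in exactly one source: do not build the narrative on these alone."""
    return sorted(p for p, s in corroboration(findings).items() if len(s) == 1)


# Constructed sample evidence. Paths, times and hashes are placeholders, not case data.
PCA_LINES = [
    "2025-10-11 14:02:17|2|C:\\Users\\Public\\s.exe|s|1.0|Unknown|Installer failed",
    "2025-10-11 14:03:05|2|C:\\Users\\Public\\ss.exe|ss|1.0|Unknown|Process crashed on launch",
]
AMCACHE_ROWS = [
    {"time": "2025-10-11 14:01:58", "path": "C:\\Users\\Public\\s.exe",
     "sha1": "PLACEHOLDER-SHA1-S"},
    {"time": "2025-10-11 14:02:49", "path": "C:\\Users\\Public\\ss.exe",
     "sha1": "PLACEHOLDER-SHA1-SS"},
]
EVTX_ROWS = [
    {"time": "2025-10-11 13:58:40", "path": "C:\\Users\\Public\\r.ps1",
     "msg": "PowerShell: running scripts is disabled on this system"},
]
DISK_ROWS = [
    {"time": "2025-10-11 13:57:55", "path": "C:\\Users\\Public\\r.ps1",
     "msg": "file still present on disk"},
]
AV_ROWS = [
    {"time": "2025-10-11 14:21:12", "path": "\\\\FILESRV\\share\\PLACEHOLDER-ransom-note.txt",
     "msg": "blocked ransom note creation"},
]


def all_findings() -> List[Finding]:
    return ([parse_pca_line(line) for line in PCA_LINES]
            + from_rows("amcache", AMCACHE_ROWS, "sha1")
            + from_rows("evtx", EVTX_ROWS, "msg")
            + from_rows("disk", DISK_ROWS, "msg")
            + from_rows("av", AV_ROWS, "msg"))


if __name__ == "__main__":
    for f in timeline(all_findings()):
        print(f"{f.when:%Y-%m-%d %H:%M:%S} {f.source:8} {f.path}  {f.detail}")
    print("corroborated:", {p: sorted(s) for p, s in corroboration(all_findings()).items() if len(s) > 1})
    print("single-source, validate before relying on:", needs_validation(all_findings()))
```

The join key is the normalised path rather than a hash because not every source carries a hash (PCA does not, AmCache does), and the output deliberately separates corroborated artifacts from single-source ones so that the remediation scope rests on the former.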
(Source: Bleeping Computer)
