Microsoft: North Korean Hackers Join Qilin Ransomware Gang
Summary:
Microsoft has reported on X (formerly Twitter) that the North Korean hacking group Moonstone Sleet has recently deployed Qilin ransomware in a limited number of attacks, marking a shift in their operational tactics. Previously tracked as Storm-1789, the group initially shared similarities with other North Korean threat actors like Diamond Sleet and Onyx Sleet but has since developed its own infrastructure, tactics, and custom tools. Historically, Moonstone Sleet has relied exclusively on proprietary ransomware, making this the first known instance of them utilizing a ransomware strain developed by a Ransomware-as-a-Service operator.
Moonstone Sleet primarily targets organizations for financial gain and cyberespionage, employing a range of sophisticated techniques. These include trojanized versions of legitimate software such as PuTTY, custom malware loaders, malicious game applications, and npm packages. Additionally, they use fake software development companies, including C.C. Waterfall and StarGlow Ventures, to engage with potential victims on LinkedIn, freelancing networks, Telegram, and email.
Qilin ransomware, the strain Moonstone Sleet is now deploying, has been active since August 2022 and has claimed over 310 victims. Initially slow-moving, the group gained momentum in late 2023, when affiliates began using an advanced Linux encryptor to target VMware ESXi virtual machines. Qilin’s ransom demands have ranged from $25,000 to millions of dollars, depending on the size and nature of the targeted organization. Among its victims are major enterprises, including the automotive manufacturer Yanfeng, U.S. newspaper publisher Lee Enterprises, Australia’s Court Services Victoria, and pathology services provider Synnovis. The attack on Synnovis in 2023 resulted in severe disruptions to NHS hospitals in London, leading to the cancellation of hundreds of surgeries and medical appointments.
Security Officer Comments:
Microsoft previously linked Moonstone Sleet to a variant of FakePenny ransomware, which they deployed in May 2024. In that case, the attackers demanded a ransom of $6.6 million in Bitcoin following a successful compromise. This incident underscores North Korea’s ongoing use of ransomware as a tool for financial gain, a pattern seen in previous state-backed campaigns. Notably, North Korean cyber actors have been connected to multiple high-profile ransomware operations, including the 2017 WannaCry outbreak, which crippled hundreds of thousands of systems worldwide, as well as the Holy Ghost and Maui ransomware campaigns in 2022, which specifically targeted healthcare organizations.
Moonstone Sleet’s latest adoption of Qilin ransomware indicates an evolution in their strategy, possibly signifying collaboration with or exploitation of third-party RaaS providers to enhance their attack capabilities.
Suggested Corrections:
Suggested Corrections for Moonstone Sleet and Qilin Ransomware:
- Enable Multi-Factor Authentication (MFA) – Require MFA for all critical accounts, especially those with remote access, to reduce the risk of credential-based attacks.
- Restrict Remote Desktop Protocol (RDP) Access – Disable RDP where unnecessary and enforce strict access controls with network-level authentication and strong passwords.
- Monitor for Trojanized Software – Be cautious of software downloaded from unofficial sources, particularly PuTTY, npm packages, and other tools Moonstone Sleet has used for malware delivery.
- Use Endpoint Detection and Response (EDR) – Deploy EDR solutions to detect and block ransomware payloads, custom malware loaders, and other malicious activity.
- Implement Network Segmentation – Restrict lateral movement by segmenting networks, ensuring that ransomware cannot easily spread across critical systems.
- Regularly Back Up Data – Maintain secure, offline backups and test recovery procedures to ensure business continuity in the event of a ransomware attack.
- Harden Cloud Security – Monitor cloud accounts and enforce security policies to detect unauthorized access attempts, especially for services targeted by Moonstone Sleet.
- Train Employees on Social Engineering Risks – Conduct regular security awareness training to help employees recognize phishing attempts, LinkedIn scams, and fraudulent freelancer job offers.
- Apply Security Patches Promptly – Keep software, operating systems, and third-party applications up to date to protect against vulnerabilities exploited in ransomware attacks.
- Block Known Indicators of Compromise (IOCs) – Utilize threat intelligence feeds to proactively block domains, IPs, and hashes associated with Moonstone Sleet’s infrastructure.
Link(s):
https://www.bleepingcomputer.com/ne...orean-hackers-now-deploying-qilin-ransomware/