Hey! I heard about something really fascinating (and a little terrifying). The Qilin Ransomware gang has figured out another method for attacking Windows Machines – by exploiting a Windows capability called WSL (Windows Subsystem for Linux) to execute Linux ransomware from within Windows. Yes, I said that right and it sounds every bit as underhanded as it seems!
So, What's Actually Going On Here?
Qilin is a group of hackers that emerged in 2022 using the name Agenda. Now they are getting clever: instead of attacking Windows directly, they run Linux ransomware from inside WSL.
Why is that important? Most Windows antivirus software only looks for Windows malware. So, an attack could go unnoticed for some time.
They are basically using a legitimate Windows feature against Windows. Crazy, right?
How the Attack Works
Let's break this down in simple terms. Here is how the hackers do it:
1. They first get onto a Windows system, often using stolen passwords or remote-access tools.
2. If the user does not have WSL enabled, they enable WSL.
3. The hackers use tools like WinSCP or Splashtop to drop a Linux encryptor file (a small program that encrypts files) into the system.
4. They then run the file inside WSL using commands like wsl.exe -e.
5. Since this code runs inside of WSL, most antivirus does not catch it.
6. Sometimes they also disable security tools by loading older, still-signed Windows drivers with known flaws, a technique referred to as 'BYOVD' (Bring Your Own Vulnerable Driver).
Weird huh? The stuff they come up with is super scary smart!
Why It Is a Serious Concern
The bottom line:
- Most folks are unaware WSL is installed, or don't think of it as a potential risk.
- Security software may not inspect WSL properly or at all.
A small business or even a developer could be in danger if WSL is enabled without protection.
How You Can Keep Safe
Do not panic, but feel free to take these steps to protect yourself:
- Determine if WSL is running - if you do not use it, disable it.
- Be suspicious of strange activity from tools like WinSCP or Splashtop.
- Update your security software so it recognizes Linux files running inside Windows.
- Avoid installing tools or drivers from unknown sources.
- Store your backups on a separate system so you can always restore from them, even if the files on your machine are locked.
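To make the attack steps above and the "watch for WSL and the staging tools" advice concrete, here is an added Python example (written for this post; it is not Qilin tooling and not code from any security vendor). It turns the steps into simple hunting rules over process-creation records and adds a check for Linux ELF files left on a Windows disk. The log records are constructed in a simplified tab-separated form, the file paths and payload name are invented, and matching WinSCP or Splashtop by a substring of the parent process name is an assumption, not a documented indicator.

```python
"""Hunting helpers for the WSL-based ransomware steps described above.

Added example for this post; not Qilin tooling and not any vendor's product.
Records are CONSTRUCTED here as 'Image<TAB>ParentImage<TAB>CommandLine';
a real Sysmon Event ID 1 or Security 4688 feed needs its own parser.
"""
from __future__ import annotations

import ntpath
import os
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"  # first four bytes of every Linux ELF executable

# Staging tools named in the post (step 3). Substring matching on the
# process name is an assumption made here, not a documented indicator.
STAGING_TOOLS = ("winscp", "splashtop")
SPAWN_OF_INTEREST = {"wsl.exe", "cmd.exe", "powershell.exe"}


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str

    @property
    def image_name(self) -> str:
        return ntpath.basename(self.image).lower()

    @property
    def parent_name(self) -> str:
        return ntpath.basename(self.parent_image).lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Image<TAB>ParentImage<TAB>CommandLine' record."""
    image, parent, cmd = line.rstrip("\n").split("\t", 2)
    return ProcEvent(image, parent, cmd)


def classify(ev: ProcEvent) -> list[str]:
    """Return the hunting rules this event matches.

    A hit is a lead, not a verdict: developers run 'wsl.exe -e' legitimately,
    so pair a hit with an odd parent process or a host that never used WSL.
    """
    hits: list[str] = []
    cmd = ev.command_line.lower()
    argv = cmd.split()

    # Step 4: a Linux program launched through wsl.exe -e / --exec.
    if ev.image_name == "wsl.exe" and ({"-e", "--exec"} & set(argv)):
        hits.append("wsl_exec")

    # Step 2: WSL being switched on via wsl --install, DISM, or PowerShell.
    if (
        (ev.image_name == "wsl.exe" and "--install" in argv)
        or (ev.image_name == "dism.exe" and "microsoft-windows-subsystem-linux" in cmd)
        or ("enable-windowsoptionalfeature" in cmd and "subsystem-linux" in cmd)
    ):
        hits.append("wsl_enable")

    # Step 3: a file-transfer / remote-access tool spawning a shell or WSL.
    if any(t in ev.parent_name for t in STAGING_TOOLS) and ev.image_name in SPAWN_OF_INTEREST:
        hits.append("staging_tool_spawn")

    return hits


def is_elf(head: bytes) -> bool:
    """True if the bytes start with the ELF magic (a Linux binary, not a PE)."""
    return head[:4] == ELF_MAGIC


def find_elf_files(root: str) -> list[str]:
    """List files under root that start with the ELF magic.

    Windows AV concentrates on PE files, so a Linux executable sitting on an
    NTFS volume (what step 3 leaves behind) is worth surfacing on its own.
    """
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if is_elf(fh.read(4)):
                        found.append(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
    return found


# Constructed sample records: the paths and the payload name are invented.
SAMPLE_LOG = [
    "C:\\Windows\\System32\\dism.exe\tC:\\Windows\\System32\\cmd.exe\t"
    "dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart",
    "C:\\Windows\\System32\\wsl.exe\tC:\\Program Files (x86)\\WinSCP\\WinSCP.exe\t"
    "wsl.exe -e /mnt/c/Users/Public/payload.elf",
    "C:\\Windows\\System32\\wsl.exe\tC:\\Windows\\System32\\cmd.exe\twsl.exe --list --verbose",
    "C:\\Program Files\\Git\\bin\\git.exe\tC:\\Users\\dev\\AppData\\Local\\Programs\\Code.exe\tgit status",
]


def hunt(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (record index, matched rules) for every record that matches a rule."""
    results = []
    for i, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_LOG):
        print(f"record {idx}: {', '.join(rules)}")
```

Run against the constructed records, the DISM line is reported as WSL being enabled and the WinSCP-parented wsl.exe -e line fires both the execution rule and the staging-tool rule, while the ordinary wsl.exe --list and git records stay quiet. The same three rules translate directly into a SIEM query once you swap the toy parser for your real process-creation source, and find_elf_files gives you a quick sweep of user-writable folders for the Linux payload itself.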