- Qilin ransomware uses WSL to stealthily run Linux encryptors on Windows systems.
- Attackers bypass Windows defenses by running ELF binaries in WSL environments.
- EDR tools ignore WSL-based threats, leaving critical sectors vulnerable to Qilin extortion campaigns.
Ransomware hackers have been spotted running Linux encryptors in Windows in an attempt to avoid detection by security tools, experts have discovered.
Trend Micro researchers reported observing the Qilin ransomware operation using Windows Subsystem for Linux (WSL) functionality on compromised endpoints.
WSL is a Windows feature that allows administrators to run a full Linux environment directly on a Windows machine without the need for a virtual machine or dual-boot setup. It allows developers and system administrators to use Linux command line tools (like bash, grep, ssh, apt, etc.) natively alongside Windows applications.
Focus on Windows PE behavior
Trend Micro says the attackers use WSL so they can launch the ELF executable on a Windows device and bypass traditional Windows security software.
“In this case, the threat actors were able to run the Linux encryptor on Windows systems by leveraging the Windows Subsystem for Linux (WSL), a built-in feature that allows Linux binaries to run natively on Windows without requiring a virtual machine,” Trend Micro said.
“After gaining access, the attackers activated or installed WSL using scripts or command-line tools and then deployed the Linux ransomware payload into this environment. This gave them the ability to run a Linux-based encryptor directly on a Windows host while avoiding many defenses focused on traditional Windows malware detection.”
According to the publication, many Windows Endpoint Detection and Response (EDR) products focus on Windows PE behavior, ignoring suspicious activities occurring within WSL.
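A defender-side illustration of the detection gap described above, added here as an example and not part of the TechRadar or Trend Micro reporting: a small Python rule set run over constructed process-creation records. The `image|command line|parent` layout, the host paths and the `/mnt/c/Users/Public/enc` path are all made up for the example. The rules flag commands that enable WSL (the `dism.exe` feature name `Microsoft-Windows-Subsystem-Linux`, the `Enable-WindowsOptionalFeature` PowerShell cmdlet and `wsl --install`) as high severity, `wsl.exe` launching something from a user-writable Windows path or a Linux temp directory as high, and any other `wsl.exe` invocation as low, so ordinary interactive use does not drown out enablement on a host where WSL was never provisioned.

```python
"""Flag WSL enablement and WSL-hosted execution in process-creation telemetry.

Added example (not Trend Micro's or TechRadar's code). The records below are
constructed and use a simplified 'image|command_line|parent_image' layout
rather than a real Sysmon or EDR schema.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # full command line as logged
    parent_image: str   # full path of the parent process

# Commands that switch WSL on: dism.exe feature enablement, the PowerShell
# cmdlet, or the one-shot 'wsl --install' (all real, documented invocations).
WSL_ENABLE_PATTERNS = [
    re.compile(r"featurename:Microsoft-Windows-Subsystem-Linux", re.I),
    re.compile(r"Enable-WindowsOptionalFeature.*Microsoft-Windows-Subsystem-Linux", re.I),
    re.compile(r"\bwsl(\.exe)?\s+--install\b", re.I),
]

# Distro-side paths that map to writable Windows locations or Linux temp dirs;
# a binary run from here by wsl.exe deserves a closer look.
SUSPICIOUS_PATH = re.compile(
    r"(/mnt/[a-z]/(Users|ProgramData|Windows/Temp)/|/tmp/|/dev/shm/)", re.I)

# Constructed sample telemetry; hosts, paths and the 'enc' file name are invented.
SAMPLE_LOG = r"""
C:\Windows\System32\dism.exe|dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart|C:\Windows\System32\cmd.exe
C:\Windows\System32\wsl.exe|wsl.exe --install -d Ubuntu|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\wsl.exe|wsl.exe -e /mnt/c/Users/Public/enc|C:\Windows\System32\cmd.exe
C:\Windows\System32\notepad.exe|notepad.exe report.txt|C:\Windows\explorer.exe
C:\Windows\System32\wsl.exe|wsl.exe ls -la|C:\Windows\System32\cmd.exe
"""

def parse_events(log_text: str) -> List[ProcessEvent]:
    """Parse the simplified pipe-separated layout into ProcessEvent records."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        image, cmd, parent = line.split("|", 2)
        events.append(ProcessEvent(image, cmd, parent))
    return events

def classify(ev: ProcessEvent) -> Optional[Tuple[str, str]]:
    """Return (severity, rule_name), or None when the event needs no alert."""
    cmd = ev.command_line
    # Enablement is checked first: it is the precondition for everything else.
    if any(p.search(cmd) for p in WSL_ENABLE_PATTERNS):
        return ("high", "wsl_enablement")
    if ev.image.lower().endswith("\\wsl.exe"):
        if SUSPICIOUS_PATH.search(cmd):
            return ("high", "wsl_exec_from_staging_path")
        return ("low", "wsl_activity")
    return None

def detect(log_text: str) -> List[Tuple[str, str, str]]:
    """Run every record through classify(); return (severity, rule, command_line)."""
    alerts = []
    for ev in parse_events(log_text):
        hit = classify(ev)
        if hit:
            alerts.append((hit[0], hit[1], ev.command_line))
    return alerts

if __name__ == "__main__":
    for severity, rule, cmd in detect(SAMPLE_LOG):
        print(f"[{severity:4}] {rule:28} {cmd}")
```

On the sample records this yields two high-severity enablement alerts, one high-severity alert for `wsl.exe` executing from `/mnt/c/Users/Public/`, and a low-severity note for the plain `wsl.exe ls -la`; the `notepad.exe` record produces nothing. In a real deployment the same logic would be fed from Sysmon Event ID 1 or the EDR's process-creation stream, and the enablement rule is most useful when paired with an inventory of which hosts are expected to have WSL at all.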
Qilin is a ransomware-as-a-service (RaaS) operation first observed in 2022. It was first known as Agenda, and since its name change, it has become one of the most active extortion platforms.
Its largest and most high-profile victims tend to be critical, data-rich organizations: healthcare providers and laboratories (the 2024 Synnovis attack that disrupted NHS services is widely cited), local and regional government entities in the United States, utilities and manufacturers, and large private companies, including recent claims involving companies such as Asahi.
Via BleepingComputer