- Qilin ransomware uses WSL to run its Linux encryptor stealthily on Windows systems
- Attackers bypass Windows defenses by executing ELF binaries in WSL environments
- EDR tools miss WSL-based threats, leaving critical sectors vulnerable to Qilin’s extortion campaigns
Ransomware operators have been seen running a Linux encryptor inside Windows in an attempt to avoid detection by security tools, experts have found.
Researchers at Trend Micro reported observing the Qilin ransomware operation using the Windows Subsystem for Linux (WSL) feature on compromised endpoints.
WSL is a feature of Windows that allows administrators to run a complete Linux environment directly on a Windows machine without the need for a virtual machine or dual-boot setup. It lets developers and system administrators use Linux command-line tools (like bash, grep, ssh, apt, etc.) natively alongside Windows applications.
Focus on Windows PE behavior
Trend Micro says the attackers use WSL to launch an ELF executable on a Windows device and to bypass traditional Windows security software.
“In this case, the threat actors were able to run the Linux encryption on Windows systems by taking advantage of the Windows Subsystem for Linux (WSL), a built-in feature that allows Linux binaries to run natively on Windows without requiring a virtual machine,” Trend Micro said.
“After gaining access, the attackers enabled or installed WSL using scripts or command-line tools, and then deployed the Linux ransomware payload in that environment. This allowed them to perform a Linux-based encryption directly on a Windows host while avoiding many defenses that are focused on detecting traditional Windows malware.”
According to the publication, many Windows Endpoint Detection and Response (EDR) products focus on Windows PE behavior and miss suspicious activity in WSL.
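As an added illustration (not code from Trend Micro, the article or the Qilin operation), the following Python heuristic flags the behaviour described above in Sysmon-style process-creation events: WSL being enabled or installed from the command line, wsl.exe being used to execute a file that lives on the Windows filesystem, and wsl.exe being spawned by a parent process associated with remote or automated execution rather than an interactive session. The field names, sample events, file paths and the parent-process list are constructed assumptions for the example, not indicators from the incident.

```python
"""Heuristic detection of WSL abuse in process-creation telemetry.

Constructed example: flags the steps the write-up describes (enabling or
installing WSL from a script or command line, then executing a Linux
payload inside it) using regular expressions over Sysmon-style process
creation events. Field names and sample events are made up for this example.
"""
import re

# Rule 1: WSL being enabled or installed from the command line, via DISM,
# Enable-WindowsOptionalFeature, or "wsl --install".
WSL_ENABLE_RE = re.compile(
    r"Microsoft-Windows-Subsystem-Linux"
    r"|\bwsl(?:\.exe)?\s+(?:\S+\s+)*--install\b",
    re.IGNORECASE,
)

# Rule 2: wsl.exe executing a file from the Windows filesystem (/mnt/<drive>/...)
# via -e/--exec, or a shell one-liner that marks such a file executable first.
WSL_PAYLOAD_RE = re.compile(
    r"\bwsl(?:\.exe)?\b.*?"
    r"(?:(?:-e|--exec)\s+/mnt/[a-z]/\S+|chmod\s+\+x\s+/mnt/[a-z]/\S+)",
    re.IGNORECASE | re.DOTALL,
)

# Rule 3: wsl.exe started by a parent tied to remote/automated execution
# instead of an interactive user shell (assumption: tune per environment).
SUSPICIOUS_PARENTS = {"services.exe", "wmiprvse.exe", "psexesvc.exe", "wsmprovhost.exe"}

# Constructed sample events; "locker" is a placeholder file name, not a real IoC.
SAMPLE_EVENTS = [
    {"ts": "2025-11-01T10:02:11Z", "host": "ws-042",
     "image": r"C:\Windows\System32\dism.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart"},
    {"ts": "2025-11-01T10:04:30Z", "host": "ws-042",
     "image": r"C:\Windows\System32\wsl.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "wsl.exe --install -d Ubuntu --no-launch"},
    {"ts": "2025-11-01T10:09:02Z", "host": "ws-042",
     "image": r"C:\Windows\System32\wsl.exe", "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "cmdline": "wsl.exe -e /mnt/c/Users/Public/locker"},
    {"ts": "2025-11-01T11:15:44Z", "host": "dev-007",
     "image": r"C:\Windows\System32\wsl.exe",
     "parent": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
     "cmdline": "wsl.exe -d Ubuntu"},
    {"ts": "2025-11-01T11:16:01Z", "host": "dev-007",
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_wsl_enable(cmdline):
    return bool(WSL_ENABLE_RE.search(cmdline))


def is_wsl_payload_exec(cmdline):
    return bool(WSL_PAYLOAD_RE.search(cmdline))


def analyze(events):
    """Return one finding per rule hit, in event order."""
    findings = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        base = {"ts": ev["ts"], "host": ev["host"], "cmdline": cmd}
        if is_wsl_enable(cmd):
            findings.append({**base, "rule": "wsl_enabled_from_cli"})
        if image == "wsl.exe":
            if is_wsl_payload_exec(cmd):
                findings.append({**base, "rule": "wsl_exec_windows_path"})
            if parent in SUSPICIOUS_PARENTS:
                findings.append({**base, "rule": "wsl_unusual_parent", "parent": parent})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['rule']}: {f['cmdline']}")
```

The interactive `wsl.exe -d Ubuntu` launch from a terminal produces no finding, while the DISM enablement, the scripted `wsl --install`, and the execution of a file under `/mnt/c` from a WinRM host process each do; in practice the parent list and the `/mnt/` path patterns should be tuned to the environment, and the rules are best combined with file-system telemetry from inside the distribution rather than used alone.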
Qilin is a ransomware-as-a-service (RaaS) operation that was first observed in 2022. It was first known as Agenda, and since the rebranding, it has grown into one of the most active extortion platforms.
Its biggest and most high-profile victims have tended to be data-rich and critical organizations: healthcare providers and laboratories (the 2024 Synnovis attack that disrupted NHS services is widely cited), US local and regional government units, utilities and manufacturing, and large private companies, including recent claims against firms such as Asahi.
Via Bleeping Computer