- Qilin ransomware uses WSL to stealthily run Linux encryptors on Windows systems
- Attackers bypass Windows defenses by running ELF binaries inside WSL environments
- EDR tools miss WSL-based threats, leaving critical sectors vulnerable to Qilin extortion campaigns
Researchers have found ransomware operators running a Linux encryptor on Windows hosts in an attempt to avoid detection by security tools.
Trend Micro researchers reported observing the Qilin ransomware operation using the Windows Subsystem for Linux (WSL) feature on compromised endpoints.
WSL is a Windows feature that lets users run a complete Linux environment directly on a Windows machine without setting up a separate virtual machine or a dual-boot installation (WSL 2 does run a real Linux kernel in a lightweight, Windows-managed VM behind the scenes). It allows developers and system administrators to use Linux command line tools (such as bash, grep, ssh, apt, etc.) alongside Windows applications.
Focusing on Windows PE behavior
Trend Micro says the attackers used WSL to launch an ELF (Linux) executable on a Windows device and so bypass traditional Windows security software.
“In this case, threat actors were able to run the Linux encryptor on Windows systems by leveraging the Windows Subsystem for Linux (WSL), a built-in feature that allows Linux binaries to run natively on Windows without requiring a virtual machine,” Trend Micro said.
“After gaining access, the attackers enabled or installed WSL using scripts or command-line tools, then deployed the Linux ransomware payload within that environment. This gave them the ability to run a Linux-based encryptor directly on a Windows host while also bypassing many defenses that focus on detecting traditional Windows malware.”
According to the post, many Windows Endpoint Detection and Response (EDR) products focus on the behavior of Windows PE (Portable Executable) files and miss suspicious activity occurring inside WSL.
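A detection-side view of the chain described above, as an added example that is not part of the original article and not Trend Micro's or Qilin's code. It scores constructed process-creation events (fields modelled on Sysmon Event ID 1: Image, ParentImage, CommandLine) against the two Windows-side steps an EDR can actually observe, WSL being enabled or installed from a shell and wsl.exe being used to run something under /mnt/, and it checks staged files for an ELF header, since a Linux binary sitting on an NTFS volume is itself a strong signal. The rule names, field names and sample commands are assumptions for the demo; map them to your own telemetry schema.

```python
"""
Heuristics for the WSL abuse chain: an ELF encryptor staged on a Windows
host, WSL enabled or installed from the command line, and wsl.exe used
to execute the payload. Added example; not Trend Micro detection logic.
Event records and file contents below are constructed for the demo.
"""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

# Windows-side binaries that launch or manage WSL sessions.
WSL_HOSTS = {"wsl.exe", "wslhost.exe", "bash.exe", "wslconfig.exe"}
WSL_CMD = re.compile(r"\bwsl(\.exe)?\b", re.I)

# Ways WSL gets enabled, or a distribution installed, from a shell.
ENABLE_PATTERNS = [
    # PowerShell: Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
    re.compile(r"enable-windowsoptionalfeature.*microsoft-windows-subsystem-linux", re.I),
    # DISM: dism /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux
    re.compile(r"\bdism(\.exe)?\b.*/enable-feature.*microsoft-windows-subsystem-linux", re.I),
    # wsl --install pulls in a distro; wsl --import side-loads a distro tarball
    re.compile(r"\bwsl(\.exe)?\s+--(install|import)\b", re.I),
]

# wsl -e / --exec (optionally after -d <distro>) runs one command without an
# interactive shell; a path under /mnt/<drive>/ points back into NTFS, which
# is where a payload dropped on the Windows side would live.
EXEC_PATTERN = re.compile(r"\bwsl(\.exe)?\s+(-d\s+\S+\s+)?(-e|--exec)\b", re.I)
MNT_PATTERN = re.compile(r"/mnt/[a-z]/", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of every rule a process-creation event matches."""
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    involves_wsl = image in WSL_HOSTS or WSL_CMD.search(cmd) is not None
    hits: list[str] = []
    if any(p.search(cmd) for p in ENABLE_PATTERNS):
        hits.append("wsl_enable_or_install")
    if involves_wsl and EXEC_PATTERN.search(cmd):
        hits.append("wsl_noninteractive_exec")
    if involves_wsl and MNT_PATTERN.search(cmd):
        hits.append("wsl_runs_path_from_windows_fs")
    return hits


ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}


def describe_elf(data: bytes) -> dict | None:
    """Parse e_ident, e_type and e_machine of a file found on the Windows
    filesystem; None if the file is not an ELF image at all."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: "ELF32", 2: "ELF64"}.get(data[4], "unknown")
    little = data[5] == 1
    e_type, e_machine = struct.unpack_from("<HH" if little else ">HH", data, 16)
    return {"class": bits, "endian": "little" if little else "big",
            "type": ELF_TYPES.get(e_type, hex(e_type)),
            "machine": ELF_MACHINES.get(e_machine, hex(e_machine))}


@dataclass
class Finding:
    rule: str
    detail: str


def triage(events: list[dict], files: dict[str, bytes]) -> list[Finding]:
    """Run both checks and collect everything worth an analyst's attention."""
    findings = [Finding(rule, ev.get("CommandLine", ""))
                for ev in events for rule in classify(ev)]
    for path, data in files.items():
        info = describe_elf(data)
        if info is not None:
            findings.append(Finding("elf_staged_on_ntfs",
                                    f"{path} ({info['class']} {info['type']} {info['machine']})"))
    return findings


# Constructed sample telemetry: three attacker steps and two benign events.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dism.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart"},
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wsl.exe --install -d Ubuntu"},
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wsl.exe -d Ubuntu -e /mnt/c/Users/Public/payload"},
    {"Image": r"C:\Program Files\Git\bin\git.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "git.exe pull"},
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wsl.exe -d Ubuntu"},  # interactive developer shell, not flagged
]
SAMPLE_FILES = {
    # constructed 20-byte ELF header: 64-bit, little-endian, ET_DYN, x86-64
    r"C:\Users\Public\payload": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x03\x00\x3e\x00",
    # PE/COFF stub, the only kind of file a PE-centric scanner looks at closely
    r"C:\Users\Public\update.exe": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_FILES):
        print(f"[{f.rule}] {f.detail}")
```

Under WSL 2 the encryptor runs as a Linux process inside the utility VM, so it is never a Windows process that an EDR can hook; wsl.exe and its helpers on the Windows side, and the payload sitting in an NTFS path, are what Windows telemetry can actually see. The rules will also fire on legitimate developer use (wsl --install, scripts run from /mnt/c), so scope them to hosts where WSL is not expected, pair them with the ELF check, and consider leaving the Microsoft-Windows-Subsystem-Linux feature disabled where it is not needed.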
Qilin is a ransomware-as-a-service (RaaS) operation first observed in 2022. It was initially known as Agenda and, since its name change, has become one of the most active extortion platforms.
Its largest and most high-profile victims tend to be critical, data-rich organizations: healthcare providers and laboratories (the 2024 Synnovis attack that disrupted NHS services is widely cited), local and regional government entities in the US, utilities and manufacturers, and large private companies, including the recent attack on Asahi.
Via BleepingComputer