Ransomware crew Qilin steals data from Scientology Cult

Qilin Page showing Scientology data samples.

The ransomeware crew Qilin announced an IT break-in with data theft at Scientology. More precise information is still missing, but some screenshots of documents with personal and sensitive information are said to prove this.

The screenshots of some stolen documents presented on Qilin’s darknet leak site indicate that the cyber gang has infiltrated the IT systems in the United Kingdom of the Scientology organization, which is considered by many to be a cult. Approvals of costs for UK visas are found there, but also lists of members along with account balances and their level within the organization – which are not limited to England but include people from South America, for example.

The Qilin Crew have said “The full leak will be published soon, unless a company representative contacts us via the channels provided”

Qilin is one of the most active cyber gangs, responsible for many break-ins, including into renowned companies. It is behind the attack on the Japanese Asahi brewery, which led to beer supply shortages(https://www.heise.de/news/Asahi-Brauerei-Daten-von-fast-2-Millionen-Personen-abgeflossen-11096297.html?from-en=1).

Qilin usually targets three types of target, where payouts are big:

  • Manufacturing
  • Legal & Professional Services
  • Financial Services.

They also regularly target critical infrastructure and larger organizations with a big pocketbook, using an online website to estimate potential payouts in advance, to focus on high-value financial opportunities.

An FBI report identified over 1,700 ransomware attacks in 2024, with reported earnings totaling $91 million. However, the actual figures are likely much higher due to the opaque and underreported nature of the cyber extortion ecosystem. The U.S. Department of Health and Human Services (HHS) also reported Qilin-related losses across multiple victims, with damages ranging from $6 million to $40 million, primarily affecting healthcare and government agencies across the Americas.

General data

Common forms of Initial Access are gained through:

  • Spearphishing
  • Remote Monitoring & Management Software Exploitation
  • Lateral Movement & Exploitation
  • Multifactor Authentication (MFA) Bombing
  • SIM Swapping

Qilin is reported to have the following features:

  • Chrome Extension Stealer
  • Encryption Enhancements (Faster, more secure, and apparently almost impossible to decrypt)
    • AES-256-CTR – Advanced Encryption Standard (AES) with a 256-bit key and Counter (CTR) mode of operation. 
      • Optimal Asymmetric Encryption Padding (OAEP) to enhance security making it more resistant to certain attacks. 
      AES-NI (Advanced Encryption Standard New Instructions) capabilities for x86 architecture to accelerate the AES encryption and decryption processing. 
    • ChaCha20 for modern, fast, and secure streamed cipher communications.
  • Security Evasion
    • Clears Windows event logs and deletes itself to hinder forensics evidence and IR research and response.
  • Backup Corruption
    • Deletes Windows Volume Shadow Copy Service (VSS) to hinder recovery in forcing payouts.

Check Also

Mexican Duo sentenced to prison for distributing counterfeit Adderall pills

The Mexican duo have been sentenced to prison for distribution of methamphetamine and conspiracy to distribute methamphetamine in a counterfeit Adderall conspiracy investigated by the Homeland Security Task Force (HSTF) Washington, D.C., and HSTF Dallas.

Leave a Reply

Your email address will not be published. Required fields are marked *