Threat Intelligence Tarot
Vol. II · 136
Criminal (Russian-speaking RaaS)
risk 5/5
The Beast of Edicts
Qilin
Agenda · Water Galura
Healthcare · Pathology and laboratory services · Critical infrastructure · Manufacturing
Active since ~2022 · Extortion, Financial gain
The Beast of Edicts issues its decrees with both halves of itself: one head encrypts the data, the other publishes the names of the dead. Hospitals close. The Beast tallies the silence as leverage.
Tactics & Techniques
ATT&CK tactic bar (figure): RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1486 Data Encrypted for Impact (Impact)
  • T1490 Inhibit System Recovery (Impact)
  • T1078 Valid Accounts (Persistence)
  • T1567.002 Exfiltration to Cloud Storage (Exfiltration)
  • T1059.001 PowerShell (Execution)
  • T1027 Obfuscated Files or Information (Defense Evasion)
Notable Operations
  • Synnovis pathology services attack causing NHS surgery cancellations (June 2024)
  • Lehigh Valley Health Network patient data leak (2023)
  • Rust and Go-based ransomware variants
  • Veeam backup credential theft as standard playbook
Defenses
  • Backup software credential isolation in separate domain or tenant
    Veeam Hardened Repository Guide
  • Healthcare diagnostics continuity-of-operations plans for ransomware scenarios
    HHS HICP
  • Immutable and offline backup copies tested quarterly
    CIS Control 11
  • PowerShell logging and constrained language mode on clinical endpoints
    CIS Control 8
Reversed: Their Weakness
Backup software (Veeam, etc.) credential isolation and out-of-band recovery infrastructure remove the easy pivot this operator depends on. Pathology continuity plans built for ransomware specifically have proven to limit damage at follow-on victims.

Data sourced from MITRE ATT&CK. For educational purposes.