
Oilin Ransomware Group

1. Overview

Oilin is a financially motivated ransomware group that emerged in the second half of 2023. Though comparatively new to the ransomware ecosystem, Oilin has displayed a high level of operational maturity, strategic targeting, and rapidly evolving tooling. The group operates under a double extortion model, exfiltrating sensitive data before encrypting victim systems, and threatening to publish or sell the stolen data if ransom demands are not met.

Unlike some more vocal ransomware brands, Oilin maintains a low public profile, favouring quiet, opportunistic campaigns against selected organisations. Its targeting spans legal services, healthcare, finance, education, and professional services, making it a concern for data-sensitive sectors across the UK, Europe, and North America.


2. Origin and Evolution

Oilin was first observed in the wild in late 2023, initially through dark web data leaks and incident response engagements. Early analysis of the group’s payloads suggested a level of sophistication not typically seen in new entrants, leading researchers to hypothesise that Oilin may have emerged from the remnants of disrupted or dormant ransomware collectives, such as Hive or Ragnar Locker.

Since its appearance, Oilin has continued to refine its tooling, adopting support for Windows environments, and deploying custom ransomware payloads tailored for stealth and impact. The group’s infrastructure and communication channels suggest a structured, well-funded operation.


3. Tactics, Techniques, and Procedures (TTPs)

Oilin combines traditional ransomware tactics with emerging trends in extortion and post-exploitation. Its typical intrusion chain includes:

  • Initial Access:
    Exploitation of public-facing applications (T1190), phishing campaigns (T1566.001), and use of credentials obtained from initial access brokers (T1078).
  • Lateral Movement:
    Deployment of tools such as Cobalt Strike, Mimikatz, PsExec, and RDP to escalate privileges and move across the network (T1055, T1021).
  • Data Exfiltration:
    Use of Rclone, WinSCP, and custom PowerShell scripts to extract data to external storage (T1041).
  • Encryption:
    The ransomware payload supports multi-threaded encryption, targets mapped network shares and backup services, and often uses AES + RSA combinations to lock files.
  • Persistence & Evasion:
    Oilin employs LOLBins, registry tampering (T1112), and anti-forensic techniques such as shadow copy deletion (T1490) and service termination to evade detection and impede recovery.

4. Targeting Profile

Oilin demonstrates opportunistic but selective targeting, typically focusing on organisations with:

  • Exposed or outdated infrastructure
  • High-value data such as PII, legal documents, or medical records
  • Limited cyber maturity or under-resourced IT departments

Industries targeted include:

  • Legal and professional services
  • Healthcare and private medical clinics
  • Education (especially universities and research institutes)
  • Financial services and insurance firms

UK-based firms, especially those in the legal and healthcare sectors, are advised to consider Oilin a credible and relevant threat actor.


5. Notable Campaigns and Victims

While Oilin maintains operational silence regarding victims, intelligence from incident response engagements and underground forums indicates:

  • A targeted attack on a UK-based medical services provider, resulting in the leak of sensitive patient records
  • The compromise of a Central European law firm, where exfiltrated contracts and legal correspondence were leaked
  • An intrusion into a North American financial consultancy, with over 1TB of data reportedly stolen

These incidents are typically not announced in media releases, aligning with Oilin’s quiet coercion strategy.


6. Ransomware and Leak Site Behaviour

Oilin operates a dark web leak portal, listing victims who fail to comply with ransom demands. Its double extortion approach involves:

  1. Silent intrusion and internal reconnaissance
  2. Data exfiltration using secure outbound channels
  3. Deployment of ransomware at an off-peak time
  4. Delivery of ransom notes with Tor-based contact links
  5. Gradual publication of victim data in staged leaks if negotiations fail

The group maintains a professional tone during negotiations, with ransom demands generally ranging from £100,000 to £2 million, scaled to organisation size and data sensitivity.


7. Technical Indicators

While indicators vary by campaign, common traits include:

  • Use of .oil or .oilin file extensions in encrypted files
  • Deployment of rclone.exe and winscp.exe from temporary directories
  • Obfuscated PowerShell and batch scripts for data harvesting
  • Registry changes that disable recovery and logging
  • Network connections to bulletproof hosting in Eastern Europe and Asia

UK Cyber Defence Ltd maintains a regularly updated IOC and YARA ruleset for Oilin-related activity.


8. Defensive Measures and Recommendations

To defend against Oilin ransomware, organisations should adopt the following controls:

  • Enforce multi-factor authentication (MFA) across all remote services and administrative accounts
  • Patch VPNs, web apps, and email gateways promptly
  • Monitor for PowerShell execution, shadow copy deletion, and lateral movement artefacts
  • Limit privilege escalation paths and regularly audit admin accounts
  • Maintain immutable, offline backups, with verified restoration procedures
  • Conduct phishing resilience training for staff
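The host-level traits in section 7 and the monitoring advice in section 8 can be turned into a small detector. This is an added example, not UK Cyber Defence Ltd's ruleset: the key=value log format and the sample events are constructed, and the vssadmin/wmic patterns are the common shadow copy deletion commands that the T1490 reference covers.

```python
import re

# Constructed sample events (not real telemetry) in a simple key=value format.
SAMPLE_EVENTS = [
    r'type=proc image=C:\Windows\Temp\rclone.exe cmd="rclone copy D:\Finance remote:bucket"',
    r'type=proc image=C:\Windows\System32\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"',
    r'type=file path=\\FS01\Legal\contracts\retainer.docx.oilin',
    r'type=proc image="C:\Program Files\WinSCP\WinSCP.exe" cmd="WinSCP.exe /console"',  # normal install: no alert
    r'type=file path=C:\Users\alice\notes.txt',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}           # tools named in section 7
TEMP_DIR_RE = re.compile(r'\\(?:Temp|Tmp)\\', re.IGNORECASE)
ENCRYPTED_EXT = (".oil", ".oilin")                    # extensions named in section 7
# Common shadow copy deletion commands (T1490); assumed, not taken from the profile.
SHADOW_DELETE_RE = re.compile(
    r'vssadmin(?:\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete', re.IGNORECASE)


def parse(line):
    """Split one event line into a dict; quoted values may contain spaces."""
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}


def scan(lines):
    """Return (line_number, rule_name) for every event that matches a trait."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        if ev.get("type") == "proc":
            image = ev.get("image", "")
            name = image.rsplit("\\", 1)[-1].lower()
            # Exfil tooling launched from a temp directory; the same binary under
            # Program Files is treated as an ordinary install and not flagged.
            if name in EXFIL_TOOLS and TEMP_DIR_RE.search(image):
                hits.append((n, "exfil_tool_from_temp"))
            if SHADOW_DELETE_RE.search(ev.get("cmd", "")):
                hits.append((n, "shadow_copy_deletion"))
        elif ev.get("type") == "file":
            if ev.get("path", "").lower().endswith(ENCRYPTED_EXT):
                hits.append((n, "encrypted_extension"))
    return hits


if __name__ == "__main__":
    for n, rule in scan(SAMPLE_EVENTS):
        print(f"line {n}: {rule}")
```

Feeding real process-creation and file-write telemetry through the same rules gives a starting point for the PowerShell, shadow copy and exfiltration monitoring recommended above.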

9. Attribution and Alliances

Oilin does not claim affiliation with a known ransomware collective. However, based on infrastructure patterns, binary design, and campaign style, analysts suspect links to ex-Hive or Ragnar Locker operators. There is no evidence of nation-state involvement. The group’s focus is strictly financial extortion, with a preference for discretion over publicity.


10. Conclusion

Oilin is a capable and increasingly dangerous ransomware group that combines technical skill, operational maturity, and a stealth-first approach. Its selective targeting of high-value organisations in sensitive sectors, particularly in the UK, marks it as a threat that must be monitored closely. A combination of proactive threat detection, tight access control, and strategic data protection is essential to mitigate the risk posed by this emerging adversary.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
