MITRE ATT&CK® Group

G1050: Water Galura

Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS) who handle payload generation, ransom negotiations, and the publication of stolen data for Qilin affiliates recruited on Russian cybercrime forums. Water Galura have been active since at least 2022 and use a double extortion model where they demand payment for providing decryption keys and for refraining from publishing the stolen data to their leak site.[1][2]

Domain: Enterprise. ID: G1050. Type: Group. Object version: 1.0. Status: Modified.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Water Galura is identified by ATT&CK as the operator group behind the Qilin ransomware-as-a-service model, including payload generation, ransom negotiation, and publication of stolen data. The business significance is not just malware execution; it is the combination of availability disruption, data-leak extortion, and affiliate-driven operations that can turn one intrusion into legal, operational, customer, and continuity decisions.

Executive priority

Prioritize this as a ransomware and extortion readiness issue. Leaders should ask whether the organization can sustain operations if encryption affects critical systems, whether backup and recovery evidence is current, whether incident response can handle both decryption and data-publication pressure, and whether third-party or MSP access paths are governed strongly enough to limit downstream exposure. Because ATT&CK provides no group-specific detection guidance, control validation should focus on ransomware impact resilience, identity/access review, and evidence needed for audit, legal, and crisis decisions.

Technical view

ATT&CK lists Water Galura as using Qilin, Tor, Data Encrypted for Impact, Social Media Accounts, and Financial Theft. SOC and IR teams should validate telemetry and playbooks around ransomware execution, encryption-at-scale indicators, exfiltration/extortion decision points, Tor-related network visibility where policy allows, and pre-incident signals tied to social-media-enabled targeting. Relationship context for Qilin includes Windows, Linux, and VMware ESXi, so defenders should confirm that those environments have logging, EDR, backup integrity checks, and recovery procedures, but should not assume Water Galura activity in the local environment without evidence.

Likely telemetry

  • Endpoint and server process, file, and command execution telemetry relevant to ransomware behavior
  • File modification/encryption-rate signals on endpoints, servers, network shares, and virtualization infrastructure
  • Backup job, backup deletion, backup access, and restore-test evidence
  • Network telemetry for Tor or anonymizing proxy use where collected and legally/policy appropriate
  • Identity and remote access logs, especially privileged, MSP, or administrative access paths

Detection direction

  • Do not rely on a single Water Galura signature; ATT&CK supplies no official detection text for this group.
  • Validate detections mapped to the related behaviors: Data Encrypted for Impact, Qilin ransomware activity, Tor use, and financially motivated extortion patterns.
  • Tune ransomware detections for high-volume file renames, rapid file rewrites, suspicious encryption activity, and abnormal access to shared or virtualized storage, while accounting for legitimate backup, archival, or administrative encryption workflows.
  • Review visibility gaps on ESXi, Linux, and unmanaged servers, since ransomware impact can occur where endpoint coverage is weaker.
  • Correlate identity events with ransomware-impact telemetry: new or unusual privileged sessions, remote administration, service-account use, and access from third-party administration paths.
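As an added illustration of the rename-rate tuning above (example code, not part of the ATT&CK object or of Glexia's analysis), a small Python detector that scores file writes and extension-changing renames per host and process in a sliding window, runs over constructed file-event telemetry, and downgrades allowlisted backup processes to "review" rather than dropping them; the process names, thresholds and allowlist are assumptions to be tuned locally:

```python
import json
from collections import defaultdict, deque

# Constructed allowlist of backup/archival processes whose bursty rewrites are expected; tune locally.
ALLOWLIST = {"veeamagent.exe", "backup-agent"}

def build_sample(proc, start, count, new_ext, op="rename"):
    """Constructed JSON-lines telemetry: `count` file ops by `proc` on one share, 0.5 s apart."""
    rows = []
    for i in range(count):
        path = f"\\\\fs01\\finance\\doc{i}.docx"
        rows.append(json.dumps({"ts": start + i * 0.5, "host": "fs01", "proc": proc, "user": "svc_admin",
                                "op": op, "path": path, "new": path.rsplit(".", 1)[0] + "." + new_ext}))
    return "\n".join(rows)

# Constructed actors: an unknown binary mass-renaming to a new extension, a backup agent doing the
# same volume legitimately, and a user saving a few documents.
SAMPLE_EVENTS = "\n".join([
    build_sample("unknown.exe", 1700000000, 40, "locked"),
    build_sample("veeamagent.exe", 1700000100, 40, "vbk"),
    build_sample("winword.exe", 1700000200, 5, "docx", op="write"),
])

def parse_events(text):
    """Parse JSON-lines telemetry and order it by timestamp."""
    return sorted((json.loads(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])

def extension_changed(e):
    """A rename that swaps the extension is the classic mass-encryption tell."""
    return e["op"] == "rename" and e["path"].rsplit(".", 1)[-1].lower() != e["new"].rsplit(".", 1)[-1].lower()

def detect_encryption_bursts(events, window=60, threshold=50):
    """Score writes (1) and extension-changing renames (2) per (host, process) over a sliding `window`
    seconds; one finding per pair crossing `threshold`, downgraded to 'review' for allowlisted processes."""
    recent, flagged, findings = defaultdict(deque), set(), []
    for e in events:
        if e["op"] not in ("write", "rename"):
            continue
        key = (e["host"], e["proc"])
        q = recent[key]
        q.append((e["ts"], 2 if extension_changed(e) else 1))
        while q[0][0] < e["ts"] - window:  # drop events older than the window
            q.popleft()
        score = sum(w for _, w in q)
        if score >= threshold and key not in flagged:
            flagged.add(key)
            sev = "review" if e["proc"].lower() in ALLOWLIST else "alert"
            findings.append({"host": e["host"], "proc": e["proc"], "user": e["user"],
                             "first_seen": q[0][0], "score": score, "severity": sev})
    return findings
```

The "review" findings are what lets a legitimate backup or archival job be reconciled against change tickets instead of hiding the same pattern when an attacker abuses a backup account.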

Mitigation priorities

  • Confirm tested, segregated, and recoverable backups for critical business services before focusing on group-specific indicators.
  • Reduce ransomware blast radius through least privilege, privileged-access governance, segmentation, and tighter control of administrative and third-party access.
  • Ensure Windows, Linux, and ESXi recovery procedures are documented and exercised where those platforms support critical operations.
  • Prepare an extortion playbook covering legal, communications, insurance, regulator, customer-notification, and data-leak assessment workflows.
  • Limit unnecessary Tor/anonymizing proxy use by policy and monitor exceptions where feasible.

Analyst notes and limits

This take is based on ATT&CK group G1050, its official description, external references, and listed relationships. The most decision-relevant point is the RaaS operating model: affiliates may vary in intrusion methods, while the operator role described by ATT&CK centers on payload generation, negotiations, and stolen-data publication. That makes preparedness, recovery evidence, and incident governance as important as malware detection.

ATT&CK does not provide official detection text, group-specific platforms, or tactics for Water Galura in the supplied object. Platform references come only from related software and techniques, especially Qilin and Data Encrypted for Impact. Local exposure, active targeting, compromise, and detection coverage cannot be inferred from this object alone.

Official MITRE ATT&CK definition

Water Galura

Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS) who handle payload generation, ransom negotiations, and the publication of stolen data for Qilin affiliates recruited on Russian cybercrime forums. Water Galura have been active since at least 2022 and use a double extortion model where they demand payment for providing decryption keys and for refraining from publishing the stolen data to their leak site.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1585.001 | Social Media Accounts (sub-technique) | Water Galura operates a news channel on Telegram to make announcements for the Qilin RaaS. (Citation: BushidoToken Qilin RaaS JUN 2024)
Enterprise | T1486 | Data Encrypted for Impact | Water Galura has encrypted files on victim networks through the generation of Qilin ransomware payloads. (Citation: BushidoToken Qilin RaaS JUN 2024)
Enterprise | T1657 | Financial Theft | Water Galura has extorted victims for ransomware decryption keys and to prevent publication of data exfiltrated to their Tor data leak site. (Citation: BushidoToken Qilin RaaS JUN 2024) (Citation: HC3 Qilin Threat Profile JUN 2024)

Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S1242: Qilin

Qilin is a ransomware family operated as a ransomware-as-a-service (RaaS) that has been active since at least 2022. It includes variants written in Go and Rust capable of targeting Windows, Linux, and VMware ESXi environments. Qilin shares functionality overlaps with Black Basta, REvil, and BlackCat ransomware. Qilin affiliates have targeted multiple entities worldwide with the majority of victims in the US, France, Canada, and the UK, primarily in the manufacturing, technology, financial services, and healthcare sectors.[1][2][3][4][5]

Platforms: ESXi, Windows, Linux

Tool (Enterprise)

S0183: Tor

Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination.[1]

Platforms: Linux, Windows, macOS

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6a2e6d384c7b81be...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 6a2e6d384c7b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] BushidoToken Qilin RaaS JUN 2024: Thomas, W. (2024, June 12). Tracking Adversaries: The Qilin RaaS. Retrieved September 26, 2025.
  2. [2] Sophos Qilin MSP APR 2025: Bradshaw, A. et al. (2025, April 1). Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream. Retrieved September 26, 2025.
  3. [3] GOLD FEATHER (Citation: BushidoToken Qilin RaaS JUN 2024)
  4. [4] mitre-attack G1050

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.