QILIN Ransomware: 14 New Victims Posted — Healthcare & Manufacturing Under Siege

Threat Level: HIGH Date of Analysis: 2026-06-02 Live Source: .onion Leak Site

Threat Actor Profile — QILIN

Aliases: Agenda (formerly associated), Qilin.B

Operational Model: Qilin operates as a sophisticated Ransomware-as-a-Service (RaaS) entity. They aggressively recruit affiliates, offering a customizable Rust-based encryptor that is efficient in bypassing Endpoint Detection and Response (EDR) solutions through direct system calls and API unhooking.

Ransom Demands: Demands vary significantly based on victim revenue but typically range from $500,000 to $5 million. They are known to negotiate aggressively but will leak data immediately if deadlines are missed.

TTPs & Initial Access:

• Initial Access: Qilin affiliates heavily rely on exploiting external-facing remote access software, particularly ConnectWise ScreenConnect (CVE-2024-1708), and vulnerabilities in VPN appliances. Phishing campaigns with malicious macro-laden documents remain a staple for less mature targets.
• Lateral Movement: Utilization of Cobalt Strike beacons for C2, followed by lateral movement via RDP, PsExec, and WMI.
• Double Extortion: Strict adherence to double extortion. Data is staged and exfiltrated via tools like Rclone or Mega before encryption is triggered.
• Dwell Time: Average dwell time is approximately 3–9 days. Qilin actors are methodical, often spending time elevating privileges and disabling security backups (Shadow Copies) before detonation.

Current Campaign Analysis

Based on data scraped from their dark web leak site on 2026-06-02, Qilin has posted 14 new victims in a rapid-fire burst (13 on May 28, 1 on June 2).

Sector Targeting

The current campaign shows a distinct pivot towards critical infrastructure and services, with a heavy emphasis on the United States.

• Healthcare (36%): 5 victims (Clinica Maitenes, Mindpath College Health, Providence Medical Group, Dillon Family Medicine). This suggests a high-value targeting of PHI data.
• Manufacturing (21%): 3 victims (Sinomax USA, Carton Craft Supply, LA Woodworks).
• Business Services (14%): 2 victims (Gallun Snow Associates, Kennedy, McLaughlin & Associates).
• Other: Education, Technology, Agriculture, and "Not Found" entities.

Geographic Concentration

• United States (60%): The primary target zone, accounting for 8 of the 14 listed victims.
• Global Spread: Activity also noted in Australia (AU), Chile (CL), Denmark (DK), Laos (LA), and Saudi Arabia (SA).

Exploited Vulnerabilities & Vectors

We assess with high confidence that affiliates are leveraging the recently disclosed CVE-2024-1708 (ConnectWise ScreenConnect) for initial access, particularly against the Business Services and Technology sectors. The clustering of victims on a single date (May 28) suggests a mass-exploitation event or a single affiliate active-spamming a specific vulnerability.

Other relevant CVEs likely in use for establishing footholds include:

• CVE-2026-48027: Nx Console Embedded Malicious Code (Newly added to KEV, specific to development environments).
• CVE-2023-21529: Microsoft Exchange Server Deserialization.

Detection Engineering

Sigma Rules

---
title: Potential ConnectWise ScreenConnect Authentication Bypass
description: Detects potential exploitation of CVE-2024-1708 in ConnectWise ScreenConnect via suspicious URI patterns often used in web shell uploads.
status: experimental
author: Security Arsenal
date: 2026/06/02
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: web
    product: proxy
detection:
    selection:
        cs-uri-query|contains:
            - 'Diagnostic.ashx'
            - 'Setup.ashx'
            - 'Host='
        cs-method: 'POST'
    condition: selection
falsepositives:
    - Legitimate administrative configuration
level: high
---
title: Suspicious PowerShell Base64 Encoded Command Pattern
description: Detects PowerShell commands with specific encoding characteristics often used by Qilin payloads for execution and anti-AMSI techniques.
status: experimental
author: Security Arsenal
date: 2026/06/02
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'FromBase64String'
            - 'IEX '
            - 'Hidden'
            - 'NoProfile'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative scripts
level: medium
---
title: Volume Shadow Copy Deletion via VssAdmin
description: Detects attempts to delete Volume Shadow Copies, a precursor activity to ransomware encryption used by Qilin to prevent recovery.
status: experimental
author: Security Arsenal
date: 2026/06/02
logsource:
    product: windows
    service: process_creation
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'Delete Shadows'
    condition: selection
falsepositives:
    - System administration (rare)
level: critical

KQL (Microsoft Sentinel)

// Hunt for Qilin Staging and Lateral Movement Indicators
// Identifies unusual SMB access patterns and potential credential dumping
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp >= ago(TimeFrame)
// Look for tools used by Qilin affiliates
| where ProcessCommandLine has_any ("psexec", "wmic", "wmi", "powershell", "cmd") 
// Filter for base64 encoded commands or suspicious flags
| where ProcessCommandLine matches regex @"(?:\-e|\-enc|\enc|\FromBase64String)"
// Join with network events to see outbound C2 or lateral movement
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp >= ago(TimeFrame)
    | where ActionType == "ConnectionSuccess" 
    | where RemotePort in (443, 80, 445, 3389) // Common C2/RDP ports
) on DeviceId
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, RemoteUrl, RemoteIP, InitiatingProcessFileName
| summarize count() by DeviceName, AccountName, ProcessCommandLine, RemoteIP
| where count_ > 5

PowerShell Response Script

<#
.SYNOPSIS
    Qilin Ransomware Triage Script
.DESCRIPTION
    Checks for indicators of compromise (IOCs) associated with Qilin activity, including VSS tampering, unusual scheduled tasks, and rogue PowerShell processes.
#>

Write-Host "[*] Starting Qilin Incident Response Triage..." -ForegroundColor Cyan

# 1. Check for VSS Shadow Copy Deletions (Common precursor)
Write-Host "[+] Checking Event Logs for VSS Deletion (Event ID 104)..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=104; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($vssEvents) { $vssEvents | Select-Object TimeCreated, Message | Format-List } 
else { Write-Host "No recent VSS deletion events found." }

# 2. Hunt for Suspicious Scheduled Tasks (Persistence)
Write-Host "[+] Enumerating Scheduled Tasks created in last 7 days..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) } | 
    Select-Object TaskName, Date, Author, @{Name="Actions";Expression={$_.Actions.Execute}} | Format-Table -AutoSize

# 3. Check for uncommon processes running from temporary directories
Write-Host "[+] Checking for processes running from Temp folders..." -ForegroundColor Yellow
Get-Process | Where-Object { $_.Path -like "*\Temp\*" -and $_.ProcessName -notin ("explorer.exe", "chrome.exe", "msedge.exe") } | 
    Select-Object ProcessName, Path, StartTime, Id | Format-Table -AutoSize

Write-Host "[*] Triage Complete. Review output and isolate if suspicious." -ForegroundColor Cyan


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption)

1. ScreenConnect Audit: Immediately review ConnectWise ScreenConnect logs for the period 2026-05-25 to 2026-06-02. Look for logins from unusual GeoIPs or simultaneous logins from disparate locations.
2. PowerShell Audit: Hunt for powershell.exe instances spawned by svchost.exe or wsmprovhost.exe.
3. Mass File Creation: Monitor for processes creating high volumes of encrypted files (similar extensions appended) in \ProgramData or C:\Windows\Temp.

Critical Assets for Exfiltration

Qilin actors prioritize high-leverage data:

• Healthcare: Patient Medical Records (PHI/PII), Insurance Billing Data.
• Manufacturing: CAD designs, Intellectual Property, Supply Chain Vendor Lists.
• All Sectors: Financial files (QuickBooks databases), Executive emails, HR employee data (SSNs/Tax IDs).

Containment Actions (Ordered by Urgency)

1. Disconnect External Connectivity: If a ScreenConnect compromise is suspected, sever the server's internet access immediately but keep the machine on for memory acquisition.
2. Revoke Privileged Credentials: Force reset of Domain Admin and local administrator passwords for affected segments.
3. Isolate VLANs: Segregate healthcare/production VLANs from the management network to stop lateral spread.

Hardening Recommendations

Immediate (24 Hours)

• Patch CVE-2024-1708: If ConnectWise ScreenConnect is in use, update to the latest patched version immediately. Enforce MFA on all remote access portals.
• Block RDP from Internet: Ensure TCP/3389 is blocked at the perimeter firewall. Use VPNs with MFA as the only entry point.
• Audit Exchange: Apply patches for CVE-2023-21529 if Exchange servers are present.

Short-term (2 Weeks)

• Network Segmentation: Implement strict Zero Trust controls; ensure workstations cannot communicate directly with server shares unless necessary.
• EDR Deployment: Ensure coverage on all critical servers. Qilin's Rust-based variants often evade basic AV but struggle against behavioral EDR.
• Backups Offline: Verify that recent backups are immutable and offline. Test restoration procedures for PHI and CAD file repositories.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub