Back to Intelligence

QILIN Ransomware: 15 New Victims Identified — Cross-Sector Surge & Critical CVE Exploitation

SA
Security Arsenal Team
June 7, 2026
6 min read
  • Aliases: Agenda, Qilin.Bloody
  • Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate model, aggressively recruiting penetration testers to gain initial access.
  • Ransom Demands: Highly variable, typically ranging from $500,000 to $5 million USD depending on victim revenue and urgency. They are known for aggressive negotiation tactics.
  • Initial Access Vectors: Qilin affiliates heavily exploit internet-facing vulnerabilities in remote access software (ConnectWise ScreenConnect), VPNs, and perimeter firewalls (Cisco FMC). Phishing with macro-laden documents is also a secondary vector.
  • TTPs:
    • Double Extortion: Standard exfiltration followed by encryption. They utilize their own dark web leak site to pressure victims.
    • Dwell Time: Short. Historical analysis suggests a dwell time of 3–5 days before detonation to evade detection.
    • Tooling: Known to use Cobalt Strike beacons for C2, Rclone for large-scale data exfiltration, and custom PowerShell scripts for lateral movement and disabling security defenses.

Current Campaign Analysis

Based on victim postings between 2026-06-02 and 2026-06-05, Qilin is operating at high velocity.

  • Targeted Sectors: The group is casting a wide net but shows a distinct preference for Healthcare (3 victims), Business Services (3 victims), Construction, and Energy. This suggests affiliates are exploiting supply chain relationships common in these verticals.
  • Geographic Concentration: Predominantly North America (US, CA), but with significant global spread including Central Europe (DE, AT, SI), South America (BR), and Asia Pacific (KR).
  • Victim Profile: A mix of SMBs (e.g., Jay's Catering, Swim-Mor Pools) and mid-market enterprises (e.g., Trican, Avcon Jet). The targeting of dental practices indicates a shift toward smaller healthcare entities with potentially weaker security postures.
  • Posting Frequency: High intensity. 15 victims posted in 4 days (~3.75/day) indicates a mature automation process for victim data processing and site updates.
  • CVE Correlation: The campaign coincides with the active exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2025-52691 (SmarterTools SmarterMail). Given the Business Services and Transportation victims, it is highly probable initial access was gained via unpatched remote access gateways.

Detection Engineering

SIGMA Rules

YAML
title: Potential ConnectWise ScreenConnect Authentication Bypass
id: 4a8b9c3d-1e2f-4a5b-8c7d-1e2f3a4b5c6d
description: Detects potential exploitation of CVE-2024-1708 involving suspicious paths or query patterns in ConnectWise ScreenConnect web logs.
status: experimental
date: 2026/06/07
author: Security Arsenal
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - 'Authenticate'
            - 'Host'
        cs-uri-stem|contains: '/Services/'
    filter:
        cs-uri-query|contains:
            - '.aspx'
            - 'SessionId'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative access
level: critical
---
title: Suspicious PowerShell Encoded Command Length
id: 5b9c0d4e-2f3g-5b6c-9d8e-2f3g4b5c6d7e
description: Detects long encoded commands in PowerShell, often used by Qilin for payload execution and obfuscation.
status: experimental
date: 2026/06/07
author: Security Arsenal
logsource:
    product: windows
    service: powershell
detection:
    selection:
        EventID: 4103
        Payload|contains|all:
            - ' -Encoded '
    condition: selection | length(Payload) > 1000
falsepositives:
    - Legitimate admin scripts
level: high
---
title: Ransomware Pattern - Volume Shadow Copy Deletion
id: 6c0d1e5f-3g4h-6c7d-0e9f-3g4h5c6d7e8f
description: Detects attempts to delete Volume Shadow Copies using vssadmin or diskshadow, a common precursor to Qilin encryption.
status: experimental
date: 2026/06/07
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|contains:
            - 'vssadmin.exe'
            - 'diskshadow.exe'
            - 'wmic.exe'
    cmdline:
        CommandLine|contains:
            - 'delete shadows'
            - 'shadowcopy delete'
    condition: selection and cmdline
falsepositives:
    - Legitimate system maintenance
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin lateral movement and staging indicators
// Looks for Rclone usage (common exfil tool) and unusual SMB access
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp >= ago(TimeFrame)
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("rclone", "webclient", "downloadstring", "iex")
| extend HostName = DeviceName
| project Timestamp, HostName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| union (
    DeviceFileEvents
    | where Timestamp >= ago(TimeFrame)
    | where FileName in~ ("rclone.exe", "7za.exe", "winrar.exe")
    | project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath
)
| order by Timestamp desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Rapid Triage Script
.DESCRIPTION
    Checks for common Qilin persistence mechanisms and precursor activities.
#>

Write-Host "[!] Starting Qilin Ransomware Triage..." -ForegroundColor Cyan

# 1. Check for recently created Scheduled Tasks (Persistence)
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -ge (Get-Date).AddDays(-1) }
if ($suspiciousTasks) {
    Write-Host "[ALERT] Found scheduled tasks created/modified in the last 24 hours:" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, Date, Author | Format-Table
} else {
    Write-Host "[OK] No suspicious recent scheduled tasks." -ForegroundColor Green
}

# 2. Check for Rclone or other archiving tools (Exfil Staging)
$paths = @("C:\Windows\Temp\", "C:\Users\Public\", $env:TEMP)
$maliciousFiles = @("rclone.exe", "7za.exe", "mimikatz.exe", "procdump.exe")

foreach ($path in $paths) {
    if (Test-Path $path) {
        Write-Host "[*] Scanning $path for staging tools..." -ForegroundColor Yellow
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | 
        Where-Object { $maliciousFiles -contains $_.Name } | 
        ForEach-Object { Write-Host "[FOUND] $($_.FullName)" -ForegroundColor Red }
    }
}

# 3. Check for Disabled Shadow Copies
try {
    $shadowCopies = Get-WmiObject -Class Win32_ShadowCopy | Measure-Object
    if ($shadowCopies.Count -eq 0) {
        Write-Host "[ALERT] No Volume Shadow Copies found. Potential deletion event." -ForegroundColor Red
    } else {
        Write-Host "[OK] $($shadowCopies.Count) Shadow Copies exist." -ForegroundColor Green
    }
} catch {
    Write-Host "[ERROR] Could not query Shadow Copies." -ForegroundColor DarkYellow
}

Write-Host "[!] Triage Complete." -ForegroundColor Cyan

Incident Response Priorities

T-Minus Detection Checklist

  • Network Telemetry: Hunt for successful RDP/VPN logins originating from anomalous geolocations (e.g., unexpected logins from SI or BR correlating with victim list).
  • Web Server Logs: Audit IIS and application logs for ConnectWise ScreenConnect (path traversal) and SmarterMail (file upload) IOCs.
  • Endpoint: Immediately scan for unsigned binaries in %APPDATA% or %TEMP%.

Critical Assets for Exfiltration

Based on the current victimology, prioritize the protection of:

  • Healthcare: Patient PHI (EMR databases), insurance records.
  • Construction/Energy: Engineering schematics (CAD files), project financial data, contractual agreements.
  • Business Services: Client databases, HR records with SSNs/Tax IDs.

Containment Actions (Ordered by Urgency)

  1. Isolate: Disconnect suspected VPN concentrators and internet-facing ConnectWise instances from the network.
  2. Disable Accounts: Suspend service accounts associated with the exploited applications (e.g., IIS app pool accounts, ConnectWise service account).
  3. Block C2: Update firewall rules to block known Qilin C2 IPs and domains (refer to current threat intel feeds).

Hardening Recommendations

Immediate (24 Hours)

  • Patch Management: Immediately patch CVE-2024-1708 (ConnectWise) and CVE-2025-52691 (SmarterMail). If patching is not possible, disable external access to these services immediately.
  • MFA Enforcement: Ensure all remote access (VPN, RDP, SaaS) enforces FIDO2 or App-based MFA. Reject SMS/Voice codes where possible.
  • Password Reset: Force a password reset for all privileged accounts and users of the affected remote access tools.

Short-term (2 Weeks)

  • Network Segmentation: Restrict lateral movement by enforcing strict segmentation between IT/OT and business units. Ensure jump servers are required for administrative access.
  • EDR Tuning: Configure EDR solutions to alert on unsigned binaries running from user-writable directories and suspicious PowerShell activity (script block logging).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarecisa-kevconnectwisehealthcarethreat-intel

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action