Back to Intelligence

QILIN Ransomware: 16 New Victims Posted — Aggressive Mail Server Exploitation & Sector Targeting Analysis

SA
Security Arsenal Team
May 13, 2026
6 min read

Aliases: Agenda, Qilin.B Model: Ransomware-as-a-Service (RaaS) with an affiliate-driven model. Affiliates manage initial access and lateral movement, while the core team develops the Rust-based encryption payload. Ransom Demands: Highly variable, typically ranging from $500,000 to $5 million depending on victim revenue, often negotiated aggressively. Initial Access: Historically relies on valid credentials obtained via phishing campaigns or exploitation of public-facing internet infrastructure. Recent trends indicate a shift toward exploiting specific vulnerabilities in email gateways and perimeter firewalls. TTPs: Utilizes double extortion. Encrypts files using a Rust-based cryptographically strong algorithm. Often disables shadow copies via vssadmin and deletes backup files. Known to use tools like Cobalt Strike, AnyDesk, and Rclone for exfiltration. Dwell Time: Average observed dwell time is approximately 3–5 days between initial access and detonation, focusing heavily on data exfiltration prior to encryption.

Current Campaign Analysis

Sectors Targeted: The current campaign shows a distinct pivot toward Business Services (5 victims), which represents 31% of the recent postings. Significant activity also continues in Technology (AppDirect, CAD-IT UK), Consumer Services (Pangolin Editions, Keller Williams), and Public Sector (SHERIFF in Ukraine).

Geographic Concentration: Qilin is primarily targeting the "Five Eyes" and allied regions. The US remains the top target (4 victims), followed closely by the UK (4 victims) and Canada (2 victims). Secondary targets include Spain, Ukraine, Mexico, and Argentina, suggesting a broad, opportunistic but English-language focused affiliate operation.

Victim Profile: The victim list suggests a focus on mid-market to large enterprises.

  • Business Services: High-value data handlers (e.g., The Gravity Group, Mediapost Spain).
  • Technology: Software and CAD firms holding intellectual property (e.g., AppDirect, CAD-IT UK).

CVE Connection & Initial Access Vectors: The inclusion of CVE-2023-21529 (Microsoft Exchange) and CVE-2026-23760 / CVE-2025-52691 (SmarterTools SmarterMail) in the CISA KEV list alongside this surge indicates Qilin affiliates are actively exploiting unpatched mail infrastructure. The compromise of SHERIFF (Public Sector) and multiple tech firms correlates strongly with the Cisco Secure Firewall Management Center (CVE-2026-20131) vulnerability, allowing attackers to pivot through perimeter defenses.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Exchange Deserialization Exploit (CVE-2023-21529)
id: 38c3a8f8-7d88-4b3d-9c5a-1d2f3g4h5i6j
description: Detects suspicious process spawns by w3wp.exe (IIS) associated with Exchange deserialization vulnerabilities.
status: experimental
date: 2026/05/13
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\w3wp.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\bash.exe'
    condition: selection
falsepositives:
    - Administrative management scripts
level: critical
---
title: SmarterMail Unrestricted File Upload (CVE-2025-52691)
id: 9d7e6f5e-4c2a-3b1d-0e9f-2a1b2c3d4e5f
description: Identifies suspicious web shell-like activity or file creation in SmarterMail directories.
status: experimental
date: 2026/05/13
author: Security Arsenal
logsource:
    category: file_creation
    product: windows
detection:
    selection:
        TargetFilename|contains: 'SmarterMail'
        TargetFilename|contains:
            - '.aspx'
            - '.ashx'
            - '.asp'
    condition: selection
falsepositives:
    - Legitimate software updates
level: high
---
title: Qilin Ransomware Data Staging Pattern
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects usage of Rclone or WinSCP often used by Qilin affiliates for data exfiltration prior to encryption.
status: experimental
date: 2026/05/13
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        Image|endswith:
            - '\rclone.exe'
            - '\winscp.exe'
            - '\filezilla.exe'
    selection_network:
        CommandLine|contains:
            - 'sync'
            - 'copy'
            - 'sftp://'
    condition: all of selection_*
falsepositives:
    - Legitimate admin backups
level: medium

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for potential Qilin lateral movement and staging via PowerShell and Rclone
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
| where ProcessCommandLine has "-enc" or ProcessCommandLine has "DownloadString" or ProcessCommandLine has "IEX"
| where InitiatingProcessFileName in~ ("w3wp.exe", "svchost.exe", "explorer.exe")
| join kind=leftouter (DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (443, 80, 21, 22) or InitiatingProcessFileVersion =~ "2.0.0.0" // Generic Rclone sig
| summarize ConnectionCount=count(), RemoteIPs=make_set(RemoteIP) by DeviceId, InitiatingProcessFileName) on DeviceId
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, ConnectionCount, RemoteIPs
| order by Timestamp desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Rapid Response Audit
.DESCRIPTION
    Checks for Shadow Copy deletion, scheduled task persistence, and recent PowerShell script block logs.
#>

Write-Host "[*] QILIN THREAT CHECK - $(Get-Date)" -ForegroundColor Cyan

# 1. Check for Volume Shadow Copy Deletion Attempts
Write-Host "[+] Checking Event Log 5148 (Shadow Copy Deletion)..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-ShadowCopy/Operational'; ID=25; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($vssEvents) { $vssEvents | Select-Object TimeCreated, Message | Format-Table -AutoSize } else { Write-Host "No VSS deletion events found." -ForegroundColor Green }

# 2. Hunt for Suspicious Scheduled Tasks (Common Qilin Persistence)
Write-Host "[+] Enumerating Scheduled Tasks created/modified in last 7 days..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | ForEach-Object {
    $task = $_
    $action = $task.Actions.Execute
    if ($action -match 'powershell' -or $action -match 'cmd' -or $action -match 'rclone') {
        Write-Host "SUSPICIOUS TASK FOUND: $($task.TaskName)" -ForegroundColor Red
        Write-Host "Action: $action"
    }
}

# 3. Check for Recent Rclone or WinSCP Executions
Write-Host "[+] Checking for recently executed data transfer tools..." -ForegroundColor Yellow
$recentProcesses = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue | 
    Where-Object {$_.Message -match 'rclone' -or $_.Message -match 'winscp' -or $_.Message -match 'filezilla'}

if ($recentProcesses) { $recentProcesses | Select-Object TimeCreated, Message | Format-List } else { Write-Host "No suspicious transfer tools detected." -ForegroundColor Green }

Incident Response Priorities

T-Minus Detection Checklist:

  1. Exchange/Mail Server Logs: Immediately review IIS logs (w3wp.exe) for the last 7 days. Look for POST requests to /EWS/Exchange.asmx or /autodiscover resulting in 500 errors or high CPU usage, indicative of deserialization exploits (CVE-2023-21529).
  2. Cisco FMC Audits: If applicable, review authentication logs on Cisco Secure Firewall Management Centers for anomalies related to CVE-2026-20131.
  3. PowerShell Logs: Hunt for encoded commands (-enc) spawned by web server processes or user-land processes.

Critical Assets (Exfiltration Targets): Based on recent victimology (Business Services, Tech, Real Estate):

  • Customer Relationship Management (CRM) databases.
  • Financial records and tax documents.
  • CAD files and intellectual property (Tech/Manufacturing).
  • Employee PII (HR databases).

Containment Actions:

  1. Isolate Mail Servers: If Exchange or SmarterMail is suspected, disconnect from the network immediately but do not power off to preserve memory.
  2. Reset Service Account Credentials: Assume AD credentials stored in LSASS or email boxes have been compromised.
  3. Block RDP: Disable inbound RDP from the internet and enforce MFA for internal RDP access.

Hardening Recommendations

Immediate (24 Hours):

  • Patch Critical CVEs: Apply updates for Microsoft Exchange (CVE-2023-21529), Cisco FMC (CVE-2026-20131), and SmarterMail (CVE-2025-52691 / CVE-2026-23760) immediately.
  • Disable Unauthenticated Endpoints: If patching is not possible, disable Outlook on the Web (OWA) or EWS for non-internal users temporarily.
  • Audit Mail Rules: Check for malicious Inbox Rules created by attackers to hide their activity.

Short-term (2 Weeks):

  • Implement Geo-Blocking: Restrict VPN and Remote Desktop access to known business countries given the geographic spread of this campaign (US, ES, CA, GB).
  • Network Segmentation: Ensure critical mail and file servers are in a separate VLAN from user workstations to impede lateral movement.
  • MFA Enforcement: Enforce FIDO2 or phishing-resistant MFA for all email and perimeter access points.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwareexchange-rcebusiness-servicesdouble-extortioncisa-kev

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action