Back to Intelligence

QILIN Ransomware: 16 New Victims Posted — Global Surge in Professional Services & Construction Sector Attacks

SA
Security Arsenal Team
May 11, 2026
7 min read

Date: 2026-05-11
Source: Ransomware.live / Dark Web Leak Sites
Analyst: Security Arsenal Intel Unit

Threat Actor Profile — QILIN

  • Aliases: Agenda, Twisted Spider
  • Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate model, recruiting skilled penetration testers to conduct initial access and operations while the core team maintains the encrypted payload and leak site infrastructure.
  • Ransom Demands: Highly variable, typically ranging from $500,000 to $5 million, depending on victim revenue and exfiltrated data volume. They have been known to accept discounts for swift payment.
  • Initial Access Vectors: Qilin affiliates are aggressive in exploiting public-facing vulnerabilities (particularly VPNs and email servers) and utilize phishing campaigns with macro-laced documents. Valid credentials obtained via initial access brokers (IABs) for RDP and VPN are also prevalent.
  • Extortion Strategy: Strict double extortion. Victims' data is published on their TOR site if negotiations fail or deadlines are missed. They frequently threaten to contact clients and partners of the victim to increase pressure.
  • Dwell Time: The average dwell time observed in recent campaigns is 3 to 7 days, indicating a rapid "smash-and-grab" approach once initial access is secured.

Current Campaign Analysis

Sector Targeting

Qilin has demonstrated a distinct pivot toward Professional Services and Construction in this week's postings. Out of the 16 recent victims:

  • Business Services: 25% (International Customer Care Services, Imex International)
  • Consumer Services: 19% (Keller Williams, Pangolin Editions)
  • Construction: 19% (CCD Interiors, DL Cohen Construction, Ruiz Barbarin)
  • Financial Services & Manufacturing: 13% each

Geographic Concentration

The campaign shows a heavy emphasis on the Five Eyes nations and Western allies, likely due to higher ransom payment capabilities:

  • United Kingdom (GB): 33% (5 victims) — Notably high density in Construction and Business Services.
  • United States (US): 31% (5 victims) — Spread across Real Estate, Financial, and Construction.
  • Rest of World: Canada, Mexico, Argentina, Spain, Chile, Germany.

Victim Profile

The victims range from mid-market enterprises ($50M - $500M revenue) to smaller localized entities (e.g., specific Keller Williams franchises). This suggests Qilin affiliates are casting a wide net, potentially exploiting supply chain relationships or common software stacks used by these specific verticals (e.g., construction management software).

Posting Frequency & Escalation

Qilin has escalated operations significantly in May 2026, with a cluster of 9 postings on 2026-05-08 alone, followed by another burst on 2026-05-11. This high velocity indicates multiple active affiliates conducting simultaneous operations.

CVE Connection

The recent victims, particularly in the Technology (CAD-IT UK) and Financial Services (Lindabury, Fogel Capital) sectors, strongly correlate with the active exploitation of the following CISA KEVs:

  • CVE-2023-21529 (Microsoft Exchange): Deserialization vulnerability allowing authenticated RCE. Likely used to pivot from on-prem email servers to domain admin.
  • CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): File upload and auth bypass. A probable initial access vector for the Business Services victims.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Microsoft Exchange Deserialization Exploit (CVE-2023-21529)
id: a1b2c3d4-e5f6-4789-8012-34567890abcd
status: experimental
description: Detects suspicious deserialization activity or PowerShell execution patterns associated with CVE-2023-21529 exploitation on Microsoft Exchange Servers.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/05/11
tags:
    - attack.initial_access
    - attack.execution
    - cve.2023.21529
logsource:
    product: windows
    service: security
    definition: 'Requirements: Microsoft Exchange Server logs forwarded to SIEM'
detection:
    selection:
        EventID: 5140 or 5145
        ShareName|contains: 'Exchange'
    filter_legit:
        SubjectUserName|contains:
            - 'MSExchange'
            - 'SYSTEM'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate admin access
level: high
---
title: SmarterMail SmarterMail Unrestricted File Upload (CVE-2025-52691)
id: b2c3d4e5-f6a7-4890-9123-45678901bcde
status: experimental
description: Detects suspicious file extensions uploaded to SmarterMail web roots, indicative of web shell upload.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/05/11
tags:
    - attack.initial_access
    - attack.webshell
    - cve.2025.52691
logsource:
    product: webserver
    service: iis
detection:
    selection_uri:
        cs-uri-stem|contains:
            - '/Services/MailHelper.asmx'
            - '/MailingList'
    selection_ext:
        cs-uri-query|contains:
            - '.aspx'
            - '.ashx'
            - '.asp'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative interface usage
level: critical
---
title: Qilin Ransomware Pattern - High Volume File Deletion (VSSAdmin)
id: c3d4e5f6-a7b8-4901-0234-56789012cdef
status: experimental
description: Detects the execution of vssadmin.exe to delete shadow copies, a common precursor to Qilin encryption.
references:
    - https://securityarsenal.com
author: Security Arsenal
date: 2026/05/11
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'vssadmin.exe'
    selection_cli:
        CommandLine|contains:
            - 'delete shadows'
            - 'resize shadowstorage'
    condition: all of selection_*
falsepositives:
    - System administration tasks (rare)
level: critical

KQL (Microsoft Sentinel)

Hunt for lateral movement indicators often associated with Qilin affiliates (WMI and SMB).

KQL — Microsoft Sentinel / Defender
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Hunting for WMI used for lateral movement
| where ProcessCommandLine contains "wmic" and (ProcessCommandLine contains "process call create" or ProcessCommandLine contains "node:")
// Hunting for PsExec or similar admin tools
or (FileName in~ ("psexec.exe", "psexec64.exe", "psexesvc.exe"))
// Hunting for SC (Service Control) creating new services for payloads
or (ProcessCommandLine contains "sc.exe" and ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath=")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

PowerShell - Rapid Response Hardening

Run this script on critical servers to identify signs of pre-encryption staging (Shadow Copy manipulation) and recent scheduled tasks (persistence).

PowerShell
# Qilin Staging & Persistence Check
Write-Host "[*] Checking for Shadow Copy Manipulation..." -ForegroundColor Cyan
try {
    $vssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
    if ($vssEvents) {
        Write-Host "[!] Recent VSS Admin Activity Detected:" -ForegroundColor Red
        $vssEvents | Select-Object TimeCreated, Message | Format-List
    } else {
        Write-Host "[+] No suspicious VSS activity in last 24h." -ForegroundColor Green
    }
} catch {
    Write-Host "[-] Error reading VSS logs." -ForegroundColor Yellow
}

Write-Host "`n[*] Enumerating Scheduled Tasks created in last 7 days..." -ForegroundColor Cyan
$schTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($schTasks) {
    Write-Host "[!] Recent Scheduled Tasks Found (Investigate):" -ForegroundColor Red
    $schTasks | Select-Object TaskName, Date, Author, Action | Format-Table
} else {
    Write-Host "[+] No recent scheduled tasks found." -ForegroundColor Green
}

Write-Host "`n[*] Checking for exposed RDP Sessions (Non-System Users)..." -ForegroundColor Cyan
$query = "SELECT * FROM Win32_LogonSession WHERE LogonType = 10"
$rdpSessions = Get-CimInstance -Query $query
if ($rdpSessions) {
    Write-Host "[!] Active RDP Sessions found. Review users manually." -ForegroundColor Yellow
} else {
    Write-Host "[+] No RDP sessions detected via WMI." -ForegroundColor Green
}


---

Incident Response Priorities

T-minus Detection Checklist (Pre-Encryption)

  1. PowerShell Logs: Hunt for Base64 encoded strings or -Enc commands in Security Event ID 4104.
  2. Exchange/IIS Logs: Look for spikes in POST requests to /owa/ or /ecp/ originating from unusual GeoIPs (non-US/UK).
  3. LSASS Access: Monitor for procmon or rundll32 accessing lsass.exe memory (credential dumping).

Critical Assets Targeted for Exfiltration

  • Client Databases: CRM exports and PII (highest priority for Qilin).
  • Financial Records: A/P, A/R, and tax documents.
  • Executive Email: .pst files belonging to CEOs/CFOs.

Containment Actions (Ordered by Urgency)

  1. Isolate Exchange Servers: Disconnect from the network immediately if suspicious IIS worker processes are detected.
  2. Reset Service Accounts: Force password changes for accounts used by SmarterMail and VPNs.
  3. Block SMB: Inbound SMB (TCP 445) from non-management subnets to critical file servers.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical CVEs: Immediately apply patches for CVE-2023-21529 (Exchange) and CVE-2025-52691 (SmarterMail). These are confirmed active vectors.
  • Disable External RDP: Ensure RDP is not accessible from the internet via VPN concentrators or Direct Access. Enforce MFA for all remote access.
  • Audit Email Rules: Check for malicious Inbox Rules in Outlook/Exchange designed to hide breach notifications.

Short-term (2 Weeks)

  • Network Segmentation: Move Email and Web servers to a DMZ with strict egress rules. Prevent lateral movement from the DMZ to the internal domain controller.
  • EDR Deployment: Ensure EDR agents are running on all Exchange and SmarterMail servers with behavior-based protection for "Untrusted Deserialization".

Related Resources

Security Arsenal Incident Response
Managed SOC & MDR Services
AlertMonitor Threat Detection
From The Dark Side Intel Hub

darkwebransomware-gangqilinransomware-as-a-serviceprofessional-servicescve-2023-21529double-extortion

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action