
QILIN Ransomware: 26 New Victims — Critical Infrastructure Surge & Web-Exploitation Campaign

Security Arsenal Team
April 24, 2026

  • Aliases: Agenda (historical)
  • Affiliation: RaaS (Ransomware-as-a-Service)

Qilin operates a sophisticated RaaS model, recruiting affiliates with strong penetration testing skills. Recent campaigns indicate a shift toward targeting high-value verticals like Financial Services and Critical Manufacturing. The group is notorious for double extortion, encrypting systems while exfiltrating sensitive data to their leak site.

  • Ransom Demands: Variable, ranging from $500k to multi-million dollars depending on victim revenue.
  • Initial Access: Heavy reliance on internet-facing vulnerabilities. Recent intelligence confirms exploitation of Microsoft Exchange and Cisco Secure Firewall vulnerabilities. Phishing remains a secondary vector.
  • Dwell Time: Typically 3–7 days. Qilin affiliates move laterally and aggressively once they establish a foothold on an Exchange server or domain controller.

Current Campaign Analysis

Sectors Targeted: The latest victim dump (26 postings) reveals a broad but calculated targeting profile:

  • Manufacturing (30%): Heavy focus on steel, automotive, and industrial components (e.g., Heartland Steel, Kolin Turkey).
  • Business Services & Finance (25%): Targeting B2B data holders and wealth management (e.g., Manulife Wealth, Clearview Intelligence).
  • Public Sector & Healthcare (20%): Significant impact on municipal governments and medical providers (e.g., City of Napoleon, STERIMED).

Geographic Concentration: Primary targets are North America (US, CA) and Europe (GB, ES, TR, FR). The targeting of Roman Catholic Archdiocese of St John (CA) and City of Napoleon (US) suggests a deliberate focus on regional government entities with potentially older IT infrastructure.

CVE Correlation & Initial Access Vectors: The recent spike in victims correlates directly with the exploitation of CISA Known Exploited Vulnerabilities (KEVs):

  • CVE-2023-21529 (Exchange): Used for initial access and credential harvesting.
  • CVE-2026-20131 (Cisco FMC): Exploited to bypass perimeter defenses, disable logging, or pivot into the internal network.
  • CVE-2025-52691 / CVE-2026-23760 (SmarterMail): Indicates a specific focus on compromising email communication channels for data exfiltration.

Detection Engineering

SIGMA Rules

---
title: Potential Qilin Web Shell Activity via Exchange IIS
id: 4a8f3c1d-9b6e-4a1f-8c2d-3e4f5a6b7c8d
description: Detects suspicious processes spawned by w3wp.exe (IIS) often associated with web shell activity related to CVE-2023-21529 exploitation observed in Qilin campaigns.
status: experimental
date: 2026-04-24
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\w3wp.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate administrative management via IIS
level: high
---
title: Suspicious Lateral Movement via PsExec
id: 5b9a4d2e-0c7f-4b2a-9d3e-4f5a6a7b8c9d  # placeholder: the original id was not a valid UUID; regenerate before deployment
description: Detects the use of PsExec for lateral movement, a common TTP for Qilin affiliates to spread ransomware after initial network access.
status: experimental
date: 2026-04-24
author: Security Arsenal Research
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
        CommandLine|contains:
            - '\\'
            - '-accepteula'
    condition: selection
falsepositives:
    - System administration tasks
level: high
---
title: Volume Shadow Copy Deletion via VssAdmin
id: 6c0a5f3f-1d8b-4c3a-8e4f-5a6b7a8b9c0e  # placeholder: the original id was not a valid UUID; regenerate before deployment
description: Detects commands attempting to delete Volume Shadow Copies, a precursor to encryption frequently used by Qilin to prevent recovery.
status: experimental
date: 2026-04-24
author: Security Arsenal Research
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    condition: selection
falsepositives:
    - Rare system maintenance
level: critical

KQL (Microsoft Sentinel / Defender Advanced Hunting)

// Hunt for mass file encryption or staging patterns associated with Qilin
// Looks for rapid modification of files with specific extensions and high volume of writes
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated" or ActionType == "FileModified"
| where FileName endswith ".qilin" or FileName endswith ".encrypted"
| summarize count() by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 5m)
| where count_ > 50 // Threshold for mass encryption activity
| sort by count_ desc

Rapid Response Hardening Script

# Qilin Response Script: Check for Web Shells and Suspicious Scheduled Tasks
# Run as Administrator on Exchange and Edge Servers

Write-Host "[+] Checking for recently modified ASPX/ASP files (Potential Web Shells)..."
# Default IIS web root plus the Exchange front-end directories that host OWA/ECP content
# (adjust the Exchange path if the product is installed elsewhere)
$Paths = @(
    "C:\inetpub\wwwroot",
    "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
    "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess"
) | Where-Object { Test-Path $_ }
$Date = (Get-Date).AddDays(-2)
Get-ChildItem -Path $Paths -Recurse -Include *.aspx,*.asp,*.ashx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Date } |
    Select-Object FullName, LastWriteTime

Write-Host "[+] Checking for Scheduled Tasks created in the last 24 hours (Persistence)..."
# The Date property of a scheduled task is a string (often empty), so cast it before comparing
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddHours(-24) } |
    Select-Object TaskName, TaskPath, Author, Date

Write-Host "[+] Checking for unusual RDP sessions..."
query user

Incident Response Priorities

  1. T-Minus Detection Checklist:
    • Check IIS logs on Exchange servers for POST requests to anomalous URLs containing encoded payloads (related to CVE-2023-21529).
    • Monitor for massive file renames (extension changes to .qilin or similar) on file shares.
    • Investigate sudden spikes in CPU usage on domain controllers (possible credential dumping).
  2. Critical Assets at Risk:
    • Microsoft Exchange Servers: Primary entry point.
    • File Servers: High value for exfiltration and encryption.
    • HR & Finance Databases: Targeted for leverage in extortion.
  3. Containment Actions:
    • Immediate: Isolate Exchange servers from the network if compromise is suspected. Disable the IIS service temporarily if exploitation is confirmed.
    • Urgent: Revoke all VPN credentials and force password resets for privileged accounts (Domain Admins).
    • Secondary: Block outbound SMB (TCP 445) and RDP (TCP 3389) traffic at the firewall.
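A log-triage sketch for the first checklist item, added here as an example and not part of the original post or of Security Arsenal's tooling: it parses IIS W3C logs and flags POST requests to .aspx/.asp/.ashx paths that fall outside an assumed allowlist or that carry a long base64-like run in the query string. The log lines, the allowlist and the 32-character threshold are constructed assumptions to tune per environment.

```python
import re

# Constructed sample IIS W3C log (not from the page; hosts, paths and payload are made up).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2026-04-24 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail%2fowa 443 198.51.100.7 200
2026-04-24 09:12:40 10.0.0.5 POST /owa/auth.owa - 443 198.51.100.7 302
2026-04-24 09:13:02 10.0.0.5 POST /aspnet_client/temp.aspx cmd=VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZSBwYXlsb2Fk 443 198.51.100.7 200
2026-04-24 09:13:05 10.0.0.5 POST /ecp/default.aspx - 443 10.0.0.9 200
"""

# Assumed allowlist of script paths that legitimately receive POSTs on this front end; tune per environment.
EXPECTED_POST_PATHS = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx")
# A run of 32+ base64-alphabet characters in the query string is treated as an encoded payload (assumed threshold).
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_suspicious_posts(text):
    """Return POSTs to server-side scripts that are outside the allowlist or carry an encoded payload."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") != "POST" or not stem.endswith(SCRIPT_EXTENSIONS):
            continue
        reasons = []
        if stem not in EXPECTED_POST_PATHS:
            reasons.append("unexpected path")
        if ENCODED_RUN.search(rec.get("cs-uri-query", "")):
            reasons.append("encoded payload")
        if reasons:
            hits.append({"time": f"{rec['date']} {rec['time']}", "client": rec.get("c-ip"),
                         "stem": stem, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_LOG):
        print(hit)
```

Point it at real logs by reading the files under the IIS logging directory and feeding their contents to find_suspicious_posts; a hit is a lead for the web-shell check in the PowerShell script above, not a confirmation on its own.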

Hardening Recommendations

Immediate (24 Hours):

  • Patch Critical CVEs: Apply updates for Microsoft Exchange (CVE-2023-21529) and Cisco FMC (CVE-2026-20131) immediately. If patching is delayed, implement WAF rules or disable vulnerable components.
  • Disable Unused Services: Turn off management services that are not needed, and restrict PowerShell remoting and WMI to known management stations only.
  • MFA Enforcement: Enforce phishing-resistant MFA for all remote access (VPN) and webmail interfaces.

Short-Term (2 Weeks):

  • Network Segmentation: Move Exchange and Web servers to a strictly isolated DMZ zone. Ensure the internal network cannot initiate connections to the DMZ without explicit approval.
  • EDR Deployment: Ensure Endpoint Detection and Response (EDR) is active on all servers, not just workstations, to catch memory-resident web shells.
  • Backup Verification: Validate that offline backups are immutable and cannot be accessed via standard network protocols (SMB/NFS).
