Threat Actor Profile — QILIN
Aliases: Agenda (formerly), Qilin.
Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate-driven model, providing an encryption payload (with Go and Rust variants) known for high speed and aggressive targeting of Active Directory trusts.
Ransom Demands: Typically range from $200,000 to multi-million dollars depending on victim revenue, often negotiated via a .onion portal.
Initial Access: Primarily relies on exploiting external-facing services (VPN, Firewall appliances, Email servers). Recent campaigns show a heavy pivot to CVE exploitation (Cisco FMC, Exchange, SmarterMail) rather than pure phishing. They also utilize valid credentials obtained via initial access brokers (IABs).
Double Extortion: Strictly adheres to double extortion. Data is exfiltrated using tools like rclone or Mega.nz prior to encryption execution.
Dwell Time: Short. Qilin affiliates typically move laterally and detonate payloads within 3–7 days of initial access to minimize detection windows.
Current Campaign Analysis
Sectors Targeted: The latest postings (2026-04-21 to 2026-04-23) show a diverse but highly strategic focus:
- Financial Services: Manulife Wealth (CA)
- Public Sector: City of Napoleon, Ohio (US), Roman Catholic Archdiocese of St John (CA)
- Healthcare: STERIMED (FR)
- Manufacturing & Logistics: Industrial Carrocera Arbuciense (ES), Kolin Turkey (TR), Sea Air International Forwarders (CA), Heartland Steel Products (US)
- Business Services: Clearview Intelligence (GB), PTS Office Systems (US)
Geographic Concentration: Primary targets are located in North America (US, CA) and Europe (GB, ES, TR, FR, DE). The group is aggressively targeting Western economies with high-value data privacy regulations (GDPR, HIPAA) to maximize extortion pressure.
Victim Profile: The victims range from mid-sized municipalities (City of Napoleon) to large enterprise financial entities (Manulife). Revenue estimates suggest a target pool of $50M - $5B annual revenue, indicating affiliates are capable of bypassing mature security controls.
Posting Frequency & Escalation: Qilin posted 4 victims on 2026-04-23 and 11 victims on 2026-04-21. This high cadence suggests multiple independent affiliates are actively operational. The speed of posting indicates a "shoot first, negotiate later" approach.
CVE Connection: The inclusion of CVE-2026-20131 (Cisco FMC) and CVE-2023-21529 (Microsoft Exchange) in the CISA KEV list aligns perfectly with the current victim profile. The compromise of financial and public sector entities often stems from unpatched perimeter management appliances or email gateways.
Detection Engineering
SIGMA Rules
title: Potential SmarterMail Web Shell Upload
id: 8a3f4d2b-1c9e-4d5f-8e7a-1b2c3d4e5f6a
description: Detects potential file upload attempts to SmarterMail endpoints indicative of CVE-2025-52691 exploitation.
status: experimental
date: 2026/04/24
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        cs-method|contains: 'POST'
        cs-uri-stem|contains:
            - '/Services/MailService.asmx'
            - '/Handlers/Download.ashx'
        cs-uri-query|contains: '.aspx'
    condition: selection
falsepositives:
    - Legitimate administrative management
level: high
---
title: Cisco FMC Deserialization Anomaly
id: 9b4e5e3c-2d0f-5e6f-9f8b-2c3d4e5f6a7b
description: Detects suspicious deserialization patterns or administrative access anomalies on Cisco FMC associated with CVE-2026-20131.
status: experimental
date: 2026/04/24
author: Security Arsenal
logsource:
    product: cisco
    service: fmc
detection:
    selection:
        event_id|contains: 'auth'
        request|contains: 'api/fmc_config/v1/domain'
        status|contains: 'success'
    filter_legit:
        src_ip|cidr:
            - '10.0.0.0/8'
            - '192.168.0.0/16'
            - '172.16.0.0/12'
    condition: selection and not filter_legit
falsepositives:
    - New administrative access from unlisted corporate subnets
level: critical
---
title: Qilin Ransomware Lateral Movement via PsExec
id: 1c2f3a4b-3e4d-5f6a-7b8c-9d0e1f2a3b4c
description: Detects the use of PsExec for lateral movement, a common TTP for Qilin affiliates to spread encryption payloads.
status: experimental
date: 2026/04/24
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|contains: 'IPC$'
        RelativeTargetName|contains: 'PSEXESVC'
    condition: selection
falsepositives:
    - Legitimate IT administration using PsExec
level: high
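To check the three selections above against sample data before they reach a SIEM, here is a small Python evaluator (an added example, not part of the original report). It implements the Sigma `contains` modifier as a case-insensitive substring match and the `cidr` modifier with the standard `ipaddress` module; the event dictionaries at the bottom are constructed for the demonstration and are not real telemetry.

```python
"""Minimal Sigma-style evaluator for the three rules above (added example)."""
import ipaddress

# RFC 1918 ranges from the Cisco FMC rule's filter_legit block
TRUSTED_CIDRS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]


def contains(value, needles):
    """Sigma '|contains': case-insensitive substring; a list means OR."""
    if value is None:
        return False
    if isinstance(needles, str):
        needles = [needles]
    v = str(value).lower()
    return any(n.lower() in v for n in needles)


def in_cidr(ip, networks):
    """Sigma '|cidr': true when ip falls inside any listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # missing or malformed field never matches
        return False
    return any(addr in net for net in networks)


def rule_smartermail_upload(ev):
    return (contains(ev.get("cs-method"), "POST")
            and contains(ev.get("cs-uri-stem"),
                         ["/Services/MailService.asmx", "/Handlers/Download.ashx"])
            and contains(ev.get("cs-uri-query"), ".aspx"))


def rule_fmc_api_anomaly(ev):
    selection = (contains(ev.get("event_id"), "auth")
                 and contains(ev.get("request"), "api/fmc_config/v1/domain")
                 and contains(ev.get("status"), "success"))
    # condition: selection and not filter_legit
    return selection and not in_cidr(ev.get("src_ip", ""), TRUSTED_CIDRS)


def rule_psexec_lateral(ev):
    return (ev.get("EventID") == 5145
            and contains(ev.get("ShareName"), "IPC$")
            and contains(ev.get("RelativeTargetName"), "PSEXESVC"))


RULES = {
    "Potential SmarterMail Web Shell Upload": rule_smartermail_upload,
    "Cisco FMC Deserialization Anomaly": rule_fmc_api_anomaly,
    "Qilin Ransomware Lateral Movement via PsExec": rule_psexec_lateral,
}


def evaluate(event):
    """Return the titles of every rule whose condition matches the event."""
    return [title for title, fn in RULES.items() if fn(event)]


# Constructed sample events (not captured data)
SAMPLE_EVENTS = [
    {"cs-method": "POST", "cs-uri-stem": "/Services/MailService.asmx",
     "cs-uri-query": "file=shell.aspx"},
    {"cs-method": "GET", "cs-uri-stem": "/Services/MailService.asmx",
     "cs-uri-query": "file=shell.aspx"},                 # GET: no match
    {"event_id": "auth_login", "request": "/api/fmc_config/v1/domain/x",
     "status": "success", "src_ip": "203.0.113.7"},      # TEST-NET-3 address, outside allow-list
    {"event_id": "auth_login", "request": "/api/fmc_config/v1/domain/x",
     "status": "success", "src_ip": "10.20.30.40"},      # internal source: filtered out
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "PSEXESVC"},
    {"EventID": 5145, "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "PSEXESVC.exe"},  # ADMIN$ not IPC$
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev) or "-", ev)
```

Note that the last sample (a write to ADMIN$) is deliberately not matched by the PsExec rule, which only watches the IPC$ named-pipe access; pairing it with a 5145 on ADMIN$ for `PSEXESVC.exe` is a natural second selection if the share audit policy is enabled.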
KQL (Microsoft Sentinel)
// Hunt for Qilin lateral movement and staging indicators
// Looks for WMI/Win32_Process creation and PsExec service installs
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ("wmiprvse.exe", "psexesvc.exe", "psexec.exe")
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wmiapsrv.exe")
| extend CmdLine = coalesce(ProcessCommandLine, "")
| where CmdLine contains "Invoke-CimMethod"
    or CmdLine contains "win32_process"
    or CmdLine contains "-accepteula"
| extend FileHash = SHA256
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName, FileHash
PowerShell Response Script
# Rapid Response: Check for Qilin Indicators (Shadow Copy Deletion & Suspicious Scheduled Tasks)
# Run as Administrator on critical endpoints/servers
Write-Host "[+] Checking for recently modified Scheduled Tasks (Last 7 Days)..." -ForegroundColor Cyan
$cutoff = (Get-Date).AddDays(-7)
# The Date property of a ScheduledTask object is a string, so cast it before comparing
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date -gt $cutoff) } |
    Select-Object TaskName, Date, Author, State | Format-Table -AutoSize

Write-Host "[+] Checking Volume Shadow Copy Status..." -ForegroundColor Cyan
try {
    # Capture stderr as well; vssadmin reports an empty list as "No items found that satisfy the query."
    $vss = (vssadmin list shadows 2>&1) -join "`n"
    if ($vss -match 'No items found|No shadow copies') {
        Write-Host "[!] WARNING: No Shadow Copies exist. Possible pre-encryption deletion." -ForegroundColor Red
    } else {
        Write-Host $vss
    }
} catch {
    Write-Host "[!] Error checking VSS: $_" -ForegroundColor Yellow
}

Write-Host "[+] Checking for common Qilin/Ransomware processes..." -ForegroundColor Cyan
$proc = @("qilin", "locker", "encryptor", "payload", "malware")
# Flag any running process whose name contains one of the keywords
$pattern = $proc -join '|'
Get-Process | Where-Object { $_.ProcessName -match $pattern } |
    Select-Object ProcessName, Id, CPU, StartTime | Format-Table -AutoSize
Incident Response Priorities
T-Minus Detection Checklist:
- Web Shell Hunt: Scan Exchange and SmarterMail servers for recently modified .aspx files in web directories.
- Perimeter Logs: Immediately review Cisco FMC logs for unauthorized API access or deserialization errors (CVE-2026-20131).
- MFA Fatigue: Check identity provider logs for bursts of denied MFA requests targeting VPN or email accounts.
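The web shell hunt item can be scripted. The following Python is an added example (not part of the original report) that walks a web root, keeps only server-side ASP.NET files modified within the last N days, and flags those containing a few content markers typical of web shells. The sample web root, its files and their backdated timestamps are constructed inside the block; the marker list and extension set are assumptions to tune per environment.

```python
"""Hunt for recently modified server-side files under a web root (added example)."""
import os
import re
import tempfile
import time
from pathlib import Path

# Extensions IIS executes server-side; .aspx is the one the checklist names
SERVER_SIDE_EXT = {".aspx", ".ashx", ".asmx", ".asax", ".config"}
# Heuristic content markers (assumption): constructs web shells commonly rely on
SUSPICIOUS_MARKERS = re.compile(
    r"(Request\[|Request\.Form|Process\.Start|Eval\s*\(|JScript\.Eval|"
    r"System\.Diagnostics|cmd\.exe)", re.IGNORECASE)


def hunt_recent_server_files(web_root, days=7, now=None):
    """Return [(relative_path, age_days, marker_hit)] for server-side files
    modified within the last `days` days, newest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for path in Path(web_root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SERVER_SIDE_EXT:
            continue
        mtime = path.stat().st_mtime
        if mtime < cutoff:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            text = ""
        marker = bool(SUSPICIOUS_MARKERS.search(text))
        hits.append((str(path.relative_to(web_root)),
                     round((now - mtime) / 86400, 1), marker))
    hits.sort(key=lambda h: h[1])
    return hits


def build_sample_webroot():
    """Constructed sample tree: a stale legitimate page, a fresh legitimate
    service file, a fresh file with shell-like content and a fresh static asset."""
    root = tempfile.mkdtemp(prefix="webroot_")
    now = time.time()
    files = {
        "Default.aspx": ("<%@ Page %> <h1>Mail</h1>", now - 90 * 86400),
        "Services/MailService.asmx": ("<%@ WebService %>", now - 1 * 86400),
        "Handlers/x.aspx": ('<%@ Page %><% Process.Start(Request["c"]); %>', now - 0.5 * 86400),
        "css/site.css": ("body{}", now - 0.1 * 86400),
    }
    for rel, (content, mtime) in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.utime(p, (mtime, mtime))   # backdate so the age filter has something to cut
    return root


if __name__ == "__main__":
    for rel, age, marker in hunt_recent_server_files(build_sample_webroot()):
        print(f"{'[!]' if marker else '[ ]'} {rel} modified {age} days ago")
```

Modification time is only a first filter: an attacker can reset it, so the marker scan (or a hash comparison against a known-good deployment) is what justifies pulling a file for review. On a real server point `hunt_recent_server_files` at the IIS site root, for example the SmarterMail or Exchange web directories.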
Critical Assets for Exfiltration: Qilin historically prioritizes:
- Active Directory databases (ntds.dit)
- HR/Payroll databases (PII)
- Financial systems (bank account info, transaction logs)
- Executives' My Documents folders and email archives (PSTs)
Containment Actions:
- Isolate: Immediately disconnect Exchange and Cisco FMC appliances from the network if patch status is unknown.
- Disable Accounts: Suspend service accounts associated with the identified CVEs (e.g., Exchange Trusted Subsystem, FMC Admin API accounts).
- Block Outbound: Block egress traffic to known DGA domains and file-sharing sites (Mega, Dropbox) at the firewall.
Hardening Recommendations
Immediate (24 Hours):
- Patch: Apply patches for CVE-2026-20131 (Cisco FMC), CVE-2023-21529 (Exchange), and SmarterMail CVEs immediately. These are active exploitation paths.
- Access Controls: Enforce strict IP allow-listing on management interfaces for Firewalls and Email servers. Block internet access to these management ports.
- Audit: Conduct an immediate audit of all privileged accounts on email and firewall infrastructure.
Short-Term (2 Weeks):
- Network Segmentation: Move management interfaces of critical infrastructure (FMC, Exchange) to a dedicated OOB (Out-of-Band) management VLAN.
- EDR Deployment: Ensure EDR sensors are running on all Exchange servers and perimeter appliances (Linux/Windows) where possible.
- Phishing Resilience: Deploy conditional access policies requiring compliant devices and trusted locations for email admin access.