Back to Intelligence

QILIN Ransomware: Aggressive Campaign Leveraging Exchange & Firewall Flaws — Global Sector Analysis

SA
Security Arsenal Team
April 24, 2026
6 min read

Date: 2026-04-24
Source: Ransomware.live / Dark Web Leak Sites
Analyst: Security Arsenal Intel Unit

Threat Actor Profile — QILIN

  • Aliases: Agenda (historically associated/affiliated), Qilin.
  • Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate program, allowing various access brokers to utilize their custom Go-based encryption payload.
  • Ransom Demands: Highly variable, typically ranging from $500k to multi-million dollar demands depending on victim revenue. They are known for aggressive negotiation tactics.
  • Initial Access Vectors: Historically reliant on phishing and compromised credentials, but recent intelligence indicates a heavy pivot toward exploiting internet-facing vulnerabilities, specifically focusing on email infrastructure (Exchange/SmarterMail) and perimeter security devices.
  • Extortion Strategy: Strict double extortion. Data is exfiltrated prior to encryption. Qilin maintains a dedicated leak site and threatens to release sensitive data if payment is not made. They often threaten to contact the victim's clients and partners to increase pressure.
  • Dwell Time: Average dwell time is approximately 3–7 days. Qilin affiliates move quickly, often staging data and detonating encryption within a week of initial access to minimize defender response windows.

Current Campaign Analysis

Based on the last 100 postings (33 recent victims identified on 2026-04-24), Qilin is executing a broad, opportunistic campaign with a slight preference for high-value manufacturing and business services.

Sector Targeting

  • Primary Targets: Manufacturing (Denso, Flipo Group, Kolin Turkey) and Business Services (Point Four EPoS, Clearview Intelligence).
  • Secondary Targets: Financial Services (Manulife Wealth), Public Sector (City of Napoleon, Ohio), and Energy (Progressive Propane).
  • Critical Infrastructure Impact: Confirmed impact on Energy and Public Sector entities suggests a willingness to target critical operational technology (OT) adjacent networks.

Geographic Concentration

The campaign is globally distributed with a heavy focus on NATO-aligned nations:

  • United States: 5 victims (Priests for Life, Progressive Propane, The FAFS, City of Napoleon, Sea Air).
  • Europe: GB, DE, ES.
  • Asia-Pacific: JP, IN.
  • North America (Non-US): CA, MX.

Victim Profile

  • Size: Mix of mid-market enterprises (e.g., Flipo Group) and major global corporations (e.g., Denso, a massive automotive supplier).
  • Revenue Estimates: Targeting suggests a revenue floor of ~$50M USD up to Fortune 500 levels.

CVE Correlation & Initial Access

The inclusion of specific CISA KEV entries in this timeframe strongly correlates with Qilin's initial access vectors:

  • CVE-2023-21529 (Microsoft Exchange): Deserialization vulnerability. High probability of use against Business Services victims like "Point Four EPoS" and "Clearview Intelligence."
  • CVE-2026-23760 & CVE-2025-52691 (SmarterTools SmarterMail): Auth bypass and file upload. These are likely used for the smaller-to-mid-market Business Services victims who rely on this mail platform.
  • CVE-2026-20131 (Cisco Secure Firewall Management Center): A critical perimeter compromise vector. If utilized, it allows attackers to bypass firewall rules and pivot into the internal network directly.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Exploitation CVE-2023-21529 Exchange Deserialization
id: 7b1a6c8e-9f3d-4a2e-b1c8-9d3e4a2e1b0c
description: Detects potential exploitation of Microsoft Exchange Deserialization vulnerability via suspicious process spawning from w3wp.exe.
status: experimental
date: 2026/04/24
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2023.21529
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\w3wp.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\bash.exe'
    filter_legit:
        User: 'NT AUTHORITY\SYSTEM'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate Exchange administration scripts
level: high
---
title: SmarterMail Suspicious File Upload Pattern
id: a2b3c4d5-e6f7-8a9b-0c1d-2e3f4a5b6c7d
description: Detects suspicious file creation in SmarterMail web roots indicative of webshell upload (CVE-2025-52691).
status: experimental
date: 2026/04/24
author: Security Arsenal
tags:
    - attack.web_shell
    - attack.t1505.003
logsource:
    category: file_create
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\Mail Service\WebPages\'
            - '\MRS\'
        TargetFilename|endswith:
            - '.aspx'
            - '.ashx'
            - '.asp'
    condition: selection
falsepositives:
    - Administrative file maintenance
level: critical
---
title: Qilin Ransomware Pre-Encryption VSS Deletion
id: e1f2a3b4-c5d6-7e8f-9a0b-1c2d3e4f5a6b
description: Detects Volume Shadow Copy deletion attempts often preceding Qilin encryption events.
status: experimental
date: 2026/04/24
author: Security Arsenal
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    condition: selection
falsepositives:
    - System administrator disk maintenance
level: high

KQL (Microsoft Sentinel)

Hunt for lateral movement patterns consistent with Qilin affiliates utilizing Cobalt Strike or custom tools moving from Exchange servers.

KQL — Microsoft Sentinel / Defender
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp >= ago(TimeFrame)
// Look for processes spawned by IIS worker process or SmarterMail service
| where InitiatingProcessFileName in ("w3wp.exe", "MailService.exe") 
| where FileName in ("powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe")
// Filter for network connections often established by beacons
| join kind=leftouter (
    DeviceNetworkEvents 
    | where Timestamp >= ago(TimeFrame)
    | summarize count() by DeviceId, InitiatingProcessId, RemoteUrl, RemoteIP
) on DeviceId, InitiatingProcessId
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, RemoteUrl, RemoteIP
| order by Timestamp desc

Rapid Response Hardening Script

PowerShell script to enumerate suspicious scheduled tasks often used for persistence by ransomware actors.

PowerShell
<#
.SYNOPSIS
    Hunt for suspicious scheduled tasks created in the last 7 days.
    Used to detect Qilin persistence mechanisms.
#>

$DateThreshold = (Get-Date).AddDays(-7)
$SuspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.Date -ge $DateThreshold -and 
    $_.Author -notmatch 'Microsoft|NT AUTHORITY|SYSTEM'
}

if ($SuspiciousTasks) {
    Write-Host "[!] Potential Persistence Detected:" -ForegroundColor Red
    $SuspiciousTasks | Format-List TaskName, Author, Date, Action
} else {
    Write-Host "[+] No suspicious tasks found in last 7 days." -ForegroundColor Green
}


---

Incident Response Priorities

T-Minus Detection Checklist

  1. Exchange Server Forensics: Immediately scan IIS logs for POST requests to /EWS/ or /OAB/ containing serialized data patterns or suspicious user-agents.
  2. External Firewall Logs: Review logs for Cisco Secure Firewall Management Center access anomalies or administrative logins from unusual geolocations (Targeting CVE-2026-20131).
  3. SmarterMail Servers: Audit the Mail Service directory for recent .aspx or .config file modifications.

Critical Assets at Risk

  • Active Directory: Qilin affiliates dump NTDS.dit for credential harvesting.
  • HR & Financial Data: Prioritized for exfiltration to facilitate double extortion.
  • Backups: Qilin actively seeks out and destroys shadow copies and backup repositories.

Containment Actions (Ordered by Urgency)

  1. Isolate Exchange Servers: Disconnect from the network immediately if compromise is suspected.
  2. Reset Service Account Credentials: Specifically accounts used by Exchange, Cisco FMC, and SmarterMail.
  3. Block Outbound C2: Identify and block IPs associated with recent Cobalt Strike beacons.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical CVEs: Apply patches for CVE-2023-21529 (Exchange) and CVE-2026-20131 (Cisco FMC) immediately. If patching is not possible, follow vendor mitigations (e.g., disabling vulnerable services or restricting access via ACLs).
  • Disable External RDP: Ensure RDP is not exposed to the internet and enforce MFA for all remote access.
  • Audit Email Gateways: Temporarily block attachments containing macros and restrict internet access from mail servers.

Short-term (2 Weeks)

  • Network Segmentation: Implement strict Zero Trust controls between the DMZ (where Exchange/Firewalls live) and the internal LAN.
  • Implement MFA for All Admins: Enforce phishing-resistant MFA (FIDO2) for all administrator accounts, specifically cloud and firewall admins.
  • EDR Coverage: Ensure full EDR coverage is active on all internet-facing servers and VIP workstations.

Related Resources

Security Arsenal Incident Response
Managed SOC & MDR Services
AlertMonitor Threat Detection
From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarecve-2023-21529exchange-serversmartermailcisa-kev

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action