Aliases: Agenda, Qilin.B
Model: Ransomware-as-a-Service (RaaS)
Ransom Demands: Variable, typically ranging from $500k to several million, dependent on victim revenue.
TTPs Summary: Qilin (formerly Agenda) operates a highly aggressive RaaS model known for rapid encryption and tailored extortion. They utilize a Rust-based cryptor capable of targeting both Windows and Linux/ESXi environments. Initial access is frequently gained via exposed VPN credentials, valid accounts obtained via phishing, or exploitation of public-facing applications. They employ a double-extortion strategy, exfiltrating sensitive data prior to encryption using tools like Rclone or Mega.io. Average dwell time has shortened significantly in this campaign, averaging 3–4 days from initial access to detonation.
# Current Campaign Analysis
Campaign Timeline: 2026-05-27 to 2026-05-31
Activity Level: Critical (15 victims posted in a 48-hour window)
Targeted Sectors:
- Healthcare (26%): Mindpath College Health, Providence Medical Group, Dillon Family Medicine.
- Manufacturing (20%): Sinomax USA, Carton Craft Supply, LA Woodworks.
- Business Services (20%): Gallun Snow Associates, Kennedy McLaughlin & Associates, Mainstreet Organization of REALTORS.
- Other: Education, Technology, Agriculture, Consumer Services.
Geographic Concentration:
- United States (66%): The primary target for this wave. 10 out of 15 listed victims are US-based.
- Global Spread: Australia, Denmark, Hungary, Saudi Arabia, and Great Britain.
Victim Profile: Analysis of the victims indicates a focus on mid-market organizations. Targets range from school districts and family medicine clinics (small-to-mid business) to large manufacturing entities like Sinomax USA. This suggests Qilin affiliates are automating vulnerability scans to find unpatched services regardless of org size, or specifically targeting sectors with high operational downtime tolerance.
Observed Posting Frequency: The group posted a high volume of victims on 2026-05-28 (11 victims) and 2026-05-27 (4 victims), indicating a mass-exploitation event rather than selective, manual operations.
CVE Connection: The surge correlates directly with the addition of CVE-2026-48027 (Nx Console) to the CISA KEV catalog on 2026-05-27. The proximity of this CVE entry to the posting dates suggests Qilin affiliates are actively exploiting this new "embedded malicious code" vulnerability. Additionally, CVE-2024-1708 (ConnectWise ScreenConnect) remains a persistent vector, likely used for initial access in Technology and Business Services sectors relying on remote management tools.
# Detection Engineering
## Sigma Rules
```yaml
---
title: Potential ScreenConnect Authentication Bypass (CVE-2024-1708)
id: a0b1c2d3-e4f5-6789-0123-456789abcdef
status: experimental
description: Detects suspicious authentication attempts and path traversal indicators associated with ConnectWise ScreenConnect vulnerabilities exploited by Qilin.
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/31
tags:
  - cve.2024.1708
  - attack.initial_access
  - detection.emerging-threats
logsource:
  category: web
detection:
  selection:
    c-uri|contains:
      - '/Bin/ScreenConnect.ashx'
      - '/Host.ashx'
  filter:
    cs-method|contains:
      - 'POST'
    sc-status:
      - 200
      - 500
  condition: selection and filter
falsepositives:
  - Legitimate administrative access
level: high
---
title: Rclone Data Exfiltration Tool Execution
id: b1c2d3e4-f5a6-7890-1234-567890abcdef
status: experimental
description: Detects execution of rclone, a tool frequently used by Qilin affiliates for data exfiltration to cloud storage prior to encryption.
author: Security Arsenal Research
date: 2026/05/31
tags:
  - attack.exfiltration
  - qilin
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '\rclone.exe'
      - '/rclone'
    CommandLine|contains:
      - 'copy'
      - 'sync'
      - 'mega'
      - 'pcloud'
  condition: selection
falsepositives:
  - Legitimate backup tasks using rclone
level: high
---
title: VSSAdmin Shadow Copy Deletion
id: c2d3e4f5-a6b7-8901-2345-678901abcdef
status: experimental
description: Detects commands used to delete Volume Shadow Copies, a common step for Qilin to prevent recovery.
author: Security Arsenal Research
date: 2026/05/31
tags:
  - attack.impact
  - qilin
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '\vssadmin.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'resize shadowstorage'
  condition: selection
falsepositives:
  - System administration tasks (rare)
level: critical
```
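To check what the three rules above actually fire on before deploying them, here is an added Python evaluator (not part of the report or of any Sigma toolchain) that transcribes each rule's detection section and applies it to constructed process-creation and web-log events. It implements only the pieces the rules use: the `contains` and `endswith` modifiers (case-insensitive, as in Sigma), plain list equality, AND between fields of one search identifier, and the two condition shapes `selection` and `selection and filter`. The rule names and sample events are this example's own.

```python
"""Minimal Sigma-style matcher for the three rules in the report (added example)."""

# Detection sections transcribed from the Sigma rules above.
# Keys are "field|modifier"; a list of values is OR-ed, sibling keys are AND-ed.
RULES = {
    "screenconnect_suspicious_request": {
        "selection": {"c-uri|contains": ["/Bin/ScreenConnect.ashx", "/Host.ashx"]},
        "filter": {"cs-method|contains": ["POST"], "sc-status": [200, 500]},
        "condition": "selection and filter",
    },
    "rclone_exfil": {
        "selection": {
            "Image|endswith": ["\\rclone.exe", "/rclone"],
            "CommandLine|contains": ["copy", "sync", "mega", "pcloud"],
        },
        "condition": "selection",
    },
    "vss_shadow_deletion": {
        "selection": {
            "Image|endswith": ["\\vssadmin.exe"],
            "CommandLine|contains": ["delete shadows", "resize shadowstorage"],
        },
        "condition": "selection",
    },
}


def _field_matches(event, key, values):
    """Evaluate one 'field|modifier: [values]' entry against an event dict."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False                      # missing field never matches
    if modifier == "":
        return actual in values           # plain equality, e.g. sc-status
    actual_l = str(actual).lower()        # Sigma string matching is case-insensitive
    if modifier == "contains":
        return any(str(v).lower() in actual_l for v in values)
    if modifier == "endswith":
        return any(actual_l.endswith(str(v).lower()) for v in values)
    raise ValueError(f"unsupported modifier: {modifier}")


def _block_matches(event, block):
    return all(_field_matches(event, k, v) for k, v in block.items())


def evaluate(event, rule):
    """Supports conditions of the form 'x' and 'x and y', which is all these rules need."""
    names = [n.strip() for n in rule["condition"].split(" and ")]
    return all(_block_matches(event, rule[n]) for n in names)


def matching_rules(event):
    """Names of the rules that fire on a single event, sorted for stable output."""
    return sorted(name for name, rule in RULES.items() if evaluate(event, rule))


# Constructed sample events (not real telemetry): web-log fields use the IIS names
# the first rule expects, process events use Sigma's Image/CommandLine names.
SAMPLE_EVENTS = [
    {"c-uri": "/Bin/ScreenConnect.ashx", "cs-method": "POST", "sc-status": 200},
    {"c-uri": "/Bin/ScreenConnect.ashx", "cs-method": "GET", "sc-status": 200},   # filter fails
    {"Image": "C:\\Tools\\rclone.exe",
     "CommandLine": "rclone.exe copy C:\\Finance mega:backup -P"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},                               # benign
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matching_rules(ev) or "-", ev)
```

Running it shows that the second ScreenConnect request (a GET) is dropped by the rule's `filter` block, and that `vssadmin list shadows` is not flagged, which is the false-positive boundary the third rule's `falsepositives` note refers to.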
## KQL (Microsoft Sentinel)
```kql
// Hunt for lateral movement and staging activity common in Qilin operations.
// Looks for repeated copy operations to UNC paths (staging to a share) and for
// PowerShell/cmd mapping network drives with New-PSDrive.
// "\\\\" is the KQL string literal for "\\", i.e. the start of a UNC path;
// contains does not support wildcards, so a trailing "*" would be matched literally.
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where (ProcessCommandLine contains "copy" and ProcessCommandLine contains "\\\\")
    or (FileName in~ ("powershell.exe", "cmd.exe") and ProcessCommandLine contains "New-PSDrive")
| summarize count_ = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, AccountName, ProcessCommandLine
| where count_ > 5
```
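The Sentinel query above is a filter followed by a group-and-threshold. The following Python re-implementation is an added example (not the report's tooling and not something Sentinel runs) that mirrors that pipeline over constructed `DeviceProcessEvents`-style rows, so the predicate and the `count_ > 5` threshold can be checked offline against cases that should and should not surface: a command repeated six times in half an hour, a one-off admin copy, and old activity outside the seven-day window. Hostnames, accounts and paths are invented.

```python
"""Offline mirror of the Sentinel staging/lateral-movement hunt (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def is_staging_candidate(file_name: str, cmdline: str) -> bool:
    """Row-level predicate from the KQL: copy to a UNC path, or New-PSDrive from a shell."""
    cmd = cmdline.lower()
    if "copy" in cmd and "\\\\" in cmd:          # "\\\\" in Python source is a literal \\
        return True
    return file_name.lower() in ("powershell.exe", "cmd.exe") and "new-psdrive" in cmd


def hunt(rows, now, window=timedelta(days=7), min_count=5):
    """where Timestamp >= ago(7d) | where <predicate>
    | summarize count_, FirstSeen, LastSeen by DeviceName, AccountName, ProcessCommandLine
    | where count_ > min_count"""
    cutoff = now - window
    groups = defaultdict(list)
    for r in rows:
        if r["Timestamp"] < cutoff:
            continue
        if not is_staging_candidate(r["FileName"], r["ProcessCommandLine"]):
            continue
        key = (r["DeviceName"], r["AccountName"], r["ProcessCommandLine"])
        groups[key].append(r["Timestamp"])
    results = []
    for (device, account, cmd), stamps in groups.items():
        if len(stamps) > min_count:
            results.append({
                "DeviceName": device, "AccountName": account, "ProcessCommandLine": cmd,
                "count_": len(stamps), "FirstSeen": min(stamps), "LastSeen": max(stamps),
            })
    return sorted(results, key=lambda x: x["count_"], reverse=True)


NOW = datetime(2026, 5, 31, 12, 0, 0)   # constructed "query time"


def _row(minutes_ago, device, account, file_name, cmd):
    return {"Timestamp": NOW - timedelta(minutes=minutes_ago), "DeviceName": device,
            "AccountName": account, "FileName": file_name, "ProcessCommandLine": cmd}


# Constructed sample telemetry (not from a real incident).
SAMPLE_ROWS = (
    # Same copy-to-share command repeated 6 times in 30 minutes -> should surface
    [_row(30 - 5 * i, "WS-FIN-07", "CORP\\svc_backup", "cmd.exe",
          "cmd.exe /c copy C:\\Finance\\Q2\\*.xlsx \\\\10.0.9.4\\stage\\") for i in range(6)]
    # One-off admin copy from a share -> below the threshold
    + [_row(120, "WS-IT-01", "CORP\\itadmin", "cmd.exe",
            "cmd.exe /c copy \\\\fs01\\it\\tools.zip C:\\Temp\\")]
    # Drive mapping 9 days ago -> excluded by the 7-day window even though repeated
    + [_row(60 * 24 * 9, "WS-FIN-07", "CORP\\svc_backup", "powershell.exe",
            "powershell -c New-PSDrive -Name Z -PSProvider FileSystem -Root \\\\fs01\\share")
       for _ in range(8)]
)

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS, NOW):
        print(hit["count_"], hit["DeviceName"], hit["AccountName"], hit["ProcessCommandLine"])
```

Grouping on the full command line, as the KQL does, is what makes a scripted staging loop stand out: a human copying files by hand rarely issues the identical command six times, while a loop does.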
## PowerShell Response Script
```powershell
<#
.SYNOPSIS
Qilin Ransomware Triage Script
.DESCRIPTION
Checks for signs of Qilin activity: Scheduled task persistence, VSS shadow deletion, and Rclone usage.
Run from an elevated session. The 4688 check only finds command lines if the
"Include command line in process creation events" audit policy is enabled.
#>
Write-Host "[+] Checking for recent suspicious Scheduled Tasks (Last 24h)..." -ForegroundColor Cyan
# MSFT_ScheduledTask.Date is a string (and empty for many tasks), so guard and cast before comparing
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddHours(-24) } |
    Select-Object TaskName, TaskPath, Date

Write-Host "[+] Checking Security Event Log for VSSAdmin deletion attempts (Event ID 4688)..." -ForegroundColor Cyan
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($Events) {
    $Events |
        Where-Object { $_.Message -match 'vssadmin\.exe' -and $_.Message -match 'delete shadows' } |
        Select-Object TimeCreated, Message
} else {
    Write-Host "No VSSAdmin events found or log access denied." -ForegroundColor Yellow
}

Write-Host "[+] Scanning for Rclone processes..." -ForegroundColor Cyan
$Rclone = Get-Process -Name "rclone" -ErrorAction SilentlyContinue
if ($Rclone) {
    # Get-Process can return several objects; join the PIDs instead of printing an array
    Write-Host "ALERT: Rclone process detected! PID: $($Rclone.Id -join ', ')" -ForegroundColor Red
} else {
    Write-Host "No Rclone processes detected." -ForegroundColor Green
}
```
---
# Incident Response Priorities
1. **T-Minus Detection Checklist:**
   * Check VPN and remote access logs (specifically ScreenConnect) for successful logins from unfamiliar GeoIPs or impossible travel intervals.
   * Hunt for `vssadmin.exe` execution or `wbadmin.exe` usage to delete system state backups.
   * Look for massive file write operations (GBs of data) to folders like `C:\Windows\Temp` or `AppData\Local\Temp` (data staging).
2. **Critical Assets (Prioritize for Exfil Review):**
   * **Healthcare:** Patient PHI (EMR databases), billing records.
   * **Manufacturing:** CAD designs, intellectual property, supply chain manifests.
   * **Business Services:** Client financial data, HR records, tax documents.
3. **Containment Actions (Ordered by Urgency):**
   * **Immediate:** Isolate systems showing signs of Rclone or ScreenConnect exploitation. Disconnect VPN concentrators if infection is suspected.
   * **High:** Force-reset passwords for all service accounts used by remote management software (ScreenConnect, NinjaOne, etc.).
   * **Medium:** Suspend domain admin accounts and review Kerberos ticket granting events (Golden Ticket checks).
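The first checklist item asks for "unfamiliar GeoIPs or impossible travel intervals" in VPN and ScreenConnect login logs. As an added example (not the report's own tooling), the Python below runs both checks over constructed, already geo-resolved login records: a login from a country outside the user's baseline, and two consecutive successful logins whose implied speed exceeds what travel allows. The 900 km/h ceiling, the 100 km floor that suppresses GeoIP jitter inside one city, the user names and the documentation-range IPs are all this example's assumptions; the coordinates are approximate city centres.

```python
"""Unfamiliar-geo and impossible-travel checks over login records (added example)."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner ground speed
MIN_DISTANCE_KM = 100.0     # assumption: ignore GeoIP jitter inside one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def analyse_logins(logins, known_countries, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return findings for (a) successful logins from a country outside the user's
    baseline and (b) consecutive successful logins whose implied speed is impossible."""
    findings = []
    by_user = defaultdict(list)
    for login in sorted(logins, key=lambda l: l["ts"]):
        if login["success"]:                 # failed attempts do not establish presence
            by_user[login["user"]].append(login)
    for user, events in by_user.items():
        baseline = known_countries.get(user, set())
        for ev in events:
            if ev["country"] not in baseline:
                findings.append({"type": "unfamiliar_geo", "user": user,
                                 "ip": ev["ip"], "country": ev["country"], "ts": ev["ts"]})
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            if km >= MIN_DISTANCE_KM and (hours == 0 or km / hours > max_kmh):
                findings.append({"type": "impossible_travel", "user": user,
                                 "from_ip": prev["ip"], "to_ip": cur["ip"],
                                 "km": round(km), "hours": round(hours, 2)})
    return findings


def _login(user, ts, ip, country, lat, lon, success=True):
    return {"user": user, "ts": datetime.fromisoformat(ts), "ip": ip,
            "country": country, "lat": lat, "lon": lon, "success": success}


# Constructed sample records (documentation-range IPs, approximate city-centre coordinates).
SAMPLE_LOGINS = [
    _login("jdoe",   "2026-05-28T08:00:00", "203.0.113.10", "US", 32.78, -96.80),   # Dallas
    _login("jdoe",   "2026-05-28T08:45:00", "198.51.100.7", "DE", 50.11, 8.68),     # Frankfurt, 45 min later
    _login("jdoe",   "2026-05-28T09:00:00", "192.0.2.44",   "AU", -33.87, 151.21,
           success=False),                                                          # failed: ignored
    _login("asmith", "2026-05-28T07:00:00", "203.0.113.55", "US", 41.88, -87.63),   # Chicago
    _login("asmith", "2026-05-28T10:00:00", "203.0.113.56", "US", 32.78, -96.80),   # Dallas, 3 h later
]
KNOWN_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US"}}   # per-user baseline from prior 90 days (assumed)

if __name__ == "__main__":
    for finding in analyse_logins(SAMPLE_LOGINS, KNOWN_COUNTRIES):
        print(finding)
```

On the sample data only `jdoe` is flagged, once for the unfamiliar country and once for covering roughly 8,200 km in 45 minutes; `asmith`'s Chicago-to-Dallas gap works out to about 430 km/h and passes. Feed it the export of the VPN or ScreenConnect audit log once GeoIP fields are attached, and keep the baseline per user rather than per organisation, since a single global allow-list hides exactly the one-user anomaly the checklist is after.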
---
# Hardening Recommendations
**Immediate (24 Hours):**
* **Patch CVE-2024-1708:** Apply the ConnectWise ScreenConnect patch immediately or block external access to the web interface at the perimeter firewall.
* **Patch CVE-2026-48027:** Update Nx Console to the latest patched version. Verify software integrity as this CVE involves embedded malicious code.
* **Disable RDP:** Ensure RDP is blocked from the internet and that internal RDP access requires MFA.
**Short-term (2 Weeks):**
* **Network Segmentation:** Separate IT and OT networks (specifically for Manufacturing victims) to prevent lateral movement from the corporate domain to production lines.
* **Implement CASB:** Monitor cloud storage uploads to detect unauthorized exfiltration to services like MEGA or pCloud.
---