Back to Intelligence

QILIN Ransomware: Aggressive Healthcare Campaign Leveraging CVE-2026-48027

SA
Security Arsenal Team
June 2, 2026
6 min read

Aliases: Agenda, Carbon (previously confused) Model: Ransomware-as-a-Service (RaaS) Ransom Demands: Typically $500,000 to $5 million, negotiated based on revenue. Initial Access: Qilin operators frequently utilize valid credentials obtained via phishing, brute-forcing exposed RDP/VPN services, and exploiting vulnerabilities in remote management software (e.g., ScreenConnect). The recent campaign indicates a shift toward exploiting supply chain vulnerabilities in developer tools. Double Extortion: Yes. They exfiltrate sensitive data prior to encryption and pressure victims via leak site postings. Dwell Time: Short. Average dwell time is estimated between 3 to 5 days from initial access to encryption, requiring rapid detection.

Current Campaign Analysis

Sector Targeting

Qilin has significantly intensified operations against the Healthcare sector, which accounts for 33% of the last 15 postings (Nova Medical Products, Clinica Maitenes, Mindpath College Health, Providence Medical Group, Dillon Family Medicine). Manufacturing is the secondary target (20%), followed by Business Services.

Geographic Concentration

There is a heavy concentration on the United States (60% of recent victims). The campaign is global, however, with confirmed impacts in Chile (CL), Australia (AU), Denmark (DK), Laos (LA), and Saudi Arabia (SA).

Victim Profile

The victims range from mid-sized businesses (e.g., LA Woodworks, Carton Craft Supply) to larger entities like school districts (Alamo Heights School District) and medical groups. This suggests Qilin is deploying automated scanning tools to identify vulnerable targets regardless of size, with manual follow-up for high-value targets.

Escalation Patterns

A distinct "spike" occurred on 2026-05-28, where 10 out of the 15 victims were posted simultaneously. This correlates directly with the addition of CVE-2026-48027 (Nx Console) to the CISA KEV list on 2026-05-27. It is highly probable that Qilin exploited a malicious version of this developer tool to establish initial access across multiple environments.

Associated CVEs & Vectors

  • CVE-2026-48027 (Nx Console): Likely primary vector for the May 28th spike. Allows execution of malicious code via the development environment.
  • CVE-2024-1708 (ConnectWise ScreenConnect): Historical favorite for Qilin; used for remote code execution.
  • CVE-2023-21529 (Microsoft Exchange): Used for persistence via deserialization attacks.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential ScreenConnect Authentication Bypass (CVE-2024-1708)
id: 8e8b5c2d-8f4a-4b9c-9a1e-1c2d3e4f5a6b
description: Detects potential exploitation of ConnectWise ScreenConnect path traversal vulnerability leading to authentication bypass.
status: experimental
author: Security Arsenal
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
date: 2026/06/02
tags:
    - cve.2024-1708
    - attack.initial_access
    - detection.emerging-threats
logsource:
    category: web
detection:
    selection:
        c-uri|contains:
            - '/Bin/ScreenConnect.'
            - 'Host='
            - 'SessionID='
    condition: selection
falsepositives:
    - Legitimate administrative access via ScreenConnect
level: critical
---
title: Suspicious Nx Console Execution (CVE-2026-48027)
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects suspicious child processes spawned by Nx Console or unexpected network connections originating from the dev environment.
status: experimental
author: Security Arsenal
date: 2026/06/02
tags:
    - cve.2026-48027
    - attack.execution
logsource:
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\nx-console.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\pwsh.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate developer build scripts
level: high
---
title: PsExec Lateral Movement Indicator
id: 9f8e7d6c-5b4a-3c2d-1e0f-9a8b7c6d5e4f
description: Detects the use of PsExec for lateral movement, a common Qilin TTP.
status: stable
author: Security Arsenal
date: 2026/06/02
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
        CommandLine|contains:
            - '-accepteula'
            - '\\\\'
    condition: selection
falsepositives:
    - Administrative IT tasks
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and staging activity associated with Qilin
// Looks for massive file copies (staging) and VSS shadow copy deletion
let TimeFrame = 1d;
Process
| where Timestamp >= ago(TimeFrame)
| where ProcessVersionFileOriginalName in ("robocopy.exe", "powershell.exe", "vssadmin.exe", "wmic.exe")
| extend CommandLine = tostring(CommandLine)
| where CommandLine contains "copy" 
   or CommandLine contains "shadowcopy" 
   or CommandLine contains "delete"
| project Timestamp, Computer, Account, ProcessName, CommandLine, InitiatingProcessFileName
| order by Timestamp desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Emergency Triage Script
.DESCRIPTION
    Checks for signs of Qilin activity: recent scheduled tasks,
    unusual PowerShell processes, and Volume Shadow Copy manipulation.
#>

Write-Host "[+] Initiating Qilin Triage Check..." -ForegroundColor Cyan

# 1. Check for recently created Scheduled Tasks (Common persistence)
Write-Host "\n[*] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow
$DateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {$_.Date -gt $DateCutoff} | Select-Object TaskName, Date, Author, Action

# 2. Check Volume Shadow Copy Status (Qilin deletes these)
Write-Host "\n[*] Checking Volume Shadow Copy Storage..." -ForegroundColor Yellow
try {
    $vss = vssadmin list shadows /format:list
    if ($vss -match "No shadow copies found") {
        Write-Host "[!] CRITICAL: No Shadow Copies found. Possible deletion event." -ForegroundColor Red
    } else {
        Write-Host "[+] Shadow Copies detected." -ForegroundColor Green
    }
} catch {
    Write-Host "[!] Error checking VSS." -ForegroundColor Red
}

# 3. Hunt for suspicious PowerShell Encoded Commands
Write-Host "\n[*] Hunting for Encoded PowerShell in recent Event Logs..." -ForegroundColor Yellow
$Events = Get-WinEvent -LogName Security -MaxEvents 500 -FilterXPath "*[System[(EventID=4688)]]" -ErrorAction SilentlyContinue
$Suspicious = $Events | Where-Object {$_.Message -match "powershell.exe" -and $_.Message -match "-enc"}
if ($Suspicious) {
    Write-Host "[!] WARNING: Encoded PowerShell execution detected." -ForegroundColor Red
    $Suspicious | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "[+] No obvious encoded commands found in recent security logs." -ForegroundColor Green
}

Write-Host "\n[+] Triage Complete." -ForegroundColor Cyan

Incident Response Priorities

T-Minus Detection Checklist

  • Check for Suspicious Logins: Audit VPN and RDP logs for successful logins from unfamiliar geographies (specifically LA, SA, or DK correlating with victim list) during non-business hours.
  • Software Inventory: Immediately verify the version and signature integrity of Nx Console. If installed, treat the host as compromised.
  • Network Traffic: Hunt for large outbound SMB/Traffic volumes or unusual ICMP tunneling often used for data exfil.

Critical Assets at Risk

  • Healthcare: Patient PHI/EMR databases (PicMonic, Epic, Cerner integrations).
  • Manufacturing: CAD files, Intellectual Property, and ERP systems.
  • Business Services: Financial records and client PII.

Containment Actions (Urgency Order)

  1. Isolate: Disconnect infected hosts from the network immediately; do not shutdown (preserve memory artifacts).
  2. Block: Block all inbound/outbound traffic to known C2 infrastructure and restrict ScreenConnect/Nx Console usage at the firewall.
  3. Reset: Force password resets for all privileged accounts and enforce MFA challenges.

Hardening Recommendations

Immediate (24h)

  • Patch: Prioritize patching CVE-2026-48027 (Nx Console) and CVE-2024-1708 (ScreenConnect) globally.
  • Access Control: Disable internet-facing RDP immediately. Enforce strict allow-listing for VPN access.
  • MFA: Ensure MFA is enabled on all remote access gateways and email systems.

Short-term (2 weeks)

  • Network Segmentation: Isolate critical systems (EMR, SCADA) from general user networks to impede lateral movement.
  • EDR Rollout: Deploy/verify EDR coverage on all endpoints, specifically focusing on detection of PowerShell deserialization attacks.
  • Supply Chain Audit: Review software supply chain security; block execution of unsigned binaries from developer tools paths.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarehealthcarecve-2026-48027initial-accesslateral-movement

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action