Back to Intelligence

QILIN Ransomware: Aggressive Surge in Manufacturing & Healthcare — Critical Vulnerabilities Exploited

SA
Security Arsenal Team
May 17, 2026
7 min read

Date: 2026-05-17
Analyst: Security Arsenal Intel Team
Source: Dark Web Leak Site Monitoring

Executive Summary

The QILIN ransomware gang has posted 31 new victims in the last 100 days, with a significant acceleration in activity over the last 72 hours. Current operations indicate a distinct pivot towards Manufacturing, Healthcare, and Agriculture sectors across the US, UK, and APAC regions. Intelligence confirms the active exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2025-52691 (SmarterTools SmarterMail) as primary initial access vectors. Enterprise defenders in these sectors are urged to patch immediately and hunt for signs of webshell activity.

Threat Actor Profile — QILIN

  • Aliases: Agenda, Titan (formerly).
  • Operating Model: RaaS (Ransomware-as-a-Service). Qilin operates an affiliate program that aggressively recruits penetration testers to breach networks using diverse initial access vectors.
  • Ransom Demands: Typically ranges from $400,000 to multi-million USD, largely dependent on victim revenue.
  • Initial Access Methods: Primarily exploits internet-facing vulnerabilities (recently VPNs and remote management tools like ScreenConnect and Exchange). Phishing with macro-laden documents is also observed but less prevalent in this specific campaign wave.
  • Tactics: Known for a robust double extortion model. They frequently exfiltrate tens of terabytes of data before deploying the encryption payload.
  • Dwell Time: Short. Recent incidents suggest an average dwell time of 3–5 days from initial access to encryption, indicating a "smash and grab" approach by aggressive affiliates.

Current Campaign Analysis

Sector Targeting

Qilin is casting a wide net but hitting specific verticals hard in this wave:

  • Manufacturing (20% of recent victims): High-value targets including Buckeye Paper (US), Monir Precision Monitoring (CA), and Common Part Groupings (US).
  • Healthcare (20% of recent victims): Critical care and life sciences targeted, including Salter HealthCare (GB) and Generation Life (AU).
  • Agriculture & Food Production (20%): Supply chain disruption focus (e.g., Fruits Queralt in Spain, The Taylor Provisions in GB).

Geographic Distribution

Operations are highly trans-global:

  • Americas: US, Canada (CA), Chile (CL), Argentina (AR).
  • EMEA: Great Britain (GB), Spain (ES).
  • APAC: Malaysia (MY), Australia (AU).

TTP & CVE Correlation

The victim surge correlates directly with the addition of specific CVEs to the CISA KEV list in early 2026:

  • CVE-2024-1708 (ConnectWise ScreenConnect): Likely used to access the Manufacturing and Construction victims (Turner Supply, Common Part Groupings) where remote management software is prevalent.
  • CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): Highly probable vector for the Healthcare and Financial Services victims (PNSB Insurance, Salter HealthCare), given the reliance on email gateways in these sectors.

Detection Engineering

Sigma Rules

YAML
---
title: Potential CVE-2024-1708 ConnectWise ScreenConnect Exploitation
id: 8c30a3a6-7b6c-4c3e-9e1f-5d7f1a9b0c2d
description: Detects potential exploitation of ConnectWise ScreenConnect Authentication Bypass and Path Traversal vulnerabilities via suspicious process chains or webshell creation.
status: experimental
date: 2026/05/17
author: Security Arsenal
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - cve.2024.1708
    - detection.emerging_threats
    - ransomware.qilin
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Web Server.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\pwsh.exe'
    filter_legit:
        CommandLine|contains:
            - 'ScreenConnect.ClientInstaller'
            - 'ConnectWiseControl'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative scripts run by ScreenConnect administrators
level: high

---
title: Suspicious SmarterMail Web Shell Activity
id: 9d41b4b7-8c5d-4d0f-0f2g-6e8g2b0c1d3e
description: Detects potential webshell upload or exploitation activity targeting SmarterMail servers, indicative of CVE-2025-52691 or CVE-2026-23760 exploitation.
status: experimental
date: 2026/05/17
author: Security Arsenal
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - cve.2025.52691
    - cve.2026.23760
    - attack.web_shell
    - ransomware.qilin
logsource:
    category: web
    product: iis
detection:
    selection_uri:
        cs-uri-query|contains:
            - 'asp.net\'
            - 'SetupWizard.aspx'
            - '..%2F'
    selection_method:
        cs-method: POST
    selection_ext:
        cs-uri-stem|endswith:
            - '.aspx'
            - '.ashx'
    condition: all of selection_*
falsepositives:
    - Unknown
level: critical

---
title: Ransomware Pre-Encryption Activity - Qilin Patterns
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects patterns often observed prior to Qilin encryption, including Shadow Copy deletion and service stopping via PowerShell or WMIC.
status: experimental
date: 2026/05/17
author: Security Arsenal
tags:
    - attack.impact
    - ransomware.qilin
logsource:
    category: process_creation
    product: windows
detection:
    selection_vss:
        CommandLine|contains:
            - 'vssadmin delete shadows'
            - 'wbadmin delete catalog'
    selection_wmic:
        CommandLine|contains:
            - 'shadowcopy delete'
    selection_stop:
        CommandLine|contains:
            - 'Stop-Service'
            - 'net stop'
    filter_exclude:
        Image|endswith:
            - '\backup_exec.exe'
            - '\veeam.exe'
    condition: 1 of selection_* and not filter_exclude
falsepositives:
    - Legitimate system backup operations
level: high

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin lateral movement and staging
// Looks for PsExec/WMI usage and large file transfers common in their playbook
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe")
| where ProcessCommandLine has any(@("-accepteula", "process call create", "Invoke-Command", "New-Object System.Net.WebClient"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(TimeFrame)
    | where RemotePort in (443, 445, 3389) or ActionType == "ConnectionSuccess"
    | summarize SentBytes=sum(TotalBytesSent), ReceivedBytes=sum(TotalBytesReceived) by DeviceName, Timestamp
    | where SentBytes > 50000000 // > 50MB sent indicates potential exfil
) on DeviceName, Timestamp
| distinct Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, SentBytes
| sort by Timestamp desc

Rapid Response PowerShell Script

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Response Hardening & Hunt Script
.DESCRIPTION
    Checks for recent Shadow Copy deletions, unusual scheduled tasks, 
    and enumerates exposed RDP/ScreenConnect services.
#>

Write-Host "[*] Starting Qilin Response Checks..." -ForegroundColor Cyan

# 1. Check for recent Shadow Copy deletion events (Event ID 4663 with VSS access)
Write-Host "[+] Checking for Shadow Copy Deletion (Last 24h)..." -ForegroundColor Yellow
$VssEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
              Where-Object {$_.Message -match "vssadmin" -or $_.Message -match "Shadow Copy"};
if ($VssEvents) { $VssEvents | Select-Object TimeCreated, Message | Format-Table -AutoSize } 
else { Write-Host "No Shadow Copy deletion events found." -ForegroundColor Green }

# 2. Hunt for recently created Scheduled Tasks (Persistence mechanism)
Write-Host "[+] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Yellow
$RecentTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) };
if ($RecentTasks) { $RecentTasks | Select-Object TaskName, Date, Author, Actions | Format-Table -AutoSize }
else { Write-Host "No recent suspicious tasks found." -ForegroundColor Green }

# 3. Check for ScreenConnect Service Status (CVE-2024-1708)
Write-Host "[+] Checking for ConnectWise ScreenConnect Services..." -ForegroundColor Yellow
$ScreenConnect = Get-Service | Where-Object { $_.DisplayName -like "*ScreenConnect*" -or $_.DisplayName -like "*Control*" };
if ($ScreenConnect) {
    Write-Host "WARNING: ScreenConnect service detected. Verify patch levels immediately for CVE-2024-1708." -ForegroundColor Red
    $ScreenConnect | Select-Object Name, DisplayName, Status, StartType
}

Write-Host "[*] Check complete." -ForegroundColor Cyan


---

Incident Response Priorities

T-Minus Detection Checklist

If you suspect compromise, look for these signs before encryption triggers:

  1. Web Shell Artifacts: Check IIS/Apache logs for requests to SetupWizard.aspx or large POST requests to unusual paths.
  2. Service Disruption: Sudden stopping of backup services (Veeam, SQLBackup) or security agents (CrowdStrike, SentinelOne).
  3. PowerShell Obfuscation: Monitor for EncodedCommand usage spawning from non-standard parent processes.

Critical Assets for Exfil

Qilin affiliates prioritize:

  • Manufacturing: CAD designs, Intellectual Property, MRP/ERP databases.
  • Healthcare: PII/PHI databases, insurance claims, patient imaging archives.
  • Financial: Client lists, transaction logs, sensitive audit reports.

Containment Actions (Ordered by Urgency)

  1. Isolate: Segment critical networks from the corporate LAN immediately.
  2. Disable VPNs: Block all incoming VPN traffic and force a password reset/MFA challenge for all remote users.
  3. Block Public Access: Firewall off internet access for management interfaces (ScreenConnect, RDP, OWA) from untrusted IPs.

Hardening Recommendations

Immediate (24 Hours)

  • Patch CVE-2024-1708: Apply the ConnectWise ScreenConnect patch immediately. If patching is impossible, enforce strict network isolation (VPN + Zero Trust) to the management console.
  • Patch SmarterMail: Update SmarterMail instances to the latest secure build to mitigate CVE-2025-52691 and CVE-2026-23760.
  • MFA Enforcement: Ensure all remote access (VPN, RDP, SSH) is protected by hardware-token or FIDO2-based MFA.

Short-Term (2 Weeks)

  • Network Segmentation: Implement micro-segmentation for manufacturing floor OT systems and clinical environments to prevent lateral movement from the IT network.
  • Web Application Firewall (WAF): Deploy WAF rules to block known CVE-2024-1708 and SmarterMail exploitation paths at the edge.
  • Endpoint Detection: Roll out EDR sensors to all legacy systems previously unsupported, focusing on file integrity monitoring for web roots.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwaremanufacturinghealthcarecve-2024-1708initial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action