Aliases: Agenda, Qilin (formerly Agendac)
Model: Ransomware-as-a-Service (RaaS)
Ransomware Type: Rust-based payload (cross-platform capabilities)
TTPs Overview: Qilin operates a highly aggressive RaaS model. They are known for sophisticated double-extortion tactics, exfiltrating sensitive data prior to encryption to leverage pressure on victims. Recent intelligence suggests a shift towards exploiting external-facing remote management infrastructure and email servers rather than relying solely on phishing.
- Ransom Demands: Highly variable, ranging from $500k to multi-million dollars depending on victim revenue and exfiltrated data volume.
- Initial Access: Heavily favors exploitation of vulnerabilities in remote management tools (ConnectWise ScreenConnect) and email gateways (Exchange, SmarterMail), alongside brute-forcing exposed RDP/VPN endpoints.
- Dwell Time: Currently averaging 3–5 days from initial compromise to detonation, indicating an acceleration in their attack lifecycle.
Current Campaign Analysis
Sectors Under Siege: Based on the 14 recent postings (2026-05-27 to 2026-05-28), Qilin is explicitly targeting critical infrastructure and high-value data holders:
- Healthcare (21%): Mindpath College Health, Providence Medical Group, Dillon Family Medicine.
- Manufacturing (21%): Sinomax USA, Carton Craft Supply, LA Woodworks.
- Business Services: Gallun Snow Associates, Kennedy, McLaughlin & Associates.
- Vertical Spread: The group has successfully breached Education (Alamo Heights School District), Technology (HumanEdge), and Agriculture (Osool Poultry).
Geographic Concentration: The campaign is heavily US-centric (64% of recent victims), with specific targeting in Australia (AU), Denmark (DK), Saudi Arabia (SA), and Hungary (HU). This suggests a focus on English-speaking regions with secondary economic targets in Europe and the Middle East.
CVE Correlation & Initial Access Vectors: The recent victim surge correlates strongly with the exploitation of CISA Known Exploited Vulnerabilities (KEVs). We assess with high confidence that the following CVEs are the primary entry points for this specific wave:
- CVE-2024-1708 (ConnectWise ScreenConnect): Allows remote code execution. Highly likely used for access in Business Services and Technology sectors.
- CVE-2023-21529 (Microsoft Exchange): Deserialization vulnerability. Probable vector for Healthcare and Education victims.
- CVE-2025-52691 (SmarterTools SmarterMail): Unrestricted file upload. Likely used for lateral movement into email servers.
- CVE-2026-48027 (Nx Console): A new addition to KEV (2026-05-27), suggesting active scanning for this vulnerability in Technology environments.
Detection Engineering
Sigma Rules
---
title: Potential Qilin Access via ConnectWise ScreenConnect Exploit
description: Detects suspicious authentication patterns or web shell creation indicative of CVE-2024-1708 exploitation on ConnectWise ScreenConnect servers.
status: experimental
date: 2026/06/01
author: Security Arsenal Research
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
  category: web
  definition: 'Scans: ScreenConnect Logs'
detection:
  selection:
    cs-uri-query|contains:
      - 'Session.ashx'
      - 'SetupWizard.aspx'
    cs-method: 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative setup
level: critical
tags:
  - attack.initial_access
  - cve.2024.1708
  - qilin
---
title: Qilin Ransomware Pre-Encryption Shadow Copy Deletion
description: Detects commands used to delete Volume Shadow Copies via vssadmin or diskshadow, a common precursor to Qilin encryption.
status: experimental
date: 2026/06/01
author: Security Arsenal Research
logsource:
  category: process_creation
  product: windows
detection:
  selection_vssadmin:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  selection_diskshadow:
    Image|endswith: '\diskshadow.exe'
    CommandLine|contains: 'delete shadows'
  condition: 1 of selection_*
falsepositives:
  - System administrator maintenance (rare)
level: high
tags:
  - attack.impact
  - attack.t1490
  - qilin
---
title: Suspicious PowerShell Base64 Encoded Command
description: Detects PowerShell processes executing encoded commands, often used by Qilin for payload staging and obfuscation.
status: experimental
date: 2026/06/01
author: Security Arsenal Research
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - ' -e '
      - ' -enc '
  filter_legit:
    User|contains: 'SYSTEM'   # often used by legitimate management agents; investigate context
  condition: selection and not filter_legit
falsepositives:
  - Legitimate scripting using encoding
level: medium
tags:
  - attack.execution
  - attack.t1059.001
  - qilin
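The two process_creation rules above, re-expressed as plain Python and run over constructed sample events so the selection and filter logic can be checked before the rules are deployed. This is an added example, not part of the original report; ProcEvent and the sample command lines are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal Windows process-creation event (only the fields the two rules use)."""
    image: str          # full path of the new process (Sigma: Image)
    command_line: str   # Sigma: CommandLine
    user: str           # Sigma: User

SHADOW_TOOLS = ("\\vssadmin.exe", "\\diskshadow.exe")
ENCODED_FLAGS = (" -e ", " -enc ")   # exactly the two substrings the rule lists

def shadow_copy_deletion(ev: ProcEvent) -> bool:
    """Rule 'Pre-Encryption Shadow Copy Deletion': 1 of selection_* (T1490).
    Sigma string modifiers are case-insensitive, hence the lower()."""
    return (ev.image.lower().endswith(SHADOW_TOOLS)
            and "delete shadows" in ev.command_line.lower())

def encoded_powershell(ev: ProcEvent) -> bool:
    """Rule 'Suspicious PowerShell Base64 Encoded Command':
    selection and not filter_legit (a User containing SYSTEM is filtered out)."""
    if not ev.image.lower().endswith("\\powershell.exe"):
        return False
    if not any(flag in ev.command_line.lower() for flag in ENCODED_FLAGS):
        return False
    return "system" not in ev.user.lower()

def evaluate(events):
    """Return (rule, level, command_line) for every event that fires a rule."""
    hits = []
    for ev in events:
        if shadow_copy_deletion(ev):
            hits.append(("shadow_copy_deletion", "high", ev.command_line))
        if encoded_powershell(ev):
            hits.append(("encoded_powershell", "medium", ev.command_line))
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real victim data
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet", r"CORP\admin"),
    # diskshadow driven by a script file never shows 'delete shadows' on the command line,
    # so the rule as written misses it; pair it with a check on the referenced script file
    ProcEvent(r"C:\Windows\System32\diskshadow.exe", "diskshadow.exe /s C:\\Temp\\del.txt", r"CORP\admin"),
    ProcEvent(PS, "powershell.exe -nop -w hidden -enc QQBCAEMA", r"CORP\jdoe"),
    ProcEvent(PS, "powershell.exe -enc QQBCAEMA", r"NT AUTHORITY\SYSTEM"),   # dropped by filter_legit
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows", r"CORP\admin"),
]

if __name__ == "__main__":
    for rule, level, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{level}] {rule}: {cmd}")
```

The second diskshadow event is the instructive one: the rule fires only on the literal 'delete shadows' string, so script-driven invocations need a separate control.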
KQL (Microsoft Sentinel)
Hunt for lateral movement and data staging associated with Qilin's toolset (often uses Rclone or Mimikatz).
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in ("powershell.exe", "cmd.exe", "rclone.exe", "procdump.exe", "mimikatz.exe")
| where ProcessCommandLine contains "-enc"
    or ProcessCommandLine contains "config"
    or ProcessCommandLine contains "copy"
    or ProcessCommandLine contains "sam"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
PowerShell Rapid Response Script
Checks for recent scheduled tasks (common persistence for Qilin) and Shadow Copy manipulation.
# Qilin Persistence and Impact Check
# Run from an elevated PowerShell session so that every user's tasks and the event logs are readable.
Write-Host "Checking for Qilin Indicators of Compromise..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in the last 48 hours (common Qilin persistence)
#    Get-ScheduledTask exposes Date as an ISO 8601 string (empty for many built-in tasks),
#    so cast it before comparing; a plain string comparison against a DateTime gives wrong results.
$DateCutoff = (Get-Date).AddDays(-2)
$SuspiciousTasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt $DateCutoff }
if ($SuspiciousTasks) {
    Write-Host "[ALERT] Recent Scheduled Tasks Found (Potential Persistence):" -ForegroundColor Red
    $SuspiciousTasks | Select-Object TaskName, TaskPath, Date, Author | Format-Table -AutoSize
} else {
    Write-Host "[OK] No suspicious recent scheduled tasks detected." -ForegroundColor Green
}

# 2. Check for recent VSSAdmin events (Event ID 822 or 1 usually implies deletion)
#    Confirm the log name exists on this host first: Get-WinEvent -ListLog '*VSS*'
Write-Host "Checking VSSAdmin usage..."
$VSSLogs = Get-WinEvent -LogName 'Microsoft-Windows-VSS/Admin/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue
if ($VSSLogs) {
    $SuspiciousVSS = $VSSLogs | Where-Object { $_.Message -match "delete" -or $_.Message -match "shadow copy" }
    if ($SuspiciousVSS) {
        Write-Host "[ALERT] VSS Deletion activity detected:" -ForegroundColor Red
        $SuspiciousVSS | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
    } else {
        Write-Host "[OK] No recent VSS deletion activity." -ForegroundColor Green
    }
} else {
    # No events or no such log: fall back to Security 4688 process-creation events for vssadmin.exe / diskshadow.exe
    Write-Host "[INFO] VSS log not found or empty; review Security log 4688 events for vssadmin.exe and diskshadow.exe instead." -ForegroundColor Yellow
}
---
Incident Response Priorities
T-minus Detection Checklist:
- RMM Anomalies: Investigate ConnectWise ScreenConnect logs for the week leading up to 2026-05-27 for SetupWizard.aspx or unusual session creations.
- Exchange Logs: Review IIS logs for EWS or OAB endpoints sending large volumes of data (exfiltration).
- User Login Behavior: Look for successful VPN/RDP logins immediately followed by mass file access events.
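One way to carry out the first two checklist items over exported web logs, as an added example that is not part of the original report: it parses W3C-format lines, flags POSTs to the ScreenConnect paths named in the Sigma rule, and sums bytes served per client on the EWS and OAB endpoints. The log lines, the IP addresses and the 500 MiB threshold are constructed assumptions; sc-bytes is assumed to be enabled in IIS logging.

```python
from collections import defaultdict

# Constructed sample IIS W3C log (not real telemetry). The #Fields header drives the parser.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2026-05-25 02:11:04 POST /SetupWizard.aspx - 203.0.113.7 200 1822
2026-05-25 02:11:09 POST /Script.ashx - 203.0.113.7 200 511
2026-05-26 01:03:17 GET /ews/Exchange.asmx - 198.51.100.23 200 734000000
2026-05-26 01:05:41 GET /ews/Exchange.asmx - 198.51.100.23 200 691000000
2026-05-26 09:30:02 GET /OAB/guid/oab.xml - 192.0.2.10 200 20481
2026-05-26 09:31:55 GET /owa/ - 192.0.2.10 200 30211
"""
SCREENCONNECT_PATHS = ("session.ashx", "setupwizard.aspx")   # from the Sigma rule above
EXFIL_BYTES = 500 * 1024 * 1024   # assumed per-client, per-endpoint threshold; tune per site

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def screenconnect_hits(records):
    """POST to Session.ashx / SetupWizard.aspx (in stem or query), mirroring the Sigma rule."""
    return [r for r in records
            if r["cs-method"] == "POST"
            and any(p in (r["cs-uri-stem"] + r["cs-uri-query"]).lower() for p in SCREENCONNECT_PATHS)]

def exchange_volume(records):
    """Bytes served per (client IP, ews|oab) above EXFIL_BYTES: candidate bulk mailbox pulls."""
    totals = defaultdict(int)
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if stem.startswith(("/ews/", "/oab/")):
            totals[(r["c-ip"], stem.split("/")[1])] += int(r["sc-bytes"])
    return {k: v for k, v in totals.items() if v > EXFIL_BYTES}

def review(text):
    records = list(parse_w3c(text))
    return screenconnect_hits(records), exchange_volume(records)

if __name__ == "__main__":
    hits, volumes = review(SAMPLE_LOG)
    for r in hits:
        print("ScreenConnect:", r["date"], r["time"], r["c-ip"], r["cs-uri-stem"])
    for (ip, endpoint), total in volumes.items():
        print(f"Exchange volume: {ip} pulled {total} bytes via {endpoint}")
```

Per-request byte counts are small individually; the aggregation per client is what exposes the 1.4 GB EWS pull in the sample while the ordinary OWA and OAB traffic stays below threshold.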
Critical Assets at Risk:
- Healthcare: Electronic Health Records (EHR) databases, PHI/PII files.
- Manufacturing: CAD files, intellectual property, supply chain databases.
Containment Actions:
- Isolate: Immediately disconnect impacted segments from the core network; focus on servers hosting ConnectWise and Exchange.
- Disable Accounts: Suspend service accounts associated with remote access tools if anomalous activity is detected.
- Preserve Artifacts: Capture memory dumps of Domain Controllers and Exchange servers (Qilin often dumps credentials).
Hardening Recommendations
Immediate (24h):
- Patch CISA KEVs: Apply patches for CVE-2024-1708 (ScreenConnect), CVE-2023-21529 (Exchange), and CVE-2025-52691 (SmarterMail) immediately. If patching is not possible, disable the services or place them behind a Zero Trust Access gateway.
- MFA Enforcement: Enforce phishing-resistant MFA on all VPN, RDP, and web-based management consoles (RMM).
Short-term (2 weeks):
- Network Segmentation: Segregate backup repositories from the main network to prevent Qilin from encrypting backups.
- Audit RMM Tools: Conduct an audit of all Remote Monitoring and Management tools to ensure no unauthorized instances exist.
Related Resources