Back to Intelligence

QILIN Ransomware Campaign: US Manufacturing & Healthcare Under Siege — IOCs & Detection Engineering

SA
Security Arsenal Team
May 31, 2026
6 min read

Aliases: Agenda, Qilin.Browse RaaS Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate model where core developers maintain the encryption payload (often written in Rust or Go) while affiliates handle initial access and network penetration. Ransom Demands: Typically range from $300,000 to $5 million, depending on victim revenue and exfiltrated data volume. Initial Access Vectors: Historically relies on compromised credentials for VPNs (FortiGate, Pulse Secure), exposed RDP services, and recent exploitation of management software like ConnectWise ScreenConnect. Phishing campaigns with malicious macros remain a staple for lower-value targets. Double Extortion: Strictly adheres to double extortion. Victims' data is exfiltrated using tools like rclone or MegaSync prior to encryption execution. Non-payment results in data publication on their .onion site. Dwell Time: Observations from recent campaigns indicate an average dwell time of 3 to 7 days before detonation, suggesting a "smash-and-grab" philosophy to evade EDR detection.

Current Campaign Analysis

Sector Targeting: Analysis of the last 100 postings reveals a distinct pivot toward Manufacturing (e.g., Sinomax USA, Carton Craft Supply) and Healthcare (e.g., Mindpath College Health, Providence Medical Group). These sectors comprise nearly 60% of the recent victim list, likely due to lower tolerance for downtime and higher willingness to pay.

Geographic Concentration: The United States remains the primary target (60%+ of recent victims), with significant secondary activity in Australia and Europe (Denmark, Hungary). The focus on US entities suggests affiliates are leveraging time zones to maximize operational pressure.

Victim Profile: The victimology is mixed, ranging from mid-market enterprises (Sinomax) to small-to-medium businesses (Dillon Family Medicine, LA Woodworks). This indicates a "spray and pray" affiliate approach targeting vulnerabilities rather than specific revenue thresholds.

CVE Correlation: The emergence of CVE-2026-48027 (Nx Console) in the CISA KEV list coincides with Qilin's recent activity spike. We assess with high confidence that Qilin affiliates are actively weaponizing this vulnerability, alongside the long-standing exploitation of CVE-2024-1708 (ConnectWise ScreenConnect), to bypass perimeter defenses.

Detection Engineering

Sigma Rules

YAML
title: Potential Qilin Ransomware Lateral Movement via WMI
id: 482a5e6e-1b9b-4a5c-9f5e-2a3b4c5d6e7f
description: Detects lateral movement using WMI to spawn processes on remote endpoints, a common technique used by Qilin affiliates.
status: experimental
date: 2026/06/01
author: Security Arsenal
references:
    - Internal Threat Research
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\\wmiprvse.exe'
        Image|endswith:
            - '\\cmd.exe'
            - '\\powershell.exe'
            - '\\pwsh.exe'
    filter:
        CommandLine|contains:
            - ' -ENC '
            - ' -EncodedCommand '
            - 'DownloadString'
    condition: selection and filter
falsepositives:
    - Legitimate system administration
level: high
tags:
    - attack.execution
    - attack.lateral_movement
    - ransomware
---
title: Suspicious Shadow Copy Deletion (Qilin Prep)
id: 593b6f7f-2c0c-5b6d-0g6f-3b4c5d6e7f8g
description: Detects commands used to delete Volume Shadow Copies, often executed immediately prior to encryption.
status: experimental
date: 2026/06/01
author: Security Arsenal
logsource:
    product: windows
    category: process_creation
detection:
    selection_vssadmin:
        Image|endswith: '\\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    selection_wmic:
        Image|endswith: '\\wmic.exe'
        CommandLine|contains: 'shadowcopy delete'
    condition: 1 of selection_*
falsepositives:
    - System admin maintenance (rare)
level: critical
tags:
    - attack.impact
    - defense_evasion
---
title: Rclone Execution for Data Exfiltration
id: 6a4c7g8h-3d1d-6c7e-1h7g-4c5d6e7f8g9h
description: Detects the execution of rclone, a tool frequently used by Qilin for staging and exfiltrating data to cloud storage.
status: experimental
date: 2026/06/01
author: Security Arsenal
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\\rclone.exe'
        CommandLine|contains:
            - 'config'
            - 'copy'
            - 'sync'
            - 'mega'
    condition: selection
falsepositives:
    - Legitimate backup usage (verify user)
level: high
tags:
    - attack.exfiltration

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and process injection patterns common in Qilin incidents
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp >= ago(TimeFrame)
// Look for suspicious child processes of common LOLBins or system tools
| where InitiatingProcessFileName in ("wscript.exe", "cscript.exe", "mshta.exe", "excel.exe", "winword.exe", "powershell.exe", "cmd.exe")
| where FileName in ("powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "wmi.exe", "wbem\wmiprvse.exe")
// Filter for encoded commands or suspicious flags
| where ProcessCommandLine has any("-enc", "-encodedcommand", "-windowstyle hidden", "-nop", "downloadstring", "iex")
// Exclude known legitimate paths if necessary, but high risk context preferred
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc

Rapid Response Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Rapid Response Check for Qilin Indicators of Compromise.
.DESCRIPTION
    Checks for recent unusual scheduled tasks, RDP logon anomalies, and Shadow Copy manipulation.
#>

Write-Host "[*] Starting Qilin Rapid Response Checks..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in the last 24 hours (Persistence)
$DateCutoff = (Get-Date).AddDays(-1)
Write-Host "[*] Checking for Scheduled Tasks created/modified since: $DateCutoff" -ForegroundColor Yellow
Get-ScheduledTask | Where-Object { 
    $_.Date -gt $DateCutoff -or 
    (Get-ScheduledTaskInfo $_.TaskName).LastRunTime -gt $DateCutoff 
} | Select-Object TaskName, Date, State, @{Name='LastRun';Expression={(Get-ScheduledTaskInfo $_.TaskName).LastRunTime}} | Format-Table -AutoSize

# 2. Check for Shadow Copy Deletion Events (System Log Event ID 7036 or VSS provider logs)
Write-Host "[*] Checking System Event Log for VSS Service stops (often associated with shadow copy deletion) in last 24h..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='System'; Level=2; StartTime=$DateCutoff} -ErrorAction SilentlyContinue | 
Where-Object {$_.Message -like '*VSS*' -or $_.Message -like '*Volume Shadow Copy*'} | 
Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# 3. Check for unusual RDP logons (Event ID 4624 with Type 10)
Write-Host "[*] Checking Security Log for Network RDP Logons (Type 10) in last 24h..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=$DateCutoff} -ErrorAction SilentlyContinue | 
Where-Object {$_.Message -match 'Logon Type:\s*10'} | 
Select-Object TimeCreated, @{Name='User';Expression={$_.Properties[5].Value}}, @{Name='IP';Expression={$_.Properties[19].Value}} | Format-Table -AutoSize

Write-Host "[*] Checks complete." -ForegroundColor Green


# Incident Response Priorities

**T-Minus Detection Checklist (Pre-Encryption):**
1.  **Hunt for CVE-2026-48027:** Review logs for Nx Console activity or suspicious web shell paths associated with the vulnerability.
2.  **Identify Data Staging:** Look for massive spikes in internal network traffic to single workstations, often indicating data aggregation before exfiltration.
3.  **Process Anomalies:** Hunt for `powershell.exe` spawning `rclone.exe` or instances of `wmiprvse.exe` spawning command shells.

**Critical Assets for Exfiltration:**
Qilin prioritizes PII/PHI (Healthcare), intellectual property (Manufacturing), and financial databases (Business Services). Secure backups of these systems immediately.

**Containment Actions (Ordered by Urgency):**
1.  **Isolate:** Disconnect suspected hosts from the network immediately; do not shutdown if memory forensics are needed.
2.  **Revoke Credentials:** Force reset of domain admin and service account credentials used on affected segments.
3.  **Block C2:** Identify and block IP addresses associated with Qilin C2 infrastructure and known exfiltration endpoints (e.g., MEGA cloud storage IPs).

# Hardening Recommendations

**Immediate (24h):**
*   **Patch CVE-2026-48027:** If Nx Console is in the environment, update to the latest patched version immediately or restrict network access to the console.
*   **Disable RDP:** Ensure Internet-facing RDP is disabled. Enforce MFA for all VPN access points.
*   **Block Macro Execution:** Microsoft Office macro settings should be set to "Disable all with notification" across the enterprise.

**Short-term (2 weeks):**
*   **Network Segmentation:** Isolate critical backup systems from the main production network to prevent ransomware traversal.
*   **EDR Tuning:** Deploy specific detection rules for `wmiprvse.exe` child process anomalies and `rclone` execution.
*   **Audit External Attack Surface:** Perform a scan for exposed management interfaces (ScreenConnect, RDP, VPN) and close unnecessary ports.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwaremanufacturinghealthcarecve-2026-48027lateral-movement

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action