QILIN Ransomware: Construction & Agri-Food Sector Surge — SmarterMail & ScreenConnect Exploitation

Threat Actor Profile — QILIN

Aliases & Structure: QILIN (formerly known as Agenda. in some circles due to code overlap) operates as a Ransomware-as-a-Service (RaaS) model. They aggressively recruit affiliates, offering a Rust-based encrypted payload customizable for each target.

Tactics & Economics: QILIN employs a classic double-extortion strategy: exfiltrating sensitive data (blueprints, financial records, client PII) before encrypting systems. Ransom demands vary significantly, typically ranging from $200,000 to $2 million USD depending on victim revenue and urgency.

Initial Access & Dwell Time: The group and its affiliates are opportunistic but technically proficient. Initial access is frequently gained via:

1. Exposed Remote Management Tools: Specifically exploiting vulnerabilities in remote monitoring and management (RMM) software like ConnectWise ScreenConnect.
2. Email Server Flaws: Exploiting authentication bypasses and file upload vulnerabilities in mail servers like SmarterMail.
3. Phishing: Malicious macros or links leading to credential harvesting.

Average dwell time is short, often 3-5 days from initial access to encryption, designed to outpace detection capabilities of standard SOC shifts.

Current Campaign Analysis

Campaign Date: 2026-05-21 Observed Victim Count: 15 new postings in the last 72 hours.

Sector Targeting

Analysis of the recent leak site data reveals a distinct pivot toward blue-collar and critical supply chain industries:

• Construction (26%): Victims include CJ Architects (US), Air Conditioning Florida & partners (US), and RCR Industrial Flooring (AU).
• Agriculture and Food Production (20%): Victims include Vial Agro (AR), Fruits Queralt (ES), and The Taylor Provisions (GB).
• Healthcare (6%): Salter HealthCare (GB) indicates a willingness to target critical care providers despite increased scrutiny.

Geographic Concentration

The campaign is globally dispersed but has dense clusters in:

• United Kingdom: 4 victims (Hamer Childs, Porter W Yett, Taylor Provisions, Salter HealthCare).
• United States: 4 victims (including multi-entity construction firms).
• Europe & Americas: Single confirmed hits in CZ, AR, AT, ES, CA, and AU.

CVE Correlation & Attack Vector

This campaign correlates strongly with the recent addition of specific CVEs to the CISA Known Exploited Vulnerabilities (KEV) list:

• CVE-2024-1708 (ConnectWise ScreenConnect): Highly likely used for initial access against the Business Services and Construction sectors, where RMM tools are ubiquitous for remote IT support.
• CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): The authentication bypass and unrestricted file upload vulnerabilities are probable vectors for the Agri-Food and Manufacturing victims, where on-premise mail servers remain common.

Victim Profile

The victimology suggests a focus on the upper-middle market. Companies like Buckeye Paper (Manufacturing) and Monir Precision Monitoring (Manufacturing) suggest revenue ranges between $10M - $100M USD—organizations large enough to pay a significant ransom but often lacking dedicated 24/7 security operations centers.

Detection Engineering

Sigma Rules

title: Potential QILIN Ransomware Activity - ScreenConnect Exploitation
id: 0c8f1a2b-3d4e-5f6a-7b8c-9d0e1f2a3b4c
description: Detects potential exploitation of ConnectWise ScreenConnect (CVE-2024-1708) often used by QILIN affiliates for initial access.
status: experimental
date: 2026/05/21
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2024.1708
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/SessionManager.ashx'
            - '/Bin/*'
        c-uri-query|contains:
            - '..'
            - '%2e%2e'
    condition: selection
falsepositives:
    - Legitimate (but buggy) web client usage
level: critical
---
title: SmarterMail Authentication Bypass or File Upload Attempt
date: 2026/05/21
id: d4e5f6g7-8h9i-0j1k-2l3m-4n5o6p7q8r9s
status: experimental
description: Detects suspicious patterns associated with CVE-2025-52691 and CVE-2026-23760 on SmarterMail instances.
author: Security Arsenal Research
logsource:
    category: webserver
detection:
    selection_path:
        cs-uri-stem|contains:
            - '/MVC/
            - '/Services/
    selection_method:
        cs-method:
            - 'POST'
    selection_anomaly:
        cs-uri-query|contains:
            - 'ResetPassword'
            - 'SetPassword'
            - 'Upload'
    condition: all of selection*
falsepositives:
    - Administrative password resets
level: high
---
title: Suspicious PowerShell Execution - QILIN Affiliate Pattern
date: 2026/05/21
id: a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6
status: experimental
description: Detects base64 encoded PowerShell commands and typical obfuscation used by QILIN affiliates for lateral movement.
author: Security Arsenal Research
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith: '\powershell.exe'
    selection_encoded:
        CommandLine|contains:
            - ' -enc '
            - ' -encodedcommand '
            - 'FromBase64String'
    selection_suspicious:
        CommandLine|contains:
            'DownloadString'
            'IEX'
    condition: all of selection*
falsepositives:
    - System administration scripts
level: high

KQL (Microsoft Sentinel)

// Hunt for lateral movement and data staging associated with QILIN
// Looks for high volume file copies to admin shares and VSS manipulation
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ('robocopy.exe', 'powershell.exe', 'cmd.exe', 'powershell_ise.exe', 'cscript.exe', 'wscript.exe', 'rclone.exe')
| extend CommandLine = coalesce(CommandLine, "")
| where CommandLine has "ADMIN$" 
   or CommandLine has "C$" 
   or CommandLine has "/copy" 
   or CommandLine has "vssadmin" 
   or CommandLine has "wbadmin"
| summarize count(), make_set(FileName), make_set(CommandLine) by DeviceName, AccountName, bin(Timestamp, 1h)
| where count_ > 5
| order by count_ desc

Rapid Response Script

# QILIN Response Check: Scheduled Tasks and VSS Health
# Run as Administrator on suspected endpoints

Write-Host "[+] Checking for recently modified Scheduled Tasks (Last 7 Days)..." -ForegroundColor Cyan
Get-ScheduledTask | ForEach-Object {
    $taskInfo = $_ | Get-ScheduledTaskInfo
    if ($taskInfo.LastRunTime -gt (Get-Date).AddDays(-7)) {
        Write-Host "WARNING: Task '$($_.TaskName)' last ran on $($taskInfo.LastRunTime)" -ForegroundColor Red
        Write-Host "Action: $($_.Actions.Execute)" -ForegroundColor Yellow
    }
}

Write-Host "[+] Checking Volume Shadow Copy Storage Association..." -ForegroundColor Cyan
try {
    $vss = Get-WmiObject -Class Win32_ShadowCopy
    if ($vss.Count -lt 2) {
        Write-Host "WARNING: Low number of Shadow Copies detected. Possible deletion." -ForegroundColor Red
    } else {
        Write-Host "INFO: $($vss.Count) Shadow Copies found." -ForegroundColor Green
    }
} catch {
    Write-Host "ERROR: Could not query VSS." -ForegroundColor Red
}

Write-Host "[+] Checking for common QILin ransomware extensions in user directories..." -ForegroundColor Cyan
$paths = @("C:\Users\", "D:\Users\", "C:\\")
$extensions = @(".Qilin", ".encrypted", ".locked")
foreach ($path in $paths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | 
        Where-Object { $extensions -contains $_.Extension } | 
        Select-Object -First 5 FullName | 
        ForEach-Object { Write-Host "ENCRYPTED FILE FOUND: $($_.FullName)" -ForegroundColor Red }
    }
}


---

Incident Response Priorities

1. T-Minus Detection Checklist:

   • Immediate: Check web server logs for ScreenConnect SessionManager.ashx anomalies (CVE-2024-1708).
   • Urgent: Audit SmarterMail servers for the ResetPassword path abuse or unauthorized file uploads.
   • Critical: Scan for unexpected powershell.exe parent processes spawned by svchost.exe or w3wp.exe.

2. Critical Assets at Risk:

   • Financial Systems: Qilin aggressively targets QuickBooks databases and payroll files for extortion leverage.
   • CAD/Blueprint Files: In the Construction sector, .dwg, .pdf, and .rvt files are high-priority exfiltration targets.

3. Containment Actions:

   • Isolate: Disconnect compromised RMM tools and email servers from the network immediately.
   • Block: Network segmentation to prevent SMB (TCP 445, 139) lateral movement to domain controllers.
   • Preserve: Capture memory dumps of the powershell and w3wp processes before rebooting to analyze malicious payloads.

Hardening Recommendations

Immediate (24 Hours)

• Patch CVE-2024-1708: Update ConnectWise ScreenConnect to the latest patched version immediately. If patching is not possible, enforce strict IP allow-listing for the web interface.
• Patch SmarterMail: Apply patches for CVE-2025-52691 and CVE-2026-23760. Disable the ResetPassword functionality externally if not required.
• MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) on all VPN, RMM, and Email logins.

Short-term (2 Weeks)

• Network Segmentation: Move RMM and Email management interfaces to a dedicated management VLAN, inaccessible from the general corporate LAN.
• Egress Filtering: Block outbound traffic to known anonymizers and non-standard ports used for C2 (e.g., DNS over HTTPS anomalies).
• Audit Remote Access: Conduct a full audit of all active RDP and VPN sessions; revoke standing access in favor of Just-In-Time (JIT) privileged access.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub