Date: 2026-05-22
Analyst: Security Arsenal Threat Intelligence Unit
Source: Ransomware.live / Dark Web Leak Sites
1. Executive Summary
The QILIN ransomware gang (aka Agenda) has accelerated its posting cadence, adding 23 victims in the last 100 days with a distinct focus on the Construction, Manufacturing, and Agriculture sectors. Current intelligence indicates a shift toward exploiting remote management infrastructure, specifically ConnectWise ScreenConnect and Microsoft Exchange Server, as primary initial access vectors. The campaign is heavily geographically concentrated in the US, UK, and Austria.
2. Threat Actor Profile — QILIN
- Aliases: Agenda, Titan
- Affiliation Model: Ransomware-as-a-Service (RaaS)
- Ransom Demands: Variable, typically ranging from $500k to $5M USD, depending on victim revenue.
- Operational Tactics:
- Double Extortion: Aggressive data theft followed by encryption; leak site pressure is high.
- Initial Access: Heavily relies on unpatched internet-facing appliances (RMM tools, Email gateways) and valid credentials obtained via infostealing malware or phishing.
- Dwell Time: Short to moderate (3–7 days). Qilin operators move quickly to lateral movement once inside the network.
- Tooling: Custom Go-based encryption payloads, Cobalt Strike beacons for C2, and RDP tunneling for lateral movement.
3. Current Campaign Analysis
Sector Targeting
Based on victims posted between 2026-05-17 and 2026-05-21, Qilin is disproportionately targeting:
- Construction (35%): ROTO Immobilien, CJ Architects, Air Conditioning Florida, RCR Industrial Flooring.
- Manufacturing (15%): Snyder Packaging, Buckeye Paper.
- Agriculture & Food (15%): Vial Agro, Fruits Queralt.
Geographic Concentration
- Primary: United States (US), United Kingdom (GB)
- Secondary: Austria (AT), Spain (ES), Canada (CA)
Victim Profile
The victim list suggests a focus on Mid-Market Enterprises (MME). Companies like Snyder Packaging and CJ Architects likely possess revenue in the $10M–$200M range—large enough to pay significant ransoms but often lacking dedicated 24/7 SOC monitoring compared to enterprise giants.
CVE Exploitation & Correlation
The inclusion of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2023-21529 (Microsoft Exchange) in the CISA KEV list correlates directly with the victimology. Construction and Manufacturing firms frequently rely on Managed Service Providers (MSPs) utilizing ScreenConnect for remote support, making them prime targets for this specific vulnerability.
4. Detection Engineering
The following detection logic is derived from Qilin's observed TTPs (Remote Access Exploitation -> Lateral Movement -> Data Staging).
SIGMA Rules
---
title: Potential ConnectWise ScreenConnect Authentication Bypass
id: 482c0c16-7c4f-4f9e-bc4d-123456789012
description: Detects potential exploitation of ConnectWise ScreenConnect authentication bypass or path traversal (CVE-2024-1708) based on URI patterns and user agent anomalies.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '/LiveEvents/'
      - '/Setup/'
      - '/Guest'
  filter:
    cs-user-agent|contains: 'ScreenConnect'
  condition: selection and not filter
falsepositives:
  - Legitimate administrative access (verify user context)
level: high
---
title: Suspicious PowerShell Base64 Encoded Command Line
id: 9a3b1d4e-5f6a-4b7c-8d9e-012345678901
description: Detects PowerShell commands with high entropy base64 encoded strings, often used by Qilin payloads for execution and obfuscation.
status: experimental
date: 2026/05/22
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: ' -e '
    CommandLine|re: '^.*[A-Za-z0-9+/]{50,}={0,2}$'
  condition: selection
falsepositives:
  - System administration scripts
level: medium
---
title: Lateral Movement via PsExec and WMI
id: b4c5d6e7-8f9a-0b1c-2d3e-456789012345
description: Detects the use of PsExec or WMI for lateral movement, a common technique in Qilin operations before encryption.
status: experimental
date: 2026/05/22
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_psexec:
    Image|endswith:
      - '\psexec.exe'
      - '\psexec64.exe'
    CommandLine|contains: '\\'
  selection_wmi:
    Image|endswith: '\wmic.exe'
    CommandLine|contains: 'process call create'
  condition: 1 of selection*
falsepositives:
  - Legitimate administrative tasks
level: high
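To sanity-check the three Sigma selections above before deploying them, here is an added Python example (written for this report, not part of it) that re-implements their matching logic over constructed IIS and process-creation events; the log lines, hostnames and the encoded payload are all made up, and the decode helper shows what an analyst recovers from a matched -e argument.

```python
import base64
import re
B64_RE = re.compile(r'^.*[A-Za-z0-9+/]{50,}={0,2}$')  # same regex as the second Sigma rule
# Constructed W3C IIS log sample (not real telemetry); field order follows the #Fields header.
IIS_SAMPLE = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(User-Agent) sc-status
2026-05-20 03:14:07 203.0.113.10 GET /SetupWizard.aspx /Setup/ Mozilla/5.0+(Windows) 200
2026-05-20 09:00:02 192.0.2.5 GET /Script.ashx /Guest ScreenConnect/23.9 200
"""
# Constructed process-creation events; the encoded payload is a harmless Write-Output.
ENCODED = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()
PROCESS_SAMPLE = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe -e " + ENCODED},
    {"Image": r"C:\Tools\PsExec64.exe", "CommandLine": r"PsExec64.exe \\FILESRV01 -s cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic /node:FILESRV01 process call create notepad.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
]
def parse_iis(text):
    """Turn W3C log text into one dict per request line, keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows
def rule_screenconnect(ev):
    """Rule 1: watched path in cs-uri-query, and the user agent is not ScreenConnect itself."""
    query, ua = ev.get("cs-uri-query", "").lower(), ev.get("cs(User-Agent)", "").lower()
    return any(p in query for p in ("/liveevents/", "/setup/", "/guest")) and "screenconnect" not in ua
def rule_encoded_powershell(ev):
    """Rule 2: powershell.exe, a ' -e ' switch, and a 50+ char base64 run ending the command line."""
    cmd = ev["CommandLine"]
    return ev["Image"].lower().endswith("\\powershell.exe") and " -e " in cmd.lower() and bool(B64_RE.match(cmd))
def decode_encoded_command(cmd):
    """Analyst helper: -e carries base64 of UTF-16LE text; return the script that would have run."""
    return base64.b64decode(cmd.rsplit(" -e ", 1)[1].split()[0]).decode("utf-16le")
def rule_lateral_movement(ev):
    """Rule 3: PsExec with a UNC target, or wmic 'process call create' (Sigma 'contains' ignores case)."""
    image, cmd = ev["Image"].lower(), ev["CommandLine"].lower()
    psexec = image.endswith(("\\psexec.exe", "\\psexec64.exe")) and "\\\\" in cmd
    return psexec or (image.endswith("\\wmic.exe") and "process call create" in cmd)
def run_detections(iis_text=IIS_SAMPLE, procs=PROCESS_SAMPLE):
    """Return (rule title, evidence) for every sample event that matches one of the three rules."""
    hits = [("ScreenConnect Authentication Bypass", ev["c-ip"]) for ev in parse_iis(iis_text) if rule_screenconnect(ev)]
    hits += [("PowerShell Base64 Encoded Command Line", decode_encoded_command(ev["CommandLine"]))
             for ev in procs if rule_encoded_powershell(ev)]
    hits += [("Lateral Movement via PsExec and WMI", ev["CommandLine"]) for ev in procs if rule_lateral_movement(ev)]
    return hits
```

The second IIS line is deliberately a selection hit that the ScreenConnect user-agent filter suppresses, so the sample yields four alerts: one web, one encoded PowerShell, and two lateral movement.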
KQL (Microsoft Sentinel)
// Hunt for Qilin pre-encryption staging and lateral movement
// Focuses on remote execution tooling and encoded or download-cradle PowerShell run by non-SYSTEM accounts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName in~ ("psexec.exe", "wmic.exe", "powershell.exe") or ProcessCommandLine has_any ("-enc", "-e", "downloadstring", "iex"))
| where InitiatingProcessAccountName != "SYSTEM"
| summarize count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, AccountName, FileName, ProcessCommandLine
| where count_ > 2
| order by count_ desc
Rapid Response Script (PowerShell)
<#
.SYNOPSIS
Qilin Ransomware Hardening & Indicator Check
.DESCRIPTION
Checks for recently registered scheduled tasks, recent network/RDP logons, and the presence of a ScreenConnect install path.
#>
Write-Host "[+] Checking for Scheduled Tasks registered in last 48 hours..." -ForegroundColor Cyan
# The Date property holds the task's registration timestamp (ISO 8601 string); it is empty for some built-in tasks.
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddDays(-2) } |
    Select-Object TaskName, Date, Author, State
Write-Host "[+] Auditing recent Network Logons (Type 3 or 10) for potential lateral movement..." -ForegroundColor Cyan
# Event 4624 property indexes: [5] TargetUserName, [8] LogonType, [18] IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -in 3,10 } |
    Select-Object TimeCreated, @{n='Account';e={$_.Properties[5].Value}}, @{n='LogonType';e={$_.Properties[8].Value}}, @{n='Source IP';e={$_.Properties[18].Value}} |
    Format-Table -AutoSize
Write-Host "[+] Checking for ScreenConnect Web Server Logs (IIS) - Manual review required for path traversal strings." -ForegroundColor Yellow
# Note: Automating log parsing requires path specification. This is a placeholder for path verification.
Test-Path "C:\Program Files (x86)\ScreenConnect\"
---
5. Incident Response Priorities
If Qilin activity is suspected, execute the following checklist immediately, in order:
- Isolate Remote Access: Immediately disconnect internet-facing RMM tools (ScreenConnect, Splashtop, AnyDesk) from the internal network. Block inbound traffic to these tools at the firewall.
- Audit Exchange Servers: Check for suspicious IIS logs on Microsoft Exchange servers (connections to /ecp/ or /owa/ from unusual geo-locations).
- Hunt for Cobalt Strike: Scan memory for beacon patterns (e.g., powerview.ps1 execution or rundll32.exe spawning from non-standard directories).
- Credential Reset: Force reset of Domain Admin credentials and service account credentials used by the targeted RMM tools.
Critical Assets at Risk
- Project Blueprints & IP: (Construction/Manufacturing) - High exfiltration value.
- ERP Databases: Financial data and client lists are primary leverage for double extortion.
6. Hardening Recommendations
Immediate (24 Hours)
- Patch CVE-2024-1708: Apply the ConnectWise ScreenConnect security update immediately. If patching is impossible, enforce strict IP allow-listing for the web interface.
- Disable ECP/OWA: If Exchange is not externally required, temporarily block internet access to the /ecp and /owa directories.
- MFA Enforcement: Ensure all RMM and VPN accounts have FIDO2 hardware-backed MFA enforced; reject SMS/TOTP if possible.
Short-term (2 Weeks)
- Network Segmentation: Separate operational technology (OT) and administrative networks from the corporate IT network to prevent ransomware spread to manufacturing floors.
- EDR Coverage: Ensure EDR agents are deployed and reporting on all servers, particularly those hosting remote access tools.