Back to Intelligence

QILIN Ransomware: Critical Infrastructure & Healthcare Under Siege via KEV Exploits

SA
Security Arsenal Team
June 6, 2026
6 min read

Intelligence Briefing — 2026-06-07

Excerpt

Qilin gang exploits CISA KEV vulnerabilities to target Healthcare and Energy sectors globally. Immediate patching of ScreenConnect and Cisco FMC required.

Threat Actor Profile — QILIN

  • Aliases: Agenda, Qilin.
  • Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate program, allowing diverse initial access vectors while the core team provides the encryption payload and leak site infrastructure.
  • Ransom Demands: Historically ranges from $200,000 to multi-million dollars, varying heavily based on victim revenue and sector sensitivity.
  • Initial Access Methods: Known for exploiting vulnerabilities in external-facing remote management software (e.g., ConnectWise ScreenConnect) and VPN appliances. Phishing remains a secondary vector for less mature targets.
  • Extortion Strategy: Aggressive double extortion. Data is exfiltrated prior to encryption, and pressure is applied via the "Qilin News" leak site. They have threatened to release sensitive patient data in healthcare attacks to maximize payment urgency.
  • Dwell Time: Short to moderate. Recent intelligence suggests a dwell time of 3–7 days between initial access (often via CVE exploitation) and detonation, reducing the window for detection.

Current Campaign Analysis

Sector Targeting: The latest batch of 15 victims indicates a pivot towards high-value, critical services.

  • Healthcare (20%): Central Florida Cosmetic & Family Dentistry, Nova Medical Products, Clinica Maitenes. The targeting of medical providers suggests an intent to exploit the high sensitivity of PHI.
  • Energy (13%): Trican (CA), MEISA - Sines (PT). Targeting energy firms in Portugal and Canada signals a willingness to target critical infrastructure.
  • Business Services & Construction: Significant presence indicates a "spray and pray" approach on SMBs via common vulnerabilities like ScreenConnect.

Geographic Concentration: While the US remains the primary target (30%), the campaign is distinctly global:

  • North America: US, CA, BR (Brazil).
  • Europe: DE (Germany), SI (Slovenia), AT (Austria), PT (Portugal).
  • Asia-Pacific: KR (South Korea).
  • South America: CL (Chile) noted via Clinica Maitenes.

CVE Connection & Initial Access Vectors: The victim diversity correlates strongly with the exploitation of management and remote access software listed in the CISA KEV catalog:

  • CVE-2024-1708 (ConnectWise ScreenConnect): This is the likely vector for the Business Services and Manufacturing victims (e.g., JNP ENG), providing remote code execution capabilities.
  • CVE-2026-20131 (Cisco Secure Firewall FMC): Exploitation of firewall management centers could explain the lateral movement into more secured environments, particularly the Energy and Transportation sectors (Avcon Jet).
  • CVE-2023-21529 (Microsoft Exchange): Likely used for initial access in sectors with heavy email reliance, such as Healthcare and Business Services.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential ConnectWise ScreenConnect Authentication Bypass
id: 3e5b8b1c-8a4e-4f5c-9c2d-1e6f7a8b9c0d
status: experimental
description: Detects potential exploitation of CVE-2024-1708 involving suspicious path traversal or authentication bypass patterns in ScreenConnect logs.
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/07
tags:
    - attack.initial_access
    - cve.2024.1708
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/bin/'
            - '.aspx?'
        cs-uri-query|contains:
            - 'SessionId'
    filter:
        cs-uri-query|contains:
            - 'Logout'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative access
level: high
---
title: Ransomware Shadow Copy Deletion via VssAdmin
description: Detects attempts to delete Volume Shadow Copies using vssadmin, a common precursor to encryption by Qilin and other gangs.
id: 8c8e8f8a-1b1c-1d1e-1f1f-010203040506
status: experimental
author: Security Arsenal Research
date: 2026/06/07
references:
    - https://attack.mitre.org/techniques/T1490/
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'resize shadowstorage'
    condition: selection
falsepositives:
    - System administration (rare)
level: critical
---
title: Suspicious PsExec Lateral Movement
description: Detects the use of PsExec for lateral movement, often utilized by Qilin affiliates to spread across the network after gaining initial access.
id: 9d9e9f9a-2b2c-2d2e-2f2f-030405060708
status: experimental
author: Security Arsenal Research
date: 2026/06/07
references:
    - https://attack.mitre.org/techniques/T1021/002/
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\psexec.exe'
        CommandLine|contains:
            - '-accepteula'
            - '\\'
    condition: selection
falsepositives:
    - IT administration
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and ransomware precursor activity
// Focuses on PsExec, WMI, and unexpected service installations
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe") 
         or ProcessCommandLine contains_ "Invoke-WmiMethod" 
         or ProcessCommandLine contains_ "New-Service")
         and InitiatingProcessAccountName != "SYSTEM" 
         and InitiatingProcessAccountName != "NETWORK SERVICE"
| project Timestamp, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

PowerShell (Rapid Response)

PowerShell
# Check for recently modified or deleted Volume Shadow Copies
# Qilin actors often delete VSS before encryption
Write-Host "Checking for recent Shadow Copy activity..." -ForegroundColor Yellow

try {
    $shadowCopies = Get-WmiObject -Class Win32_ShadowCopy -ErrorAction Stop
    if ($shadowCopies) {
        $recentCopies = $shadowCopies | Where-Object { $_.InstallDate -gt (Get-Date).AddDays(-1) }
        if ($recentCopies) {
            Write-Host "[ALERT] Recent Shadow Copy activity detected:" -ForegroundColor Red
            $recentCopies | Format-List DeviceObject, VolumeName, InstallDate, State
        } else {
            Write-Host "No Shadow Copies created in the last 24 hours." -ForegroundColor Green
        }
    } else {
        Write-Host "[WARNING] No Shadow Copies found on system. VSS may be disabled or purged." -ForegroundColor Red
    }
} catch {
    Write-Host "Error querying WMI: $_" -ForegroundColor Red
}

# Check for scheduled tasks created in the last 7 days (persistence mechanism)
Write-Host "\nChecking for scheduled tasks created in the last 7 days..." -ForegroundColor Yellow
$schTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($schTasks) {
    Write-Host "[ALERT] Recently created scheduled tasks found:" -ForegroundColor Red
    $schTasks | Select-Object TaskName, Date, Author, TaskPath | Format-Table
} else {
    Write-Host "No recently created scheduled tasks found." -ForegroundColor Green
}


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption):

  1. ScreenConnect Audit: Immediately review ConnectWise ScreenConnect logs for authentication anomalies or path traversal attempts (CVE-2024-1708) dating back to late May 2026.
  2. Cisco FMC Logs: Hunt for suspicious administrative sessions or deserialization attempts on Firewall Management Centers.
  3. Exchange IIS Logs: Look for unusual POST requests to /autodiscover or /owa endpoints indicative of CVE-2023-21529 exploitation.

Critical Assets Prioritized for Exfiltration:

  • Healthcare: Patient PHI (SSNs, medical records), insurance databases.
  • Energy: SCADA configuration files, operational schematics, employee credentials.
  • Finance: payroll data, tax documents, banking credentials.

Containment Actions (Order by Urgency):

  1. Isolate: Disconnect compromised management servers (ScreenConnect, FMC, Exchange) from the network immediately.
  2. Reset: Force reset of credentials for all admin accounts used on these platforms.
  3. Block: Block inbound/outbound traffic to known C2 IPs associated with Qilin at the perimeter firewall.

Hardening Recommendations

Immediate (24h):

  • Patch CISA KEV: Prioritize patching CVE-2024-1708 (ConnectWise) and CVE-2026-20131 (Cisco FMC) immediately. These are the most likely active vectors.
  • MFA Enforcement: Ensure multi-factor authentication is enforced on all remote access solutions and VPNs.
  • Disable ScreenConnect: If patching is not possible, terminate the ScreenConnect service until it can be updated.

Short-term (2 weeks):

  • Network Segmentation: Segregate critical infrastructure (SCADA, EHR) from general management networks to prevent lateral movement from jump hosts.
  • Least Privilege: Review and remove administrative rights from accounts that do not strictly require them, particularly for service accounts.
  • EDR Deployment: Ensure EDR agents are running on all internet-facing management servers.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarehealthcareenergycve-exploitationlateral-movement

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action