Back to Intelligence

QILIN Ransomware: Cross-Sector Surge & Critical Infrastructure Targeting — Detection Engineering Brief

SA
Security Arsenal Team
May 20, 2026
6 min read

Aliases: Agenda, Qilin.B Model: Ransomware-as-a-Service (RaaS) Ransomware Type: Rust/Go-based encryptor

Qilin is a sophisticated RaaS operation known for its aggressive double-extortion tactics. Unlike brief extortion-only groups, Qilin exfiltrates sensitive data (PII, financial records, intellectual property) and threatens leaks before encrypting systems. They typically recruit access via Initial Access Brokers (IABs) who sell VPN credentials, compromised RDP sessions, or valid accounts obtained through phishing. Once inside, the gang moves laterally using Cobalt Strike beacons and custom tools, often maintaining a dwell time of 3–7 days before detonation to maximize data theft.

Current Campaign Analysis

Campaign Dates: 2026-05-15 to 2026-05-18 Victim Count: 15 confirmed postings

Sectors Targeted

Qilin has pivoted significantly from purely opportunistic attacks to targeting critical verticals. The current campaign shows a high density of attacks against:

  • Healthcare: 3 victims (Salter HealthCare, Generation Life, CLINICA AVELLANEDA).
  • Manufacturing & Industrial: 3 victims (Buckeye Paper, Monir Precision, RCR Industrial Flooring).
  • Agriculture & Food: 3 victims (Fruits Queralt, The Taylor Provisions, Comercial Echave Turri).

Geographic Concentration

While Qilin maintains a global footprint, this wave shows distinct clustering in the APAC (Australia, Malaysia) and ANGLOSHERE (US, UK, Canada) regions.

Initial Access Vectors & CVE Correlation

Based on the CISA KEV list associated with this gang's recent infrastructure, the following vulnerabilities are highly suspected as primary entry points for the recent victims:

  • CVE-2024-1708 (ConnectWise ScreenConnect): A path traversal vulnerability allowing remote code execution. This is a prevalent vector for managed service providers (MSPs) managing the targeted manufacturing and healthcare victims.
  • CVE-2023-21529 (Microsoft Exchange Server): Deserialization vulnerability allowing authenticated attackers to run code. Likely used against the public sector and education targets (e.g., Australian College of Business Intelligence).
  • SmarterMail Vulnerabilities (CVE-2025-52691 / CVE-2026-23760): Recent additions to the KEV list suggest active exploitation of email gateways for initial access.

Detection Engineering

Sigma Rules

YAML
title: Potential ConnectWise ScreenConnect CVE-2024-1708 Exploitation
id: 5a4b32c7-8d3e-4b1a-9c1f-3d9e5a6b7c8d
description: Detects potential exploitation of ConnectWise ScreenConnect path traversal vulnerability via suspicious web session creation paths.
status: experimental
date: 2026/05/20
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/Bin/ScreenConnect.ashx'
            - '/Host.ashx'
        c-uri-query|contains:
            - '..%2F'
            - '..\\'
    condition: selection
falsepositives:
    - Unknown
level: critical

tags:
    - attack.initial_access
    - cve.2024.1708
    - detection.emerging_threats
---
title: Cobalt Strike Beacon Process Injection
id: b2c44d1e-9e5f-4a2b-8c3d-1e0f5a6b7c8d
description: Detects suspicious process injection patterns often used by Qilin operators leveraging Cobalt Strike beacons (cross-process allocation).
status: experimental
date: 2026/05/20
author: Security Arsenal Research
logsource:
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'crossproc'
            - 'fork&run'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\rundll32.exe'
    filter:
        ParentImage|contains:
            - '\Program Files'
            - '\Windows System32'
    condition: selection and not filter
falsepositives:
    - Legitimate administration tools
level: high
tags:
    - attack.execution
    - attack.t1055
---
title: Qilin Ransomware Pre-Encryption Shadow Copy Deletion
id: c1d33e0f-8d4e-4b1a-9c1f-3d9e5a6b7c8d
description: Detects commands used to delete Volume Shadow Copies via vssadmin or diskshadow, a common precursor to Qilin encryption.
status: experimental
date: 2026/05/20
author: Security Arsenal Research
logsource:
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\vssadmin.exe'
            - '\diskshadow.exe'
            - '\wbadmin.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'delete all'
            - 'resize shadowstorage'
    condition: selection
falsepositives:
    - System administrator maintenance
level: critical
tags:
    - attack.impact
    - attack.t1490

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for potential Qilin lateral movement and staging
// Focuses on named pipes common in Cobalt Strike and SMB lateral movement
DeviceProcessEvents 
| where Timestamp >= ago(7d)
| where (FileName in ("powershell.exe", "cmd.exe", "rundll32.exe") or InitiatingProcessFileName in ("powershell.exe", "cmd.exe"))
| extend ProcessCmdLine = tostring(ProcessCommandLine)
| where ProcessCmdLine contains "\\.\pipe\" or 
       ProcessCmdLine contains "Invoke-WebRequest" or 
       ProcessCmdLine contains "DownloadString" or
       ProcessCmdLine contains "-enc " 
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Rapid Response Script
.DESCRIPTION
    Checks for indicators of Qilin pre-encryption activity: VSS tampering, suspicious scheduled tasks, and anomalous SMB connections.
#>

Write-Host "[*] Starting Qilin Ransomware Response Checks..." -ForegroundColor Cyan

# 1. Check for recent Volume Shadow Copy deletions
Write-Host "[+] Checking Event Logs for VSS Deletion (Event ID 25)..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=25; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($vssEvents) { $vssEvents | Select-Object TimeCreated, Message | Format-List } 
else { Write-Host "    No VSS deletion events found in last 24h." -ForegroundColor Green }

# 2. Hunt for Suspicious Scheduled Tasks created in last 48 hours
Write-Host "[+] Enumerating Scheduled Tasks created/modified in last 48h..." -ForegroundColor Yellow
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddHours(-48) }
if ($suspiciousTasks) { $suspiciousTasks | Select-Object TaskName, Date, Author, Actions | Format-Table } 
else { Write-Host "    No recent tasks found." -ForegroundColor Green }

# 3. Check for Hidden Users (Common persistence mechanism)
Write-Host "[+] Checking for hidden users (ending with $)..." -ForegroundColor Yellow
$hiddenUsers = Get-WmiObject -Class Win32_UserAccount | Where-Object { $_.Name -match '\$$' }
if ($hiddenUsers) { Write-Host "    WARNING: Hidden users detected:" -ForegroundColor Red; $hiddenUsers | Select-Object Name, SID } 
else { Write-Host "    No hidden users found." -ForegroundColor Green }

Write-Host "[*] Scan complete." -ForegroundColor Cyan

Incident Response Priorities

  1. T-Minus Detection Checklist:

    • Verify if ConnectWise ScreenConnect servers are exposed to the internet. Check logs for exploitation attempts on /Bin/ScreenConnect.ashx.
    • Hunt for Cobalt Strike beacons (often named update.exe, mstsc.exe, or dllhost.exe) in %TEMP% or C:\ProgramData.
    • Review active RDP sessions for anomalies, specifically connections originating from unusual geographic IPs matching the Qilin target list (AU, MY, ES).

  2. Critical Assets:

    • EHR/EMR Systems: Qilin specifically targets healthcare (Salter HealthCare, Generation Life). Prioritize isolation of database servers storing PHI.
    • Financial Systems: Given the targeting of PNSB Insurance Brokers, finance file shares are high-value exfiltration targets.

  3. Containment Actions:

    • Immediate: Isolate victims from the network; do not reboot (to keep volatile memory artifacts for analysis of the encryption key).
    • Credential Reset: Assume domain admin compromise if Exchange or VPN was exploited. Force reset all privileged credentials.
    • Block IPs: Block inbound traffic from known anomalous regions if not business-appropriate.

Hardening Recommendations

Immediate (24 Hours):

  • Patch CVE-2024-1708: Apply the ScreenConnect patch immediately or restrict access to ScreenConnect interfaces via VPN/Allow-lists.
  • Patch Exchange: Ensure the Cumulative Update addressing CVE-2023-21529 is applied.
  • Disable MFA bypass: Enforce strict MFA on all remote access gateways; Qilin frequently leverages fatigued users or stolen sessions.

Short-term (2 Weeks):

  • Network Segmentation: Segregate IT management tools (ScreenConnect, RMM) from the general corporate network. These tools are high-value targets for Qilin to pivot.
  • EDR Configuration: Tune EDR alerts to look for PsExec and WMI usage from non-admin workstations, as these are primary lateral movement tools for this group.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomware-as-a-servicehealthcarecve-2024-1708initial-accesscobalt-strike

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action