Back to Intelligence

QILIN Ransomware Gang: 14 New Victims Posted — Sector Targeting Analysis & Detection Rules

SA
Security Arsenal Team
June 1, 2026
9 min read

Qilin (also known as Agenda Ransomware) is a Ransomware-as-a-Service (RaaS) operation that emerged in July 2022. The group operates primarily through a double-extortion model, encrypting victim systems while threatening to leak stolen data if ransom demands are not met.

Key Characteristics:

  • Model: RaaS operation with affiliates receiving approximately 80-90% of ransom payments
  • Ransom Demands: Typically ranging from $300,000 to several million USD, depending on victim size and revenue
  • Initial Access Methods: Primarily through compromised VPN credentials, exploiting vulnerabilities in public-facing applications, and phishing campaigns with malicious attachments
  • Double Extortion: Data exfiltration precedes encryption, with stolen data published on their dark web leak site if payment isn't made
  • Dwell Time: Approximately 7-14 days from initial access to ransomware deployment, allowing for network reconnaissance and privilege escalation

Qilin is known for its focus on mid-to-large organizations, with particular emphasis on sectors containing sensitive data that would be valuable in extortion scenarios. Their attacks have increasingly targeted critical infrastructure and healthcare providers.

Current Campaign Analysis

Based on data from the QILIN leak site between May 27-28, 2026:

Targeted Sectors:

  1. Manufacturing (21% of victims): Sinomax USA, Carton Craft Supply, LA Woodworks
  2. Healthcare (21% of victims): Mindpath College Health, Providence Medical Group, Dillon Family Medicine
  3. Business Services (14% of victims): Gallun Snow Associates, Kennedy, McLaughlin & Associates
  4. Not Found (14% of victims): Jens Jensen, Martinez & Shanken
  5. Education (7% of victims): Alamo Heights School District
  6. Technology (7% of victims): HumanEdge
  7. Agriculture and Food Production (7% of victims): Osool Poultry
  8. Consumer Services (7% of victims): Otthon Centrum

Geographic Concentration:

  • United States: 71% of victims (10 organizations)
  • Australia: 7% of victims
  • Denmark: 7% of victims
  • Laos: 7% of victims
  • Saudi Arabia: 7% of victims
  • Hungary: 7% of victims

Victim Profile: The campaign appears to focus on small-to-mid-sized organizations (SMBs) across various sectors. Revenue estimates based on targeted sectors suggest organizations with $10M-$500M in annual revenue, making them ideal targets for ransom demands of $300K-$3M.

Posting Frequency: An unusual pattern emerged with 13 of 14 victims posted on the same day (2026-05-28), suggesting either:

  • Multiple affiliate operations culminating simultaneously
  • A coordinated effort by a single prolific affiliate
  • A release of "backlog" victims who refused to pay initial demands

Connections to CVEs: The recent activity correlates with known exploitation of CVE-2024-1708 (ConnectWise ScreenConnect), CVE-2023-21529 (Microsoft Exchange Server), and CVE-2025-52691 (SmarterTools SmarterMail), all added to the CISA KEV catalog in 2026. These vulnerabilities likely serve as initial access vectors for many of the recently posted victims, especially in the technology and business services sectors.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Qilin Ransomware Activity - Suspicious PowerShell Commands
id: 4e3a2c1f-8d4b-4a9e-9c6d-7b5a8e3f6d2c
status: experimental
description: Detects suspicious PowerShell commands potentially associated with Qilin ransomware operations, including credential dumping and lateral movement
references:
    - Internal Qilin Analysis
author: Security Arsenal Research
date: 2026/06/02
tags:
    - attack.credential_access
    - attack.lateral_movement
    - attack.execution
logsource:
    product: windows
    service: powershell
detection:
    selection:
        EventID: 4103 or 4104
    credential_keywords:
        ContextInfo|contains:
            - 'Mimikatz'
            - 'Invoke-Mimikatz'
            - 'DumpCreds'
            - 'Get-ComputerInfo'
    lateral_keywords:
        ContextInfo|contains:
            - 'New-PSDrive'
            - 'Copy-Item'
            - 'Invoke-WmiMethod'
            - 'Invoke-Command'
    condition: selection and (credential_keywords or lateral_keywords)
falsepositives:
    - Legitimate administrative activities
level: high

---
title: Potential Qilin Ransomware Activity - Unusual RDP Connections
id: 7f9e3c2a-6d5b-4e8f-9a7c-3b2d8e4f5a6c
status: experimental
description: Detects suspicious Remote Desktop Protocol connections potentially associated with Qilin ransomware lateral movement
references:
    - Internal Qilin Analysis
author: Security Arsenal Research
date: 2026/06/02
tags:
    - attack.lateral_movement
    - attack.initial_access
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10
        LogonType|re: '^(3|8|10)$'
    filter_admin:
        TargetUserName|re: '(admin|root|administrator)'
    filter_suspicious_source:
        IpAddress|notstartswith: '192.168.'
        IpAddress|notstartswith: '10.'
        IpAddress|notstartswith: '172.16.'
    filter_time:
        Timestamp:
    condition: selection and filter_admin and filter_suspicious_source
falsepositives:
    - Legitimate remote administration from non-corporate networks
level: high

---
title: Potential Qilin Ransomware Activity - Data Exfiltration Indicators
id: 2d8e4f3b-7c6a-5e9f-0a8d-4c3e9f5a6b7d
status: experimental
description: Detects signs of data exfiltration commonly seen in Qilin ransomware operations
references:
    - Internal Qilin Analysis
author: Security Arsenal Research
date: 2026/06/02
tags:
    - attack.exfiltration
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 7
    filter_suspicious_tools:
        Image|contains:
            - 'rar.exe'
            - 'winrar.exe'
            - '7z.exe'
            - 'zip.exe'
            - 'powershell.exe'
    filter_archiving_keywords:
        CommandLine|contains:
            - '-a'
            - 'archive'
            - 'compress'
    filter_exfil_keywords:
        CommandLine|contains:
            - '\\\\'
            - 'http'
            - 'ftp'
    condition: selection and filter_suspicious_tools and filter_archiving_keywords and filter_exfil_keywords
falsepositives:
    - Legitimate system administration tasks
level: high

KQL Hunt Query

KQL — Microsoft Sentinel / Defender
// Qilin Ransomware - Lateral Movement and Staging Indicators
// Hunt for suspicious activities associated with Qilin operations
let TimeFrame = ago(7d);
let SuspiciousProcesses = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"]);
let SuspiciousParentProcesses = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "mshta.exe", "regsvr32.exe"]);

// Find suspicious process execution chains
DeviceProcessEvents
| where Timestamp >= TimeFrame
| where InitiatingProcessFileName in~ (SuspiciousParentProcesses) and FileName in~ (SuspiciousProcesses)
| extend ProcessCommandLine = tostring(ProcessCommandLine)
| where ProcessCommandLine contains any("invoke-expression", "downloadstring", "iex", "net.user", "net share", "whoami", "net localgroup")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| order by Timestamp desc
| limit 100

PowerShell Response Script

PowerShell
# Qilin Ransomware - Quick Response Hardening Script
# Run this script on potentially compromised systems to gather evidence and apply immediate hardening

function Get-QilinIndicators {
    param(
        [int]$DaysToCheck = 7
    )
    
    $results = @()
    $cutoffDate = (Get-Date).AddDays(-$DaysToCheck)
    
    # Check for recently created scheduled tasks
    Write-Host "Checking for recently created scheduled tasks..." -ForegroundColor Cyan
    $scheduledTasks = Get-ScheduledTask | Where-Object { $_.Date -gt $cutoffDate } | 
                     Select-Object TaskName, Date, Author, Description | 
                     Where-Object { $_.Author -notlike "*$env:COMPUTERNAME*" }
    
    if ($scheduledTasks) {
        $results += "Found $($scheduledTasks.Count) recently created scheduled tasks:"
        $results += $scheduledTasks | Format-Table | Out-String
    }
    
    # Check for modified Volume Shadow Copies
    Write-Host "Checking for modified Volume Shadow Copies..." -ForegroundColor Cyan
    $shadowCopies = vssadmin list shadows 2>$null | Where-Object { $_ -match "Shadow Copy Volume" }
    
    if ($shadowCopies) {
        $results += "Found Volume Shadow Copies:"
        $results += $shadowCopies
    }
    
    # Check for recently added users
    Write-Host "Checking for recently added users..." -ForegroundColor Cyan
    $newUsers = Get-LocalUser | Where-Object { $_.LastLogon -gt $cutoffDate -or $_.PasswordLastSet -gt $cutoffDate } | 
                Where-Object { $_.PrincipalSource -eq "Local" }
    
    if ($newUsers) {
        $results += "Found recently modified local users:"
        $results += $newUsers | Format-Table | Out-String
    }
    
    # Check for PowerShell event logs with suspicious commands
    Write-Host "Checking for suspicious PowerShell commands..." -ForegroundColor Cyan
    $suspiciousCommands = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; StartTime=$cutoffDate; Id=4104} -ErrorAction SilentlyContinue | 
                         Where-Object { $_.Message -match "(Invoke-Expression|DownloadString|IEX)" } |
                         Select-Object TimeCreated, Message
    
    if ($suspiciousCommands) {
        $results += "Found $($suspiciousCommands.Count) suspicious PowerShell commands:"
        $results += $suspiciousCommands | Format-List | Out-String
    }
    
    return $results
}

# Apply immediate hardening measures
function Invoke-ImmediateHardening {
    Write-Host "Applying immediate hardening measures..." -ForegroundColor Yellow
    
    # Disable RDP if not needed
    Write-Host "Checking RDP status..." -ForegroundColor Cyan
    $rdpStatus = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server").fDenyTSConnections
    
    if ($rdpStatus -eq 0) {
        Write-Host "WARNING: RDP is enabled. Consider disabling it if not required." -ForegroundColor Red
        # Uncomment below to disable RDP
        # Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
        # Write-Host "RDP has been disabled." -ForegroundColor Green
    }
    
    # Check for SMBv1
    Write-Host "Checking SMBv1 status..." -ForegroundColor Cyan
    $smbv1 = Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
    
    if ($smbv1.EnableSMB1Protocol -eq $true) {
        Write-Host "WARNING: SMBv1 is enabled. Disabling..." -ForegroundColor Red
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 has been disabled." -ForegroundColor Green
    }
    
    # Enable Windows Firewall if not enabled
    Write-Host "Checking Windows Firewall status..." -ForegroundColor Cyan
    $firewallProfile = Get-NetFirewallProfile | Where-Object { $_.Enabled -eq $false }
    
    if ($firewallProfile) {
        Write-Host "WARNING: Windows Firewall profiles are disabled. Enabling..." -ForegroundColor Red
        $firewallProfile | Set-NetFirewallProfile -Enabled True
        Write-Host "Windows Firewall has been enabled for all profiles." -ForegroundColor Green
    }
}

# Main execution
Write-Host "Starting Qilin Ransomware Response Script..." -ForegroundColor Green
Write-Host "Gathering indicators of compromise..." -ForegroundColor Yellow
$indicators = Get-QilinIndicators -DaysToCheck 7

Write-Host "`nIndicator Results:" -ForegroundColor Green
$indicators | ForEach-Object { Write-Host $_ -ForegroundColor White }

Write-Host "`n" -ForegroundColor White
Invoke-ImmediateHardening

Write-Host "`nScript execution completed." -ForegroundColor Green
Write-Host "Please review the results and escalate to your security team if indicators are found." -ForegroundColor Yellow

Incident Response Priorities

T-Minus Detection Checklist:

  1. Monitor for unusual RDP connections from external IPs, especially to administrative accounts
  2. Alert on mass file encryption events (sudden large number of file modifications with uncommon extensions)
  3. Watch for PowerShell commands containing base64 encoded payloads or download strings
  4. Monitor for rapid creation/deletion of scheduled tasks outside maintenance windows
  5. Detect unusual volumes of data being transferred to external IP addresses or cloud storage
  6. Watch for usage of PowerShell remoting (Enter-PSSession) between workstations
  7. Monitor for unexpected use of system administration tools (PsExec, WMI, etc.) by non-admin accounts

Critical Assets Prioritized for Exfiltration by Qilin:

  1. Personally Identifiable Information (PII) and Protected Health Information (PHI)
  2. Intellectual property and sensitive product designs
  3. Financial documents and banking information
  4. Executive communications and contracts
  5. Employee databases and HR records
  6. Customer databases and transaction histories
  7. Authentication credentials and access configurations

Containment Actions (by urgency):

  1. IMMEDIATE (Within 1 Hour):

    • Isolate affected systems from the network
    • Disable any non-essential VPN accounts
    • Suspend any suspicious user accounts
    • Block identified malicious IP addresses at the perimeter firewall

  2. URGENT (Within 4 Hours):

    • Force password resets for all privileged accounts
    • Temporarily disable RDP access globally until investigation completes
    • Review and temporarily restrict external file transfer capabilities
    • Analyze firewall logs for evidence of data exfiltration

  3. HIGH PRIORITY (Within 24 Hours):

    • Conduct forensic imaging of affected systems
    • Review logs across the entire environment for signs of lateral movement
    • Implement network segmentation to limit east-west traffic
    • Prepare communications plan for potential public disclosure

Hardening Recommendations

Immediate (24h):

  1. Patch Management: Prioritize patching of CVE-2024-1708 (ConnectWise ScreenConnect), CVE-2023-21529 (Microsoft Exchange Server), and CVE-2025-52691 (SmarterTools SmarterMail)
  2. Access Controls: Enforce Multi-Factor Authentication (MFA) for all remote access solutions, especially VPN and RDP
  3. Network Segmentation: Isolate critical servers from general network access
  4. Endpoint Protection: Ensure all endpoints have updated antivirus/EDR signatures and are actively scanning
  5. Email Security: Implement advanced email filtering and user awareness training for phishing detection
  6. Backup Verification: Confirm that recent backups exist and are recoverable

Short-term (2 weeks):

  1. Zero Trust Architecture: Begin implementation of Zero Trust principles for network access
  2. Privileged Access Management (PAM): Deploy or enhance PAM solution to monitor and control administrative access
  3. Security Awareness Training: Conduct targeted training sessions focused on ransomware recognition and response
  4. Deception Technology: Deploy honeytokens and decoy assets to detect early lateral movement
  5. Cloud Security: Review and harden cloud storage configurations that could be targeted for data exfiltration
  6. Incident Response Plan: Update and test ransomware-specific incident response procedures

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwaremanufacturinghealthcareransomware-as-a-servicedata-exfiltration

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action