Back to Intelligence

QILIN Ransomware Gang: 15 New Victims Posted — Multi-Sector Surge & Critical CVE Exploitation

SA
Security Arsenal Team
May 13, 2026
6 min read

Aliases: Agenda (Historical), Qilin.B

Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates a sophisticated affiliate program, providing a Go-language based encryptor that is highly customizable and difficult to detect via signature-based methods.

Typical Ransom Demands: Highly variable, ranging from $500,000 to multi-million dollar demands depending on victim revenue and stolen data volume. They frequently negotiate aggressively.

Initial Access Vectors:

  • Exploitation of Public-Facing Applications: Historically focused on VPN vulnerabilities (Fortinet, Pulse Secure), but recent intelligence indicates a shift toward exploiting mail servers (Microsoft Exchange, SmarterTools SmarterMail) and firewall management interfaces (Cisco FMC).
  • Phishing: Initial access via credential harvesting or macro-laced documents remains a staple for affiliates without exploit capabilities.

TTPs:

  • Double Extortion: Aggressive data theft followed by encryption. They are known to victimize legal and healthcare entities specifically to pressure payment via data privacy concerns.
  • Dwell Time: Short. Qilin affiliates often move laterally within 1-3 days of initial access, executing encryption payloads quickly to maximize pressure before detection.

Current Campaign Analysis

Campaign Date Range: 2026-05-11 to 2026-05-13 Total Victims Posted: 15

Targeted Sectors: Qilin is currently executing a "spray and pray" campaign targeting vulnerable internet-facing infrastructure rather than a specific vertical. However, the following sectors are disproportionately represented:

  1. Business Services (40%): Law firms (John G Yphantides), marketing (Mediapost), and logistics (LTJ Industrial).
  2. Healthcare (7%): Spirit Medical Transport (US).
  3. Technology (13%): Bluize (AU), AppDirect (CA).

Geographic Concentration:

  • Americas: US (5), CA (2)
  • EMEA: GB (3), FR (1), ES (1), IL (1)
  • APAC: AU (1), SG (1)

Victim Profile: The victim list suggests a focus on mid-market organizations ($10M - $200M revenue). However, the inclusion of AppDirect (a Unicorn tech firm) and Spirit Medical indicates affiliates are opportunistic, attacking any entity with unpatched infrastructure.

CVE Correlation: The timing of these postings aligns perfectly with the weaponization of the following CISA KEV-listed vulnerabilities:

  • CVE-2025-52691 / CVE-2026-23760 (SmarterMail): Victims like Bluize (Tech) and AppDirect likely relied on exposed mail servers.
  • CVE-2023-21529 (Microsoft Exchange): A perennial favorite for Qilin affiliates to gain initial access via deserialization flaws.

Detection Engineering

Sigma Rules

YAML
title: SmarterMail Webshell Upload Activity
description: Detects potential webshell upload or exploitation patterns associated with CVE-2025-52691 targeting SmarterTools SmarterMail.
status: experimental
date: 2026/05/14
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
detection:
    selection:
        EventID: 5140 or 5145
        ShareName|contains: 'Web Sites'
        RelativeTargetName|contains: 
            - '.aspx'
            - '.ashx'
            - '.asp'
    filter:
        SubjectUserName|endswith: '$' # Ignore system accounts
    condition: selection and not filter
falsepositives:
    - Legitimate administrator file management
level: critical
---
title: Microsoft Exchange Deserialization Exploit Attempt
description: Detects exploitation attempts of CVE-2023-21529 via suspicious PowerShell activity spawned by Exchange worker processes.
status: experimental
date: 2026/05/14
author: Security Arsenal Research
detection:
    selection_parent:
        ProcessName|endswith: 
            - 'w3wp.exe'
            - 'MSExchangeOWAAppPool.exe'
    selection_child:
        Image|endswith: 
            - 'powershell.exe'
            - 'cmd.exe'
        CommandLine|contains: 
            - 'deserialization'
            - 'ObjectDataProvider'
            - 'TypeInfo'
    condition: selection_parent and selection_child
falsepositives:
    - Administrative Exchange management scripts
level: high
---
title: Qilin Ransomware Payload Execution Pattern
description: Detects typical Qilin execution chains involving PowerShell base64 decoding followed by rapid file encryption.
status: experimental
date: 2026/05/14
author: Security Arsenal Research
detection:
    selection_ps:
        Image|endswith: 'powershell.exe'
        CommandLine|contains: 'FromBase64String'
    selection_process:
        Image|endswith: 
            - '.exe'
            - '.dll'
        CommandLine|contains: 
            - 'encrypt'
            - '-k' # Key parameter often used by Qilin
    timeframe: 1m
    condition: selection_ps | followed by selection_process
falsepositives:
    - Legitimate backup software or encryption utilities
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin lateral movement and staging
// Focuses on PsExec/WMI usage and high-volume file modifications
let Processes = materialize(
    DeviceProcessEvents 
    | where Timestamp > ago(7d)
    | where FileName in~ ('psexec.exe', 'psexec64.exe', 'wmic.exe', 'powershell.exe')
    | where ProcessCommandLine has '-encoded' or ProcessCommandLine has 'Invoke-Command'
);
let FileMods = materialize(
    DeviceFileEvents
    | where Timestamp > ago(7d)
    | where ActionType =~ 'FileCreated'
    | where InitiatingProcessFileName =~ 'powershell.exe'
    | project Timestamp, DeviceName, FileName, InitiatingProcessCommandLine, SHA256
);
Processes
| join kind=inner FileMods on DeviceName, Timestamp
| where bin(Timestamp, 1m) == bin(Timestamp, 1m)
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, SHA256
| extend Indication = "Potential Qilin Staging or Lateral Movement"

PowerShell Response Script

PowerShell
# QILIN Ransomware Hardening & Hunt Script
# Run as Administrator

Write-Host "[+] Checking for recent suspicious Scheduled Tasks (Persistence)..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | 
    Select-Object TaskName, TaskPath, Date, Author, Actions | Format-Table -AutoSize

Write-Host "[+] Checking Volume Shadow Copies (VSS) for deletion..." -ForegroundColor Yellow
$vss = vssadmin list shadows
if ($vss -match "No shadow copies found") {
    Write-Host "[!] WARNING: No Shadow Copies found. Potential VSS wipe." -ForegroundColor Red
} else {
    Write-Host "[+] Shadow Copies present." -ForegroundColor Green
}

Write-Host "[+] Enumerating exposed RDP sessions (Check for unauthorized access)..." -ForegroundColor Cyan
$query = "SELECT * FROM Win32_LogonSession WHERE LogonType = 10"
Get-CimInstance -Query $query | ForEach-Object {
    $logonId = $_.LogonId
    $q = "ASSOCIATORS OF {Win32_LogonSession.LogonId='$logonId'} WHERE AssocClass=Win32_LoggedOnUser"
    $user = Get-CimInstance -Query $q
    Write-Host "User: $($user.Name) | Domain: $($user.Domain) | LogonID: $logonId"
}

Write-Host "[+] Checking SmarterMail/Exchange IIS Logs for recent 500 errors (Exploit Indicators)..." -ForegroundColor Cyan
# Note: Adjust log path as necessary for your environment
$logPaths = @("C:\inetpub\logs\LogFiles\*", "C:\Program Files\SmarterTools\SmarterMail\Logs")
foreach ($path in $logPaths) {
    if (Test-Path $path) {
        Write-Host "Checking $path..."
        Get-ChildItem $path -Recurse -File -ErrorAction SilentlyContinue | 
        Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-24)} | 
        Select-String -Pattern "500", "HttpException", "InvalidViewState" | 
        Select-Object Path, Line | Select-Object -First 10
    }
}


---

# Incident Response Priorities

**T-Minus Detection Checklist (Pre-Encryption):**
1.  **Mail Server Logs:** Immediate grep of Exchange and SmarterMail IIS logs for `2026-05-11` to `2026-05-14` for HTTP 500 errors or unusual POST requests to `autodiscover` or `Service.asmx`.
2.  **PowerShell Logs:** Hunt for `ScriptBlockLogging` events (Event ID 4104) containing base64 strings or calls to `System.Management.Automation.AMSIUtils`.
3.  **Network Egress:** Check for large data transfers (exfiltration) occurring 12-48 hours before victim posting dates.

**Critical Assets at Risk:**
- **Legal/Professional Services:** Client databases and case files (Historical Qilin priority).
- **Healthcare:** PHI/Patient transport records.
- **Source Code:** IP theft from technology victims (e.g., AppDirect).

**Containment Actions (Ordered by Urgency):**
1.  **Isolate:** Disconnect Mail Servers and VPN concentrators from the network immediately if patch status is unknown.
2.  **Reset:** Force reset of credentials for all privileged accounts (Domain Admin, Exchange Admin).
3.  **Block:** WAF rules to block access to `/autodiscover` and `/ecp`/`/owa` from external IPs not in allow-lists.

---

# Hardening Recommendations

**Immediate (24 Hours):**
- **Patch Management:** Patch **CVE-2023-21529** (Exchange), **CVE-2025-52691**/**CVE-2026-23760** (SmarterMail), and **CVE-2026-20131** (Cisco FMC). These are confirmed active exploitation vectors.
- **Access Control:** Enforce MFA on all mail server management interfaces and disable HTTP/HTTPS for management if not strictly required.

**Short-Term (2 Weeks):**
- **Network Segmentation:** Move mail servers and firewall management interfaces to a dedicated VLAN with strict egress rules.
- **EDR Coverage:** Ensure EDR sensors are deployed and alerting on IIS worker processes (`w3wp.exe`) spawning PowerShell or CMD shells.

---

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarehealthcaretechnologysmartermailcve-2023-21529

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action