Back to Intelligence

QILIN Ransomware Gang: 18 New Victims Posted — Critical Vulnerability Exploitation & Cross-Sector Targeting

SA
Security Arsenal Team
May 12, 2026
6 min read
  • Known Aliases: Agenda, Qilin (formerly Agenda)
  • Operational Model: Ransomware-as-a-Service (RaaS). The gang operates an aggressive affiliate program, often recruiting penetration testers specializing in initial access brokering.
  • Typical Ransom Demands: Variable, generally ranging from $300,000 to $5 million USD depending on victim revenue. They are known to negotiate aggressively and follow through on leak threats if payment fails.
  • Initial Access Methods: Historically focused on phishing and valid credentials exploitation (VPN/RDP). However, recent campaigns pivot heavily to exploiting internet-facing applications, specifically Microsoft Exchange, Cisco Firewalls, and Mail Servers.
  • Double Extortion: Strict adherence to the double-extortion model. They exfiltrate tens to hundreds of gigabytes of data (financials, client PII, employee databases) before executing encryption.
  • Dwell Time: Average dwell time has decreased in 2026 to approximately 3-5 days between initial access and detonation, requiring faster-than-average detection cycles.

Current Campaign Analysis

Sectors Under Fire: The latest dump of 18 victims reveals a distinct shift toward Business Services (5 victims) and Construction (2 victims), alongside continued targeting of Technology and Consumer Services. The diversity suggests Qilin affiliates are leveraging commodity exploits (like Exchange) rather than highly targeted supply chain attacks.

Geographic Concentration: The campaign is heavily Western-focused, with the US (5 victims) and Great Britain (4 victims) taking the brunt of the attacks. Significant activity in Canada (2 victims) and emerging presence in Latin America (Argentina, Mexico) suggest a broadening of the affiliate network.

Victim Profile: The victims—ranging from "The Gravity Group" to "Advanced Laundry Systems"—fit the SMB to Upper-Mid-Market profile ($20M - $500M revenue). These organizations typically have robust internet-facing infrastructure (Exchange, Cisco FMC) but potentially slower patch cycles compared to Fortune 500s.

CVE Connection: There is a direct correlation between the victims (Business Services/Tech) and the listed CISA KEV vulnerabilities:

  • CVE-2023-21529 (Microsoft Exchange): Likely used to access AppDirect and Mediapost Spain.
  • CVE-2026-20131 (Cisco FMC): A critical vector for lateral movement or perimeter bypass in organizations like Shipping Services and Exco Technologies.
  • CVE-2025-55182 (Meta React): A high-impact vector for the Technology sector victims (e.g., CAD-IT UK), allowing unauthenticated RCE on web servers.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Microsoft Exchange Deserialization Exploit (CVE-2023-21529)
id: a9e12b34-56c7-48d1-9e2f-3a4b5c6d7e8f
description: Detects suspicious deserialization patterns or PowerShell execution often associated with Exchange exploitation attempts.
status: experimental
date: 2026/05/13
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|contains: \'w3wp.exe\'
        CommandLine|contains:
            - \'System.Web.Configuration.MachineKeySection\'
            - \'System.Management.Automation.Serialization\'
            - \'TextFormattingRunProperties\'
    condition: selection
falsepositives:
    - Legitimate administrative management
level: high
---
title: Cisco FMC Deserialization Exploit Indicators
id: b1c22d33-44e5-59f2-0f3g-4b5c6d7e8f9a
description: Detects inbound exploitation attempts against Cisco Secure Firewall Management Center via suspicious URI patterns.
status: experimental
date: 2026/05/13
author: Security Arsenal Research
logsource:
    product: firewall
detection:
    selection:
        cisco_destination|startswith: \'/mgmt/cm/\'
        http_method|contains: \'POST\'
        sc_status: 200
    condition: selection
falsepositives:
    - Known administrative management traffic from internal IPs
level: critical
---
title: SmarterMail Authentication Bypass and File Upload
id: c2d33e44-55f6-60g3-1g4h-5c6d7e8f9a0b
description: Detects exploitation of SmarterMail vulnerabilities via suspicious file upload paths or auth bypass attempts.
status: experimental
date: 2026/05/13
author: Security Arsenal Research
logsource:
    product: webserver
detection:
    selection_upload:
        cs_uri_query|contains: \'SaveDraftAttachments\'
        cs_method: \'POST\'
    selection_bypass:
        cs_uri_query|contains: \'ResetPassword\'
        cs_uri_query|contains: \'token\'
    condition: 1 of selection_
falsepositives:
    - Legitimate email client usage
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for potential Qilin lateral movement and data staging
// Looks for massive file modifications and unusual SMB access typical of pre-encryption exfil
let TimeFrame = 1h;
let FileExtensions = dynamic([@".pst", @".ost", @".bak", @".sql", @".db", @".ldf", @".mdf"]);
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where FileName has_any(FileExtensions)
| where ActionType == "FileCreated" or ActionType == "FileModified"
| summarize Count = count() by DeviceName, InitiatingProcessAccountName, FolderPath
| where Count > 50 // Threshold for mass activity
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(TimeFrame)
    | where RemotePort == 445 // SMB traffic often used for staging
    | summarize SMBConnectionCount = count() by DeviceName, RemoteIP
) on DeviceName
| project DeviceName, InitiatingProcessAccountName, FolderPath, Count, RemoteIP, SMBConnectionCount

PowerShell

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Hardening & Rapid Response Script
.DESCRIPTION
    Checks for indicators of Qilin activity (Shadow Copy manipulation) and 
    enforces immediate hardening on vulnerable Exchange/SmarterMail services.
#>

Write-Host "[+] Starting Qilin Threat Hunt and Hardening..." -ForegroundColor Cyan

# 1. Check for recent deletion of Volume Shadow Copies (Qilin TTP)
$VssEvents = Get-WinEvent -LogName "System" -FilterXPath "*[System[(EventID=1)]] and *[EventData[Data[@Name='Operation'] and (='ShadowCopy Delete')]]" -ErrorAction SilentlyContinue
if ($VssEvents) {
    Write-Host "[!] ALERT: Shadow Copy Deletion detected!" -ForegroundColor Red
    $VssEvents | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "[-] No Shadow Copy deletions found." -ForegroundColor Green
}

# 2. Hunt for suspicious scheduled tasks (Persistence)
$suspiciousTasks = Get-ScheduledTask | Where-Object {$_.Actions.Execute -like "*powershell*" -or $_.Actions.Execute -like "*cmd.exe*"} | 
                    Where-Object {$_.State -eq "Ready"}
Write-Host "[+] Reviewing Scheduled Tasks..." -ForegroundColor Cyan
foreach ($task in $suspiciousTasks) {
    # Check for tasks created or modified in the last 7 days
    $taskInfo = Export-ScheduledTask -TaskName $task.TaskName
    $xml = [xml]$taskInfo
    $date = $xml.Task.Principals.Principal.UserId
    Write-Host "Task: $($task.TaskName) | Author: $($task.Author) | State: $($task.State)"
}

# 3. Hardening: Block known exploited ports at Firewall (If applicable)
Write-Host "[+] Hardening: Checking Windows Firewall status..."
$fwProfile = Get-NetFirewallProfile | Select-Object Name, Enabled
if ($fwProfile.Enabled -contains $false) {
    Write-Host "[!] WARNING: One or more Firewall profiles are disabled." -ForegroundColor Yellow
}

Write-Host "[+] Script Complete. If alerts triggered, initiate IR Plan immediately." -ForegroundColor Cyan

Incident Response Priorities

T-Minus Detection Checklist:

  1. Exchange/IIS Logs: immediately parse logs for CVE-2023-21529 exploitation patterns (deserialization strings).
  2. Web Server Logs: Check w3wp.exe parent processes spawning PowerShell or cmd.exe.
  3. Cisco FMC Logs: Hunt for successful admin logins from non-corporate IP ranges indicating CVE-2026-20131 usage.

Critical Assets for Exfiltration: Based on the victim profile (Finance, Real Estate, Business Services), prioritize the search for exfiltration on:

  • Financial databases (SQL backups)
  • Client lists and CRM exports
  • HR/Payroll data (high leverage for extortion)

Containment Actions:

  1. Isolate: Remove Exchange Servers and Cisco FMC appliances from the network immediately if compromise is suspected.
  2. Revoke: Reset credentials for accounts with access to SmarterMail and Exchange Admin panels.
  3. Block: Block inbound traffic from known TOR exit nodes and anomalous geographic regions at the perimeter.

Hardening Recommendations

Immediate (24 Hours):

  • Patch Exchange: Apply the security update for CVE-2023-21529 immediately. If patching is delayed, restrict OABVirtualDirectory access to internal IPs only.
  • Patch Cisco: Update Cisco Secure Firewall Management Center to address CVE-2026-20131. Disable external management interfaces if not strictly required.
  • Segmentation: Ensure mail servers and firewall management consoles are in a high-security VLAN with no direct internet access other than required ports.

Short-term (2 Weeks):

  • Application Control: Implement strict allow-listing for w3wp.exe and java.exe to prevent web shell execution.
  • MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) for all VPN and Web Application logins.
  • Backup Integrity: Verify offline backups are immutable and test restore procedures for Business Services and Construction sector specific file systems.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarecisa-kevexchange-exploitbusiness-servicesdouble-extortion

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action