Back to Intelligence

QILIN Ransomware Gang: 21 New Victims Posted — Construction & Manufacturing Sector Alert

SA
Security Arsenal Team
May 22, 2026
9 min read

Known Aliases: Agenda (initial name), Qilin

Business Model: Ransomware-as-a-Service (RaaS) operation with affiliate-driven campaigns. Qilin recruits affiliates through dark web forums and shares profits while providing encryption tools.

Typical Ransom Demands: $500,000 to $5 million, varying based on victim revenue and industry. Higher demands typically for manufacturing and construction companies with critical operational data.

Initial Access Methods:

  • Exploitation of public-facing vulnerabilities (VPN, RDP, web applications)
  • Phishing campaigns with malicious attachments
  • Compromised credentials via credential stuffing
  • Supply chain attacks through managed service providers

Double Extortion Approach: Qilin exfiltrates sensitive data before encryption and threatens to publish it on their dark web leak site if ransom isn't paid. They maintain a sophisticated leak site with countdown timers and sample data releases.

Average Dwell Time: 4-14 days between initial access and encryption, allowing time for lateral movement, privilege escalation, and data exfiltration.

CURRENT CAMPAIGN ANALYSIS

Targeted Sectors:

  • Construction (27% of recent victims) - Including ROTO Immobilien, CJ Architects, RCR Industrial Flooring
  • Manufacturing (13%) - Including Snyder Packaging, Buckeye Paper
  • Business Services (13%) - Including Porter W Yett, WNS Lowery
  • Consumer Services (13%) - Including Cz Collections, Gartengestaltung Muller eU
  • Agriculture and Food Production (9%) - Including Vial Agro, Fruits Queralt
  • Healthcare (5%)
  • Hospitality and Tourism (5%)
  • Not Found/Unknown (15%)

Geographic Concentration:

  • United States: 40% of victims (highest concentration)
  • Great Britain: 20%
  • Austria: 13%
  • Other countries (CZ, AR, AU, CA, ES): 27%

Victim Profile:

  • Primarily mid-market organizations with $50M-$500M annual revenue
  • Companies with operational technology and proprietary business processes
  • Organizations with limited cybersecurity resources but significant data assets
  • Industries with high time sensitivity for resuming operations

Posting Frequency:

  • Consistent activity with 3-4 new victims posted daily
  • Peak posting times: Monday-Wednesday
  • Some victims listed with consolidated business names (e.g., "Air Conditioning Florida & Mrdsllc & RTE Stucco & MR Drywall Services") suggesting affiliate may have penetrated multiple related entities

CVE Connection to Initial Access Vectors: Based on CISA KEV data and Qilin's tradecraft, the following CVEs are likely initial access vectors in current campaigns:

  • CVE-2024-1708 (ConnectWise ScreenConnect): High probability of use given recent addition to KEV and common use by ransomware groups for remote access
  • CVE-2023-21529 (Microsoft Exchange Server): Historical correlation with Qilin campaigns targeting business services and manufacturing
  • CVE-2026-20131 (Cisco Secure Firewall Management Center): Potential for bypassing perimeter security controls
  • CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): Combined exploitation of authentication bypass and file upload vulnerabilities could provide initial access to email infrastructure

DETECTION ENGINEERING

YAML
---
title: Potential ConnectWise ScreenConnect Exploitation
id: 5504498f-cb8f-4274-93c6-3d46b878b6e9
description: Detects potential exploitation of CVE-2024-1708 in ConnectWise ScreenConnect
author: Security Arsenal Research
status: stable
date: 2026/05/22
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: web
    product: nginx
detection:
    selection:
        c-uri|contains: '/LiveEvents/_.aspx'
        c-uri-query|contains:
            - 'WebService.asmx'
            - 'SessionManager.ashx'
    condition: selection
falsepositives:
    - Legitimate administrative access to ScreenConnect
level: high
---
title: Microsoft Exchange Server Deserialization Exploitation
id: 8f3b4972-0d8e-42f5-8825-ba7d57b18b2f
description: Detects potential exploitation of CVE-2023-21529 in Microsoft Exchange Server
author: Security Arsenal Research
status: stable
date: 2026/05/22
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5140
        ShareName|contains: 'Exchange'
        SubjectUserName|contains:
            - 'IUSR'
            - 'SYSTEM'
        RelativeTargetName|contains:
            - '.dll'
            - '.config'
    condition: selection
falsepositives:
    - Legitimate Exchange administration activities
level: high
---
title: SmarterMail Authentication Bypass and File Upload
id: b4932f82-7c91-4b5e-b6ea-9d0fe21f5c58
description: Detects potential exploitation of CVE-2025-52691 and CVE-2026-23760 in SmarterTools SmarterMail
author: Security Arsenal Research
status: stable
date: 2026/05/22
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: iis
detection:
    selection:
        c-uri|contains:
            - '/Services/Mail.asmx'
            - '/Services/MailService.asmx'
        cs-method: 'POST'
        cs-uri-query|contains:
            - 'FileUpload'
            - 'DownloadAttachment'
    condition: selection
falsepositives:
    - Legitimate SmarterMail usage patterns
level: high


kql
// Hunt for lateral movement indicators associated with Qilin ransomware
//适用于Microsoft Sentinel查询
let TimeFrame = 7d;
let ProcessCreation = union isfuzzy=true 
    SecurityEvent 
    | where EventID == 4688
    | where TimeGenerated >= ago(TimeFrame),
    DeviceProcessEvents 
    | where TimeGenerated >= ago(TimeFrame);
let SuspiciousProcesses = ProcessCreation
    | where ProcessName has_any ("powershell.exe", "cmd.exe", "wmi.exe", "psexec.exe", "wmic.exe")
    | where CommandLine has_any ("New-Item", "Copy-Item", "Invoke-Command", "schtasks", "net user", "net group", "vssadmin", "wbadmin", "bcdedit")
    | project TimeGenerated, Computer, Account, ProcessName, CommandLine, ParentProcessName;
let NetworkConnections = union isfuzzy=true
    DeviceNetworkEvents
    | where TimeGenerated >= ago(TimeFrame),
    SecurityEvent 
    | where EventID in (5156, 5158)
    | where TimeGenerated >= ago(TimeFrame)
    | where RemotePort in (445, 135, 3389, 5985, 5986);
let FileStaging = union isfuzzy=true
    DeviceFileEvents
    | where TimeGenerated >= ago(TimeFrame)
    | where FileName has_any (".rar", ".zip", ".7z", "temp", "stage")
    | where InitiatingProcess has_any ("powershell.exe", "cmd.exe", "winrar.exe", "7z.exe");
SuspiciousProcesses
| join kind=inner (NetworkConnections) on Computer
| distinct TimeGenerated, Computer, Account, ProcessName, CommandLine, RemoteIP, RemotePort
| sort by TimeGenerated desc


powershell
# Qilin Ransomware Response Script
# Run as Administrator on potentially compromised systems
param(
    [int]$DaysToCheck = 7,
    [string]$OutputPath = "$env:TEMP\QilinCheck_$(Get-Date -Format 'yyyyMMdd').csv"
)

# Check for recently created scheduled tasks (common persistence mechanism)
Write-Host "Checking for recently created scheduled tasks..." -ForegroundColor Yellow
$RecentTasks = Get-ScheduledTask | Where-Object {
    $_.Date -ge (Get-Date).AddDays(-$DaysToCheck)
} | Select-Object TaskName, Date, Author, Actions

# Check for unusual Volume Shadow Copy manipulation (common pre-encryption step)
Write-Host "Checking for Volume Shadow Copy manipulation..." -ForegroundColor Yellow
try {
    $VSSEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; StartTime=(Get-Date).AddDays(-$DaysToCheck)} -ErrorAction SilentlyContinue
    $SuspiciousVSSEvents = $VSSEvents | Where-Object { $_.Message -match "delete|shadow|copy|snapshot" } | Select-Object TimeCreated, Id, Message
} catch {
    $SuspiciousVSSEvents = "No VSS events found"
}

# Check for unusual network connections to common ransomware C2 ports
Write-Host "Checking for suspicious network connections..." -ForegroundColor Yellow
try {
    $NetworkConnections = Get-NetTCPConnection -State Established | Where-Object {
        $_.LocalPort -in @(445, 135, 3389, 5985, 5986) -or 
        $_.RemotePort -ge 1024 -and $_.RemotePort -le 65535
    } | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
} catch {
    $NetworkConnections = "Unable to retrieve network connections"
}

# Check for recently modified files in common data directories
Write-Host "Checking for recently modified files..." -ForegroundColor Yellow
$DataDirs = @("C:\Users", "C:\ProgramData", "C:\Shares")
$RecentlyModified = foreach ($dir in $DataDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue | 
        Where-Object { $_.LastWriteTime -ge (Get-Date).AddDays(-$DaysToCheck) } |
        Select-Object FullName, LastWriteTime, Length
    }
}

# Compile results
$Results = [PSCustomObject]@{
    ScheduledTasks = $RecentTasks | ConvertTo-Json
    VSSEvents = $SuspiciousVSSEvents | ConvertTo-Json
    NetworkConnections = $NetworkConnections | ConvertTo-Json
    RecentlyModifiedFiles = $RecentlyModified | Select-Object -First 20 | ConvertTo-Json
}

# Export results
$Results | Export-Csv -Path $OutputPath -NoTypeInformation
Write-Host "Results exported to $OutputPath" -ForegroundColor Green

# Quick summary display
Write-Host "\nQuick Summary:" -ForegroundColor Cyan
Write-Host "Recent Scheduled Tasks: $(if($RecentTasks) {$RecentTasks.Count} else {0})" -ForegroundColor White
Write-Host "Suspicious VSS Events: $(if($SuspiciousVSSEvents -is [array]) {$SuspiciousVSSEvents.Count} elseif($SuspiciousVSSEvents -ne "No VSS events found") {1} else {0})" -ForegroundColor White
Write-Host "Suspicious Network Connections: $(if($NetworkConnections -is [array]) {$NetworkConnections.Count} elseif($NetworkConnections -ne "Unable to retrieve network connections") {1} else {0})" -ForegroundColor White
Write-Host "Recently Modified Files: $(if($RecentlyModified) {$RecentlyModified.Count} else {0}) (showing first 20 in export)" -ForegroundColor White


# INCIDENT RESPONSE PRIORITIES

**T-Minus Detection Checklist** (Look for these BEFORE encryption fires):
- Unusual authentication patterns on VPN/RDP endpoints (multiple failures followed by success)
- Newly created accounts with administrative privileges
- Sudden increase in file encryption activities (specific file extensions modified)
- Large volume outbound data transfers to unknown IP addresses
- Unusual process execution patterns involving PowerShell, WMI, or PsExec
- Scheduled task creation with obscure names or referencing remote scripts
- Security log clearing or manipulation attempts

**Critical Assets Historically Targeted for Exfiltration**:
- CAD/Blueprint files (construction sector)
- Manufacturing formulas and proprietary processes
- Customer databases with PII/PHI
- Financial records and upcoming transaction data
- Email archives containing sensitive communications
- Intellectual property and trade secrets
- HR records with employee sensitive data

**Containment Actions (by urgency)**:
1. **IMMEDIATE (0-2 hours)**:
   - Isolate infected systems from network (disconnect network cable)
   - Disable all VPN and RDP access temporarily
   - Revoke all recently created credentials with admin rights
   - Preserve volatile memory from suspected systems for forensic analysis
   - Change all privileged account credentials from clean systems

2. **URGENT (2-24 hours)**:
   - Block outbound connections to known C2 infrastructure
   - Disable non-essential services (especially file sharing and remote access)
   - Implement network segmentation to isolate critical systems
   - Collect and preserve system logs for analysis
   - Begin forensic imaging of affected systems

3. **HIGH PRIORITY (24-48 hours)**:
   - Complete thorough credential reset across the organization
   - Verify integrity of backup systems and data
   - Assess potential third-party and supply chain impacts
   - Implement additional monitoring for persistence mechanisms
   - Begin restoration of critical systems from clean backups

# HARDENING RECOMMENDATIONS

**Immediate (24h)**:
1. **Patch Critical Vulnerabilities**:
   - Apply patches for CVE-2024-1708 (ConnectWise ScreenConnect)
   - Apply patches for CVE-2023-21529 (Microsoft Exchange Server)
   - Apply patches for CVE-2026-20131 (Cisco Secure Firewall Management Center)
   - Apply patches for CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail)

2. **Strengthen Remote Access**:
   - Implement MFA for all VPN and RDP access
   - Restrict remote access to specific IP ranges
   - Enforce session timeouts and limit concurrent sessions

3. **Enhance Monitoring**:
   - Deploy additional logging on critical systems
   - Implement alerting for suspicious file operations
   - Enable PowerShell transcription and script block logging

**Short-term (2 weeks)**:
1. **Network Architecture**:
   - Implement zero trust principles for network access
   - Create strict network segmentation between business units
   - Deploy inline network security controls (NGFW, IDS/IPS)

2. **Endpoint Security**:
   - Deploy EDR solution with anti-ransomware capabilities
   - Implement application allowlisting for critical systems
   - Regular vulnerability scanning and patch management

3. **Identity and Access Management**:
   - Implement least privilege access model
   - Review and reduce privileged account usage
   - Enforce strong password policies and regular rotation

4. **Data Protection**:
   - Implement immutable backups with offline storage
   - Deploy data loss prevention (DLP) for sensitive data
   - Encrypt critical data at rest and in transit

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinqilin-ransomwareconstruction-manufacturingcve-exploitationdouble-extortionscreenconnect

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action