Back to Intelligence

QILIN Ransomware Gang: Global Surge Exploiting Critical Vulnerabilities — Defense & Detection

SA
Security Arsenal Team
May 17, 2026
7 min read

Aliases: Agenda (formerly)

Operational Model: Ransomware-as-a-Service (RaaS) with an aggressive affiliate network. Qilin distinguishes itself by utilizing a Rust-based payload which is highly customizable and evasive, allowing affiliates to tailor encryption settings per victim.

Ransom Demands: Variable, typically ranging from $500,000 to several million USD, depending on victim revenue and exfiltrated data volume.

Initial Access Vectors: Qilin affiliates heavily rely on exploiting internet-facing applications (recently ConnectWise ScreenConnect and SmarterMail), valid account credentials obtained via phishing, and brute-forcing exposed RDP/VPN services.

Double Extortion: Strict adherence to the model. Exfiltration occurs prior to encryption. Victims are given a short deadline (often 3-7 days) to pay or have data published on their .onion site.

Average Dwell Time: 3–10 days. The group moves rapidly from initial access to lateral movement and data exfiltration, often bypassing EDR using living-off-the-land (LotL) binaries before deploying the Rust payload.

Current Campaign Analysis

Campaign Date Range: 2026-05-15 to 2026-05-17

Geographic Concentration: A distinct global spread with no single region dominating. High activity in the US, UK, Canada, and Australia, but with significant inroads into Southeast Asia (MY) and Latin America (CL, AR). This suggests a broad, automated scanning phase for vulnerable targets rather than region-specific spear-phishing.

Targeted Sectors:

  • Manufacturing: 3 Victims (Buckeye Paper, Monir Precision, Common Part Groupings)
  • Agriculture & Food Production: 3 Victims (Fruits Queralt, The Taylor Provisions, Comercial Echave)
  • Healthcare: 3 Victims (Salter HealthCare, Generation Life, CLINICA AVELLANEDA)
  • Public Sector & Education: 2 Victims (Majlis Perbandaran Alor Gajah, Australian College of Business Intelligence)
  • Logistics/Finance/Construction/Tourism: 4 Victims

Victim Profile: Mid-to-large enterprise targets. The inclusion of public sector bodies (Majlis Perbandaran) and educational institutions alongside commercial entities suggests the affiliates are targeting perceived "softer" targets with potentially complex, legacy IT environments.

Observed Frequency: High velocity. 15 victims posted in 3 days indicates multiple active affiliates operating simultaneously.

CVE Connection: The list of recent victims correlates directly with the exploitation of CVEs in the Initial Access phase:

  • CVE-2024-1708 (ConnectWise ScreenConnect): Highly likely used against manufacturing and logistics firms (Turner Supply, Menzies Group) which commonly rely on remote monitoring and management (RMM) software.
  • CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): A probable vector for the Australian and Malaysian entities, as SmarterMail is a popular business email server in these regions.

Detection Engineering

The following detection logic targets Qilin's observed initial access vectors (ScreenConnect/SmarterMail) and their typical lateral movement/exfil behaviors.

YAML
title: Potential ConnectWise ScreenConnect Auth Bypass or Exploit
id: 91a3b220-3c45-4c2a-9a5a-b8f5c1d0e9f1
description: Detects potential exploitation of CVE-2024-1708 or authentication bypass attempts on ConnectWise ScreenConnect servers based on URI patterns and suspicious process execution.
status: experimental
date: 2026/05/18
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection_uri:
        c-uri|contains:
            - '/Service.ashx'
            - '/FlashServices/'
    selection_suspicious:
        c-uri|contains:
            - 'Logout'
            - 'Authorization'
    condition: selection_uri and selection_suspicious
falsepositives:
    - Legitimate administrative logins
level: high
tags:
    - attack.initial_access
    - cve-2024-1708
    - ransomware.qilin
---
title: SmarterMail Suspicious File Upload Activity
description: Detects potential exploitation of CVE-2025-52691 via suspicious file uploads to SmarterMail servers.
status: experimental
date: 2026/05/18
logsource:
    product: webserver
detection:
    selection_path:
        c-uri|contains: '/mainservice/asmx/'
    selection_method:
        c-method: 'POST'
    selection_content:
        cs-content-type|contains:
            - 'multipart/form-data'
    selection_extension:
        c-uri|contains:
            - '.aspx'
            - '.ashx'
    condition: selection_path and selection_method and selection_content and selection_extension
falsepositives:
    - Legitimate email attachments
level: critical
tags:
    - attack.initial_access
    - cve-2025-52691
    - ransomware.qilin
---
title: Qilin Ransomware Typical Pre-Encryption Process Activity
description: Detects typical Qilin behavior including stopping security services and mass file modifications using PowerShell or CommandLine tools often used by the Rust payload wrapper.
status: experimental
date: 2026/05/18
logsource:
    category: process_creation
detection:
    selection_stop:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: 'stop'
    selection_service_targets:
        CommandLine|contains:
            - 'SQL'
            - 'Veeam'
            - 'Backup'
            - 'Exchange'
            - 'Defender'
    selection_shadowcopy:
        CommandLine|contains:
            - 'vssadmin delete shadows'
            - 'wbadmin delete catalog'
    condition: 1 of selection*
falsepositives:
    - Legitimate system administration
level: high
tags:
    - attack.impact
    - attack.t1489
    - ransomware.qilin


**KQL (Microsoft Sentinel) — Lateral Movement & Staging Hunt**
kql
// Hunt for suspicious lateral movement and data staging common in Qilin attacks
// Looks for massive file modifications or SMB access to non-standard shares
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "powershell_ise.exe", "wmic.exe", "psexec.exe", "psexec64.exe")
| where ProcessCommandLine has "net use" or ProcessCommandLine has "copy" or ProcessCommandLine has "robocopy"
| extend TargetShare = extract(@'net use .* ([A-Z]:) .*', 1, ProcessCommandLine)
| where isnotempty(TargetShare)
| summarize count(), make_set(ProcessCommandLine) by DeviceName, InitiatingProcessAccountName, TargetShare
| where count_ > 5 // High volume of drive mappings or copies
union (
    DeviceFileEvents
    | where Timestamp > ago(TimeFrame)
    | where ActionType == "FileCreated"
    | where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z"
    | summarize CountOfFiles = count(), ListOfFiles = make_set(FileName) by DeviceName, FolderPath, InitiatingProcessAccountName
    | where CountOfFiles > 20
)


**PowerShell — Rapid Response Hardening Script**
powershell
# Qilin Ransomware Hardening & Diagnostic Script
# Run as Administrator

Write-Host "[*] QILIN THREAT CHECK - STARTING..." -ForegroundColor Cyan

# 1. Check for Suspicious ShadowCopy Deletions
Write-Host "[+] Checking for recent VSS modification attempts..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -LogName 'Microsoft-Windows-VSSVMProvider/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-24)}
if ($vssEvents) { Write-Host "[!] CRITICAL: Recent VSS Provider Activity detected." -ForegroundColor Red }

# 2. Enumerate Scheduled Tasks created in last 7 days (Common Persistence)
Write-Host "[+] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Yellow
$tasks = Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)}
if ($tasks) {
    Write-Host "[!] SUSPICIOUS TASKS FOUND:" -ForegroundColor Red
    $tasks | Select-Object TaskName, Date, Author
} else {
    Write-Host "[-] No recent suspicious tasks found." -ForegroundColor Green
}

# 3. Check for RDP Exposure (If local firewall is enabled but rules are open)
Write-Host "[+] Checking local RDP firewall rules..." -ForegroundColor Yellow
$rdpRule = Get-NetFirewallRule -Displayname "Remote Desktop - User Mode (TCP-In)" -ErrorAction SilentlyContinue
if ($rdpRule -and $rdpRule.Enabled -eq 'True') {
    Write-Host "[!] WARNING: RDP Rule is enabled in local firewall." -ForegroundColor Red
    Write-Host "[+] Attempting to disable RDP rule locally..."
    Disable-NetFirewallRule -Displayname "Remote Desktop - User Mode (TCP-In)"
}

# 4. Check for ScreenConnect Web Server Service
Write-Host "[+] Checking for ScreenConnect Services (CVE-2024-1708 Vector)..." -ForegroundColor Yellow
$scService = Get-Service -Name "ScreenConnect*" -ErrorAction SilentlyContinue
if ($scService) {
    Write-Host "[!] WARNING: ScreenConnect Service detected. Verify patch immediately." -ForegroundColor Red
    $scService | Select-Object Name, Status, StartType
}

Write-Host "[*] THREAT CHECK COMPLETE." -ForegroundColor Cyan


# Incident Response Priorities

**T-Minus Detection Checklist (Before Encryption):**
1.  **Validate VPN/RMM Access:** Immediately audit logs for ConnectWise ScreenConnect and SmarterMail servers for successful logins from unusual IPs (especially Keypoints/OVH/Cloudflare IP ranges acting as VPN endpoints).
2.  **Hunt for Cobalt Strike:** Qilin affiliates heavily use Cobalt Strike. Scan memory for `beacon.dll` or `artifact.png` patterns using EDR or specialized tools.
3.  **Monitor for Mass Compression:** Look for processes like `7z.exe`, `winrar.exe`, or `tar.exe` running against user shares or directories containing intellectual property.

**Critical Assets at Risk:**
*   **PII & Patient Records:** High-value exfiltration targets for Healthcare victims (Salter HealthCare, Clinica Avellaneda).
*   **CAD/Proprietary Designs:** Manufacturing victims (Buckeye Paper, Monir Precision) often hold designs that are non-recoverable without backups.

**Containment Actions (Ordered by Urgency):**
1.  **Isolate Internet-Facing Servers:** Take ConnectWise, Exchange, and SmarterMail servers offline or place behind a strict WAF deny-all policy pending patch verification.
2.  **Disable Domain Admin Accounts:** If compromise is suspected, force-reset DA passwords and disable the accounts temporarily to break lateral movement.
3.  **Suspend Backup Access:** Revoke credentials for backup software (Veeam/Commvault) service accounts to prevent threat actors from deleting or encrypting backups.

# Hardening Recommendations

**Immediate (24h):**
*   **Patch CVE-2024-1708 (ConnectWise):** Upgrade to the latest version immediately. If patching is not possible, block access to the `/WebServer` path at the network edge.
*   **Patch CVE-2025-52691 (SmarterMail):** Apply the vendor-supplied hotfix. Restrict access to `/Services` directory to internal IPs only.
*   **MFA Enforcement:** Ensure that ALL VPN, RDP, and Email access requires phishing-resistant MFA (FIDO2/Certificate-based). Qilin frequently bypasses standard MFA via session hijacking or AD FS exploits.

**Short-term (2 weeks):**
*   **Network Segmentation:** Move critical backup repositories to an isolated network segment with no internet access and strict one-way replication.
*   **RaaS Auditing:** Conduct a thorough audit of all remote access tools (RMM). Remove any unused instances and enforce local firewall restrictions on RMM agents.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarecve-2024-1708smartermailhealthcaremanufacturing

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action