Back to Intelligence

QILIN Ransomware Gang: Global Surge in Healthcare & Manufacturing — Campaign Analysis & Detection Rules

SA
Security Arsenal Team
May 16, 2026
6 min read

Aliases: Agenda, Qilin.Broker RaaS Model: Qilin operates as a Ransomware-as-a-Service (RaaS) affiliate model, aggressively recruiting skilled penetration testers to conduct initial access operations. They are known for a custom Rust-based encryptor.

Typical Ransom Demands: Demands vary significantly based on victim revenue but generally range from $500,000 to several million USD. They strictly enforce a "no-negotiation" policy until initial proof of funds is provided.

Initial Access Vectors:

  • Exploitation of Public-Facing Applications: Heavily reliant on unpatched VPNs and remote management tools.
  • Phishing: Highly targeted spear-phishing delivering malicious ISO or LNK files.
  • Valid Credentials: Purchasing access from initial access brokers (IABs).

Double Extortion: Standard practice involves exfiltrating sensitive data (PFI, client databases, IP) before encryption and threatening leak site publication.

Dwell Time: Typically 3 to 7 days. Qilin affiliates move fast, often achieving domain admin rights within 48 hours of initial access.

Current Campaign Analysis

Sector Targeting: Based on the 26 recent postings, Qilin has shifted focus heavily toward Healthcare and Manufacturing.

  • Healthcare Victims: Clinica Avellaneda (AR), Generation Life (AU), B.Care Medical Center (PH), Spirit Medical Transport (US).
  • Manufacturing/Industrial: Common Part Groupings (US), NR Engineering (TH), Schulte-Lindhorst (DE), Fab-Masters (US).

Geographic Concentration: There is a distinct "cluster" of activity in Australia (AU) (5 victims in 3 days), alongside sustained operations in the United States and Argentina. The global spread (AR, TH, PH, DE, CA) indicates a distributed affiliate network.

Observed Posting Frequency: High velocity. With 15 victims posted between May 13 and May 16, the group is operating at maximum capacity, averaging 3-5 victim disclosures per day.

CVE Correlation (Initial Access): The recent spike correlates perfectly with the addition of specific vulnerabilities to the CISA KEV list:

  • CVE-2024-1708 (ConnectWise ScreenConnect): Highly likely used for access to Menzies Group, Bluize, and Mayer, as this tool is ubiquitous in MSP and IT management environments.
  • CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): Critical vector for the Education (Australian College of Business Intelligence) and Business Services sectors where email servers are exposed.

Detection Engineering

Sigma Rules

YAML
---
title: Potential ConnectWise ScreenConnect Authentication Bypass or Path Traversal
id: 4c1f4b24-8a1c-4a92-9b1a-0f9b2c3d4e5f
description: Detects suspicious path traversal or authentication bypass attempts on ConnectWise ScreenConnect web interface indicative of CVE-2024-1708 exploitation.
status: experimental
date: 2026/05/17
author: Security Arsenal
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/Bin/ScreenConnect.'
            - '..\\'
            - '%2e%2e'
        sc-status:
            - 200
            - 500
    condition: selection
falsepositives:
    - Legitimate administrative misconfiguration
level: high
tags:
    - attack.initial_access
    - cve.2024.1708
    - ransomware.qilin

---
title: SmarterMail Suspicious File Upload Activity
id: 5d2e5c35-9b2d-5b03-0c2b-1g0c3d4e5f6g
description: Detects potential web shell upload via SmarterMail vulnerabilities (CVE-2025-52691). Monitor for unusual file extensions in web directories.
status: experimental
date: 2026/05/17
author: Security Arsenal
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: file_creation
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - 'C\\Program Files (x86)\\SmarterTools\\SmarterMail\\MRS'
            - 'C\\inetpub\\mailroot'
        TargetFilename|endswith:
            - '.aspx'
            - '.ashx'
            - '.asmx'
    filter:
        Image|contains:
            - 'SmarterMail'
            - 'MailService'
    condition: selection and not filter
falsepositives:
    - Legitimate system administration
level: critical
tags:
    - attack.initial_access
    - cve.2025.52691
    - attack.web_shell

---
title: Suspicious Cobalt Strike Beacon Activity (Qilin Common)
id: 6e3f6d46-0c3e-6c14-1d3c-2h1d4e5f6g7h
description: Detects process injection patterns often associated with Cobalt Strike beacons used by Qilin affiliates for lateral movement.
status: experimental
date: 2026/05/17
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\\svchost.exe'
            - '\\explorer.exe'
            - '\\wmiprvse.exe'
        Image|endswith:
            - '\\rundll32.exe'
            - '\\regsvr32.exe'
        CommandLine|contains:
            - 'javascript:'
            - 'ZwAllocateVirtualMemory'
    condition: selection
falsepositives:
    - Legitimate software installers
level: high
tags:
    - attack.lateral_movement
    - attack.t1055
    - ransomware.qilin

KQL (Microsoft Sentinel)

Hunt for lateral movement and data staging associated with Qilin, specifically looking for large data transfers to non-corporate IPs and unusual process chains involving SMB.

KQL — Microsoft Sentinel / Defender
let TimeFrame = ago(7d);
let CommonLateralTools = dynamic(["psexec", "psexec64", "wmic", "wmi", "powershell", "cmd"]);
DeviceProcessEvents
| where Timestamp >= TimeFrame
| where FileName in~ CommonLateralTools
| where ProcessCommandLine has "\\\\" and (ProcessCommandLine has "-c" or ProcessCommandLine has "call" or ProcessCommandLine has "create")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner ( 
    DeviceNetworkEvents
    | where Timestamp >= TimeFrame
    | where RemotePort in (445, 135) and ActionType == "ConnectionSuccess" 
    | summarize ConnectionCount=count() by DeviceName, RemoteUrl, RemoteIP, Timestamp 
    | where ConnectionCount > 10 
) on DeviceName
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, RemoteIP, RemoteUrl, ConnectionCount
| order by Timestamp desc

PowerShell Response Script

Run this on suspected compromised endpoints to identify persistence mechanisms often used by Qilin (Scheduled Tasks and unusual services).

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Persistence Check
.DESCRIPTION
    Enumerates scheduled tasks created in the last 7 days and services with unusual binary paths.
#>

$DateCutoff = (Get-Date).AddDays(-7)
Write-Host "[+] Checking for Scheduled Tasks created/modified in the last 7 days..." -ForegroundColor Cyan

Get-ScheduledTask | Where-Object {
    $_.Date -ge $DateCutoff -or $_.LastRunTime -ge $DateCutoff
} | ForEach-Object {
    $Action = $_.Actions.Execute
    if ($Action -match "powershell" -or $Action -match "cmd" -or $Action -match "rundll32") {
        Write-Host "WARNING: Suspicious Task Found: $($_.TaskName)" -ForegroundColor Red
        Write-Host "  Action: $Action" -ForegroundColor Yellow
        Write-Host "  Author: $($_.Author)" -ForegroundColor Yellow
    }
}

Write-Host "[+] Checking for Services with Unusual Paths..." -ForegroundColor Cyan

Get-WmiObject Win32_Service | Where-Object {
    $_.PathName -notmatch "C:\\Windows\\System32\\" -and 
    $_.PathName -notmatch "C:\\Program Files" -and 
    $_.State -eq "Running"
} | Select-Object Name, DisplayName, PathName, State | Format-Table -AutoSize


---

# Incident Response Priorities

**T-minus Detection Checklist (Pre-Encryption):**
1.  **ScreenConnect Logs:** Immediate audit of `Web Server` logs for the last 14 days looking for path traversal (`../`) or异常的 500 errors.
2.  **SmarterMail/Exchange Servers:** Hunt for web shells in `C:\inetpub\mailroot` or `C:\Program Files\SmarterTools`. Look for recently created `.aspx` files.
3.  **PowerShell AMSI:** Check for AMSI events related to Base64 encoded strings or `System.Management.Automation` invocations.

**Critical Assets Prioritized for Exfiltration:**
- **Healthcare:** Patient PII/PHI, insurance databases, donor lists.
- **Manufacturing:** CAD drawings, intellectual property, ERP systems (SAP/Oracle), supply chain vendor lists.

**Containment Actions (Order by Urgency):**
1.  **Isolate Internet-Facing Appliances:** Disconnect all ScreenConnect, VPN, and Mail servers from the network immediately.
2.  **Disable SMB/WinRM:** If internal propagation is suspected, disable SMBv1 and block WinRM traffic at the firewall level.
3.  **Revoke Credentials:** Force reset of privileged admin credentials (Domain Admins) if potential exposure is confirmed.

---

# Hardening Recommendations

**Immediate (24h):**
- **Patch CVE-2024-1708 (ConnectWise):** Upgrade ScreenConnect to the latest patched version immediately.
- **Patch CVE-2025-52691 & CVE-2026-23760 (SmarterMail):** Apply the vendor patches for the file upload and auth bypass vulnerabilities.
- **Patch CVE-2023-21529 (Exchange):** Ensure the latest Security Update for Exchange Server is installed.
- **MFA Enforcement:** Enforce phishing-resistant MFA on all VPN and remote access portals.

**Short-term (2 weeks):**
- **Network Segmentation:** Ensure management interfaces (like ScreenConnect) are on a dedicated VLAN, accessible only via VPN and not directly from the internet.
- **EDR Coverage Audit:** Verify that legacy systems and backup servers (often skipped) have active EDR agents.

---

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarecve-2024-1708healthcaremanufacturingsmartermail

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action