Threat Actor Profile — QILIN
QILIN (also known as Agenda) is a ransomware-as-a-service (RaaS) operation that emerged in 2022. Known for their sophisticated double extortion tactics, they encrypt systems and exfiltrate sensitive data before threatening to leak it on their dark web leak site.
Ransom demands from Qilin typically range from $200,000 to several million dollars depending on the victim's size and industry. The group operates on a 70/30 revenue-sharing model with their affiliates, with 70% going to the affiliate.
Known initial access methods include:
- Exploitation of VPN vulnerabilities (FortiGate, Pulse Secure)
- Phishing campaigns with malicious attachments
- RDP brute force attacks
- Supply chain compromises
Qilin is known for an average dwell time of 3-7 days before detonating encryption, using this time to escalate privileges, move laterally through the network, and exfiltrate sensitive data. They've been observed using custom exfiltration tools and legitimate cloud storage services for data theft.
Current Campaign Analysis
Sectors Being Targeted
Based on the recent victim data, Qilin is heavily targeting:
- Healthcare (5 victims: Nova Medical Products, Clinica Maitenes, Mindpath College Health, Providence Medical Group, Dillon Family Medicine)
- Manufacturing (3 victims: Sinomax USA, Carton Craft Supply, LA Woodworks)
- Business Services (2 victims: Gallun Snow Associates, Kennedy, McLaughlin & Associates)
- Education (1 victim: Alamo Heights School District)
- Technology (1 victim: HumanEdge)
- Sector not identified (1 victim: Jens Jensen)
Geographic Concentration
The victims are primarily concentrated in:
- United States (9 victims)
- Chile (1 victim)
- Australia (1 victim)
- Denmark (1 victim)
- Laos (1 victim)
Victim Profile
The victims span a range of sizes:
- Small to mid-sized businesses (Carton Craft Supply, LA Woodworks)
- Medium to large organizations (Nova Medical Products, Sinomax USA)
- Healthcare providers of various scales
- Educational institutions (Alamo Heights School District)
Observed Posting Frequency
Recent posting pattern shows:
- 2 victims posted on 2026-06-02
- 11 victims posted on 2026-05-28 (indicating a batch release)
This suggests Qilin is operating with a campaign-based approach, conducting multiple compromises and then releasing victim information in batches to maximize pressure on victims.
Connection to CVEs
The recently exploited CVEs align with Qilin's known attack vectors:
- CVE-2026-48027 (Nx Console Embedded Malicious Code) could provide initial access in environments using this console
- CVE-2024-1708 (ConnectWise ScreenConnect Path Traversal) is a common vector for remote code execution
- CVE-2023-21529 (Microsoft Exchange Server Deserialization) provides authenticated access to email systems
- CVE-2026-20131 (Cisco Secure Firewall Management Center) allows bypassing perimeter defenses
- CVE-2025-52691 (SmarterTools SmarterMail) offers email server compromise
These CVEs suggest Qilin is exploiting a variety of initial access vectors, with a focus on remote management tools and communication infrastructure.
Detection Engineering
SIGMA Rules
---
title: Qilin Ransomware - Suspicious RDP Brute Force Activity
id: c2b98f6a-3c2d-45e8-9a66-4c8e9f12a3b4
description: Detects potential Qilin ransomware precursor activity in the form of RDP brute force attacks (more than 20 failed RDP logons from a single source address within 15 minutes)
status: experimental
author: Security Arsenal Intelligence Team
date: 2026/06/03
references:
    - https://securityarsenal.com/darkside
tags:
    - attack.initial_access
    - attack.t1078
    - attack.t1110
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
        # With Network Level Authentication enabled, failed RDP logons are often
        # recorded as LogonType 3 rather than 10; extend the selection if that is your case.
        LogonType: 10
        SubStatus:
            - '0xC000006A'   # bad password
            - '0xC0000234'   # account locked out
            - '0xC0000072'   # account disabled
    timeframe: 15m
    condition: selection | count() by IpAddress > 20
falsepositives:
    - Misconfigured applications
    - Legitimate users with incorrect passwords
level: high
---
title: Qilin Ransomware - PsExec Lateral Movement
id: d3c98f6a-3c2d-45e8-9a66-4c8e9f12a3b5
description: Detects Qilin ransomware lateral movement using PsExec or similar tools (service binary written to the ADMIN$ share)
status: experimental
author: Security Arsenal Intelligence Team
date: 2026/06/03
references:
    - https://securityarsenal.com/darkside
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        # Event 5145 records the share as \\*\ADMIN$, so match on the suffix
        ShareName|endswith: '\ADMIN$'
        RelativeTargetName|endswith: 'PSEXESVC.exe'
    condition: selection
falsepositives:
    - Legitimate administrative use of PsExec
level: high
---
title: Qilin Ransomware - Data Exfiltration via SMB
id: e4d98f6a-3c2d-45e8-9a66-4c8e9f12a3b6
description: Detects potential Qilin data staging and exfiltration via SMB admin shares, often used before encryption (more than 10 admin-share accesses from one internal address within 5 minutes)
status: experimental
author: Security Arsenal Intelligence Team
date: 2026/06/03
references:
    - https://securityarsenal.com/darkside
tags:
    - attack.exfiltration
    - attack.t1048.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5140
        # Event 5140 records the share as \\*\C$ or \\*\ADMIN$
        ShareName|endswith:
            - '\C$'
            - '\ADMIN$'
        # Internal address range assumed by this profile; adjust to your own
        IpAddress|startswith: '192.168.'
    filter:
        # Machine accounts (name ends in $) generate routine admin-share traffic
        SubjectUserName|endswith: '$'
    timeframe: 5m
    condition: selection and not filter | count() by IpAddress > 10
falsepositives:
    - Legitimate administrative access
    - Backup operations
level: medium
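To check the thresholding logic of the first rule outside a SIEM, here is an added Python example (not part of the original profile) that replays constructed 4625 events through the same "count() by IpAddress > 20 within 15m" condition; the same helper serves the third rule with a 5-minute window and a threshold of 10. All event fields, addresses and timestamps below are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (documentation IP ranges), not real telemetry.
BASE = datetime(2026, 6, 3, 9, 0, 0)

def make_event(seconds, ip, event_id=4625, logon_type=10, sub_status="0xC000006A"):
    """Build a minimal Security-log event carrying the fields the Sigma rule reads."""
    return {"time": BASE + timedelta(seconds=seconds), "EventID": event_id,
            "LogonType": logon_type, "SubStatus": sub_status, "IpAddress": ip}

SAMPLE_EVENTS = (
    [make_event(m * 24, "203.0.113.5") for m in range(25)]                # 25 failures in 9.6 min: burst
    + [make_event(m * 120, "198.51.100.7") for m in range(25)]            # 25 failures over 48 min: never more than 16 per 15 min
    + [make_event(m * 60, "192.0.2.9", logon_type=3) for m in range(30)]  # network logons, not RDP
    + [make_event(300, "203.0.113.5", event_id=4624)]                     # a success: outside the selection
)

RDP_FAILURE_SUBSTATUS = {"0xC000006A", "0xC0000234", "0xC0000072"}

def rdp_failure(ev):
    """The rule's 'selection' block: 4625, LogonType 10, one of the listed SubStatus codes."""
    return (ev["EventID"] == 4625 and ev["LogonType"] == 10
            and ev["SubStatus"] in RDP_FAILURE_SUBSTATUS)

def windowed_count_alerts(events, selection, group_by, window, threshold):
    """Emulate 'selection | count() by <group_by> > threshold' over a trailing timeframe.
    Returns {group value: time the count first exceeded the threshold}."""
    recent = defaultdict(deque)   # per group: timestamps of matching events inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if not selection(ev):
            continue
        key = ev[group_by]
        q = recent[key]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:   # evict timestamps older than the window
            q.popleft()
        if len(q) > threshold and key not in alerts:
            alerts[key] = ev["time"]
    return alerts

def run_rdp_rule(events=SAMPLE_EVENTS):
    """Apply the first Sigma rule: timeframe 15m, count() by IpAddress > 20."""
    return windowed_count_alerts(events, rdp_failure, "IpAddress",
                                 timedelta(minutes=15), 20)
```

Only the burst source trips the rule (its 21st failure lands at 09:08:00); the slow source never exceeds 16 failures in any 15-minute window, which is the gap a slow-and-low brute force exploits.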
KQL (Microsoft Sentinel)
// Hunt for Qilin ransomware precursor activity
// This query looks for lateral movement and data staging patterns common to Qilin
let TimeRange = ago(7d);
// Detect suspicious SMB access to admin shares
// (SecurityEvent stores the share name as \\*\C$ / \\*\ADMIN$, so match the full value)
let AdminShareAccess = SecurityEvent
    | where TimeGenerated > TimeRange
    | where EventID in (5140, 5145)
    | where ShareName in (@"\\*\C$", @"\\*\ADMIN$")
    | where not(SubjectUserName endswith "$")   // drop machine accounts
    | summarize count_ = count(), LastSeen = max(TimeGenerated)
        by Computer, Account = SubjectUserName, ShareName, IpAddress
    | where count_ > 10;
// Detect potential PowerShell-based lateral movement
// (requires process command-line auditing; the regex is case-insensitive)
let PowerShellLateral = SecurityEvent
    | where TimeGenerated > TimeRange
    | where EventID == 4688
    | where NewProcessName contains "powershell.exe"
    | where CommandLine matches regex @"(?i)(invoke-command|enter-pssession|new-pssession)"
    | summarize count_ = count(), LastSeen = max(TimeGenerated)
        by Computer, Account = SubjectUserName, CommandLine;
// Detect unusual scheduled task creation (4698 carries the task XML in TaskContent;
// 'contains' takes a plain substring, not a regex)
let ScheduledTaskCreation = SecurityEvent
    | where TimeGenerated > TimeRange
    | where EventID == 4698
    | where TaskContent contains @"\WindowsPowerShell\v1.0\powershell.exe"
    | summarize count_ = count(), LastSeen = max(TimeGenerated)
        by Computer, Account = SubjectUserName, TaskName;
// Combine results (summarize drops TimeGenerated, so LastSeen is carried instead)
union AdminShareAccess, PowerShellLateral, ScheduledTaskCreation
| project LastSeen, ActivityType = case(
        isnotempty(ShareName), "AdminShareAccess",
        isnotempty(CommandLine), "PowerShellLateral",
        isnotempty(TaskName), "ScheduledTaskCreation",
        "Unknown"),
    Computer, Account, Details = coalesce(ShareName, CommandLine, TaskName), IpAddress, count_
| order by LastSeen desc
PowerShell (Rapid-Response Hardening Script)
#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Qilin Ransomware - Rapid Response Hardening Script
.DESCRIPTION
    This script checks for common Qilin TTPs (shadow copy tampering, new scheduled tasks,
    RDP brute force, known tooling running) and applies immediate hardening measures.
    Run from an elevated session: reading the Security log and writing HKLM require it.
.NOTES
    Version: 1.0
    Author: Security Arsenal Intelligence Team
    Date: 2026-06-03
#>

# Look-back window shared by all checks
$Cutoff = (Get-Date).AddDays(-7)

# Helper: read a named EventData field from an event record. The property index of
# LogonType and IpAddress differs between 4624 and 4625, so look the field up by name.
function Get-EventDataField {
    param($Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).'#text'
}

# Function to check for recent modifications to VSS (Windows Backup operational log)
function Check-VSSModifications {
    Write-Host "Checking for recent Volume Shadow Copy modifications..." -ForegroundColor Yellow
    try {
        $vssEvents = Get-WinEvent -FilterHashtable @{
                LogName   = 'Microsoft-Windows-Backup/Operational'
                Id        = 5,8,9,14,17,19,20,21,22,49,50,51,52,100,517,518,519,520,521,527,528,544,545,546,561,564,567,569,612,613
                StartTime = $Cutoff
            } -ErrorAction SilentlyContinue |
            Sort-Object TimeCreated -Descending |
            Select-Object -First 20
        if ($vssEvents) {
            Write-Host "Recent VSS activity detected:" -ForegroundColor Red
            $vssEvents | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize
        } else {
            Write-Host "No recent VSS modifications detected." -ForegroundColor Green
        }
    } catch {
        Write-Host "Error checking VSS modifications: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# Function to enumerate scheduled tasks registered in the last 7 days
function Check-RecentScheduledTasks {
    Write-Host "Checking for scheduled tasks created in the last 7 days..." -ForegroundColor Yellow
    try {
        # A task's Date is a string (often empty); convert it before comparing with a DateTime
        $tasks = Get-ScheduledTask | Where-Object {
            $registered = $_.Date -as [datetime]
            $registered -and $registered -gt $Cutoff
        }
        if ($tasks) {
            Write-Host "Recently created scheduled tasks:" -ForegroundColor Red
            $tasks | ForEach-Object {
                $taskInfo = Get-ScheduledTaskInfo -TaskName $_.TaskName -TaskPath $_.TaskPath
                [PSCustomObject]@{
                    TaskName       = $_.TaskName
                    TaskPath       = $_.TaskPath
                    Author         = $_.Author
                    Date           = $_.Date
                    LastRunTime    = $taskInfo.LastRunTime
                    LastTaskResult = $taskInfo.LastTaskResult
                }
            } | Format-Table -AutoSize
        } else {
            Write-Host "No recent scheduled tasks detected." -ForegroundColor Green
        }
    } catch {
        Write-Host "Error checking scheduled tasks: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# Function to check for high-frequency RDP logon attempts (successful and failed).
# Note: with Network Level Authentication, failed RDP logons are often logged as LogonType 3.
function Check-ExposedRDP {
    param([switch]$GeoLookup)  # resolves countries via ip-api.com; omit to keep source IPs on the host
    Write-Host "Checking for high-frequency RDP logon attempts..." -ForegroundColor Yellow
    try {
        $rdpSources = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624,4625; StartTime = $Cutoff } -ErrorAction SilentlyContinue |
            Where-Object { (Get-EventDataField $_ 'LogonType') -eq '10' } |
            ForEach-Object { Get-EventDataField $_ 'IpAddress' } |
            Where-Object { $_ -and $_ -notin @('-', '127.0.0.1', '::1') } |
            Group-Object |
            Where-Object { $_.Count -gt 10 } |
            Sort-Object Count -Descending
        if ($rdpSources) {
            Write-Host "High-frequency RDP logon attempts detected:" -ForegroundColor Red
            $rdpSources | ForEach-Object {
                $ip  = $_.Name
                $geo = 'Not queried'
                if ($GeoLookup) {
                    try   { $geo = (Invoke-RestMethod -Uri "http://ip-api.com/json/$ip" -TimeoutSec 5).country }
                    catch { $geo = 'Unknown' }
                }
                [PSCustomObject]@{ IPAddress = $ip; Country = $geo; Attempts = $_.Count }
            } | Format-Table -AutoSize
        } else {
            Write-Host "No high-frequency RDP logon attempts detected." -ForegroundColor Green
        }
    } catch {
        Write-Host "Error checking RDP connections: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# Function to check for suspicious processes. Get-Process reports names without the
# .exe extension, so the list is kept extension-free (entries ending in ".exe" never match).
# mimilib.dll is a DLL rather than a process and is therefore not listed here.
function Check-SuspiciousProcesses {
    Write-Host "Checking for suspicious processes..." -ForegroundColor Yellow
    $suspiciousProcesses = @(
        'psexec', 'psexec64', 'psexesvc',
        'procdump', 'procdump64',
        'mimikatz',
        'ransomware', 'encrypt', 'crypt',
        'vssadmin'
    )
    try {
        $processes = Get-Process | Where-Object { $suspiciousProcesses -contains $_.ProcessName.ToLower() }
        if ($processes) {
            Write-Host "Suspicious processes detected:" -ForegroundColor Red
            $processes | Format-Table Id, ProcessName, Path, StartTime -AutoSize
        } else {
            Write-Host "No suspicious processes detected." -ForegroundColor Green
        }
    } catch {
        Write-Host "Error checking processes: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# Function to apply immediate hardening measures
function Apply-ImmediateHardening {
    Write-Host "`nApplying immediate hardening measures..." -ForegroundColor Yellow
    try {
        # Disable RDP if not needed (fDenyTSConnections = 1 refuses new Terminal Services connections)
        $tsPath = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
        $rdpStatus = (Get-ItemProperty -Path $tsPath -Name fDenyTSConnections).fDenyTSConnections
        if ($rdpStatus -eq 0) {
            Write-Host "RDP is currently enabled. Disabling now..." -ForegroundColor Yellow
            Set-ItemProperty -Path $tsPath -Name fDenyTSConnections -Value 1 -Type DWord
            Write-Host "RDP has been disabled." -ForegroundColor Green
        } else {
            Write-Host "RDP is already disabled." -ForegroundColor Green
        }
        # Enable PowerShell Script Block Logging
        $registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
        if (-not (Test-Path $registryPath)) {
            New-Item -Path $registryPath -Force | Out-Null
        }
        Set-ItemProperty -Path $registryPath -Name EnableScriptBlockLogging -Value 1 -Type DWord -Force
        Write-Host "PowerShell Script Block Logging has been enabled." -ForegroundColor Green
        # Enable Module Logging. EnableModuleLogging alone records nothing: the ModuleNames
        # subkey must list the modules to log ('*' = all modules).
        $modulePath      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
        $moduleNamesPath = Join-Path $modulePath 'ModuleNames'
        if (-not (Test-Path $moduleNamesPath)) {
            New-Item -Path $moduleNamesPath -Force | Out-Null
        }
        Set-ItemProperty -Path $modulePath -Name EnableModuleLogging -Value 1 -Type DWord -Force
        New-ItemProperty -Path $moduleNamesPath -Name '*' -Value '*' -PropertyType String -Force | Out-Null
        Write-Host "PowerShell Module Logging has been enabled." -ForegroundColor Green
    } catch {
        Write-Host "Error applying hardening measures: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# Main execution
Write-Host "=== QILIN RANSOMWARE - RAPID RESPONSE HARDENING ===" -ForegroundColor Cyan
Write-Host "Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" -ForegroundColor Cyan
Check-VSSModifications
Check-RecentScheduledTasks
Check-ExposedRDP -GeoLookup   # drop -GeoLookup to avoid sending source IPs to ip-api.com
Check-SuspiciousProcesses
Write-Host "`n=== RECOMMENDATION ===" -ForegroundColor Cyan
$response = Read-Host "Would you like to apply immediate hardening measures? (Y/N)"
if ($response -match '^[Yy]$') {
    Apply-ImmediateHardening
}
Write-Host "`n=== SCAN COMPLETE ===" -ForegroundColor Cyan
Write-Host "For additional assistance, contact Security Arsenal Incident Response." -ForegroundColor Cyan
Incident Response Priorities
T-minus Detection Checklist
Before encryption fires, look for:
- Suspicious RDP connections from foreign IP addresses
- Unusual PowerShell execution patterns
- Scheduled tasks created outside of normal maintenance windows
- Large data transfers to unusual endpoints
- Unauthorized attempts to access or modify Volume Shadow Copies
- Execution of administrative tools like PsExec, ProcDump, or Mimikatz
Critical Assets Historically Prioritized for Exfiltration
Qilin has historically prioritized exfiltration of:
- Patient Health Information (PHI) and electronic medical records (EMR)
- Financial data including tax documents, payroll information, and banking credentials
- Intellectual property and proprietary business information
- Customer databases and personally identifiable information (PII)
- Corporate email archives
- Human resources records containing sensitive employee information
Containment Actions (Ordered by Urgency)
- Immediate (within 1 hour):
  - Disconnect all systems exhibiting signs of compromise from the network
  - Disable all non-essential VPN accounts
  - Change credentials for all privileged accounts
  - Isolate affected network segments
- Urgent (within 4 hours):
  - Block all known malicious IP addresses at the perimeter firewall
  - Disable file-sharing protocols (SMB) on non-critical systems
  - Revoke and reissue all VPN certificates
  - Implement network segmentation for critical systems
- High Priority (within 24 hours):
  - Conduct forensic imaging of affected systems
  - Implement additional monitoring on remaining systems
  - Review and restrict administrative access rights
  - Deploy updated detection signatures for Qilin ransomware
Hardening Recommendations
Immediate (24 hours)
- Apply security patches for CVE-2026-48027, CVE-2024-1708, CVE-2023-21529, CVE-2026-20131, and CVE-2025-52691
- Disable RDP access from the internet and enforce MFA for internal RDP
- Implement network segmentation between critical systems and general network
- Enable PowerShell script block logging and module logging
- Review and restrict administrative privileges
Short-term (2 weeks)
- Implement Zero Trust Network Architecture principles
- Deploy EDR solution with ransomware-specific detection capabilities
- Implement comprehensive backup solution with immutable backups
- Conduct phishing awareness training focused on healthcare sector threats
- Review and enhance VPN security configurations
- Implement data loss prevention (DLP) controls for sensitive data