Back to Intelligence

QILIN Ransomware: Global Campaign Targets Agriculture & Healthcare via Critical Remote Access Exploits

SA
Security Arsenal Team
May 19, 2026
7 min read

Executive Summary

The QILIN ransomware gang (also known as Agenda) has escalated operations in mid-May 2026, posting 15 new victims between May 15 and May 18. This wave displays a distinct focus on Agriculture/Food Production, Healthcare, and Manufacturing sectors across geographies including the UK, Australia, North America, and Southeast Asia. Intelligence indicates the group is actively exploiting CVE-2024-1708 (ConnectWise ScreenConnect) and SmarterMail vulnerabilities (CVE-2026-23760, CVE-2025-52691) for initial access, bypassing traditional perimeter defenses.

Threat Actor Profile — QILIN

  • Aliases: Agenda (historical), Qilin.
  • Model: Ransomware-as-a-Service (RaaS). The gang operates an affiliate model, recruiting skilled access brokers who specialize in exploiting internet-facing appliances.
  • Ransom Demands: Highly variable, typically ranging from $500,000 to $5 million, largely dependent on the victim's revenue and the sensitivity of exfiltrated data.
  • Initial Access Vectors: Primary reliance on exploiting vulnerabilities in remote management software (ConnectWise ScreenConnect) and email gateways (SmarterMail). Secondary vectors include VPN exploits and valid credentials obtained via phishing.
  • Tactics: Aggressive double extortion. Victims' data is leaked on the Tor site shortly after the deadline expires.
  • Dwell Time: Short. Qilin affiliates typically move laterally and detonate encryption within 3-7 days of gaining initial access.

Current Campaign Analysis

Sector & Geographic Targeting

Based on the 15 victims posted between 2026-05-15 and 2026-05-18:

  • High-Value Sectors: Agriculture/Food Production (20% of victims), Healthcare (20%), Manufacturing (13%), Construction (13%).
  • Geographic Spread: A broad "spray and pray" approach targeting specific verticals globally. Hotspots include Australia (Construction, Education, Healthcare), Great Britain (Food, Health), North America (US/CA Manufacturing, Tourism), and Malaysia (Public Sector, Finance).

Victim Profile

The victims range from mid-market entities (e.g., Monir Precision Monitoring, Turner Supply) to public sector bodies (Majlis Perbandaran Alor Gajah). Revenue estimates generally fall between $10M and $200M, suggesting Qilin affiliates target organizations with sufficient cyber insurance coverage but potentially immature security postures regarding legacy internet-facing applications.

Observed TTPs & CVE Correlation

The campaign correlates directly with the exploitation of CISA Known Exploited Vulnerabilities (KEV):

  1. ConnectWise ScreenConnect (CVE-2024-1708): Used to establish a foothold on IT management networks, particularly in the Manufacturing and Construction sectors where remote support is common.
  2. SmarterMail (CVE-2026-23760 & CVE-2025-52691): Exploited for initial access in Healthcare and Finance sectors, leveraging authentication bypass to gain internal email server access.
  3. Cisco Secure Firewall (CVE-2026-20131): Likely used to bypass security controls or pivot into segmented networks.

Detection Engineering

The following detection rules and hunts are designed to identify Qilin activity associated with their current exploitation of ScreenConnect and SmarterMail, as well as their standard lateral movement and pre-encryption tactics.

Sigma Rules

YAML
---
title: Potential ConnectWise ScreenConnect Path Traversal Exploit (CVE-2024-1708)
id: 92d3d5c6-1a2b-4c3d-8e5f-6a7b8c9d0e1f
description: Detects potential exploitation of CVE-2024-1708 via suspicious URI patterns in web logs.
status: experimental
date: 2026/05/20
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
logsource:
    category: web
detection:
    selection:
        c-uri|contains: \"/LiveEvents/\"
        cs-method: 'POST'
    filter_main:
        c-uri|contains:
            - '..%2F'
            - '%2f..%2f'
            - 'AssemblyInjection'
    condition: selection and filter_main
falsepositives:
    - Potential false positives if specific API usage patterns match; verify user-agent context.
level: critical
tags:
    - attack.initial_access
    - cve.2024.1708
    - ransomware.qilin
---
title: SmarterMail Suspicious File Upload or Auth Bypass
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects indicators of SmarterMail exploitation including Auth bypass patterns and unusual file uploads.
status: experimental
date: 2026/05/20
logsource:
    category: web
detection:
    selection_upload:
        c-uri|contains: \"/Services/\"
        cs-method: 'POST'
        c-uri|endswith: '.aspx'
    selection_bypass:
        c-uri|contains:
            - 'ResetPassword.aspx'
            - 'Login.aspx'
        cs-status: 200
        sc-bytes: < 500
    filter_legit:
        cs-user-agent|contains:
            - 'Mozilla'
            - 'SmarterTools'
    condition: (selection_upload and not filter_legit) or (selection_bypass and not filter_legit)
falsepositives:
    - Legacy integration tools with incomplete user-agent strings.
level: high
tags:
    - attack.initial_access
    - cve.2026.23760
    - cve.2025.52691
    - ransomware.qilin
---
title: Qilin Pre-Encryption VSS Shadow Copy Deletion
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects commands used by Qilin affiliates to delete Volume Shadow Copies prior to encryption.
status: experimental
date: 2026/05/20
references:
    - https://securityarsenal.com/darkside
author: Security Arsenal Research
logsource:
    category: process_creation
    product: windows
detection:
    selection_vssadmin:
        Image|endswith: '\\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    selection_wmic:
        Image|endswith: '\\wbem\\WMIC.exe'
        CommandLine|contains: 'shadowcopy delete'
    condition: 1 of selection_*
falsepositives:
    - System administrators manually managing disk space (rare in automated bulk).
level: critical
tags:
    - attack.impact
    - attack.t1490
    - ransomware.qilin

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin lateral movement and staging activity
// Looks for large file movements to network shares and anomalous PowerShell execution
let TimeFrame = 1d;
let SuspiciousProcesses = dynamic([\"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"cscript.exe\", \"wscript.exe\"]);
let ExfilExtensions = dynamic([\".zip\", \".rar\", \".7z\", \".tmp\", \".encrypted\"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where InitiatingProcessFileName in~ SuspiciousProcesses
| where ProcessCommandLine has any(ExfilExtensions) or ProcessCommandLine has \"Copy-Item\" or ProcessCommandLine has \"Compress-Archive\"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(TimeFrame)
    | where FileExtension in~ ExfilExtensions
    | where FileSize > 1024 * 1024 // > 1MB
    | project Timestamp, DeviceName, FileName, FolderPath, FileSize, InitiatingProcessAccountName
) on DeviceName, Timestamp
| summarize Timestamp = max(Timestamp), FileCount = count(), TotalSizeMB = sum(FileSize/1024/1024) by DeviceName, AccountName
| order by TotalSizeMB desc

PowerShell - Rapid Response Script

PowerShell
<#
.SYNOPSIS
    Qilin Incident Response - Check for VSS Manipulation and Suspicious Scheduled Tasks.
.DESCRIPTION
    Checks for recent deletion of Volume Shadow Copies and enumerates scheduled tasks
    created in the last 7 days, common indicators of Qilin pre-encryption staging.
#>

Write-Host \"[+] QILIN RESPONSE CHECK - $(Get-Date)\" -ForegroundColor Cyan

# Check 1: VSS Shadow Copy Status
Write-Host \"\
[*] Checking Volume Shadow Copy Status...\" -ForegroundColor Yellow
try {
    $shadows = vssadmin list shadows 2>&1
    if ($shadows -match \"No shadow copies found\" -or $shadows -match \"There are no shadow copies\") {
        Write-Host \"[!] CRITICAL: No Shadow Copies found. Possible deletion event.\" -ForegroundColor Red
    } else {
        $count = ($shadows | Select-String \"Shadow Copy Volume\").Count
        Write-Host \"[+] Found $count shadow copies.\" -ForegroundColor Green
    }
} catch {
    Write-Host \"[!] Error checking VSS: $_\" -ForegroundColor Red
}

# Check 2: Scheduled Tasks created in last 7 days
Write-Host \"\
[*] Checking for Scheduled Tasks created/modified in last 7 days...\" -ForegroundColor Yellow
$cutoffDate = (Get-Date).AddDays(-7)
try {
    $tasks = Get-ScheduledTask | Get-ScheduledTaskInfo
    foreach ($task in $tasks) {
        if ($task.LastRunTime -gt $cutoffDate -or $task.State -eq \"Running\") {
            Write-Host \"[!] Suspicious Task: $($task.TaskName) | Last Run: $($task.LastRunTime) | Author: $((Get-ScheduledTask -TaskName $task.TaskName).Author)\" -ForegroundColor Red
        }
    }
    Write-Host \"[*] Scheduled task check complete.\" -ForegroundColor Green
} catch {
    Write-Host \"[!] Error checking Scheduled Tasks: $_\" -ForegroundColor Red
}

Incident Response Priorities

T-minus Detection Checklist (Pre-Encryption)

  1. Web Shell Hunt: Search IIS/SmarterMail logs for AssemblyInjection strings or POST requests to ResetPassword.aspx with small response sizes (< 500 bytes).
  2. Remote Access Logs: Audit ConnectWise ScreenConnect logs for logins from unfamiliar geo-locations (e.g., consecutive logins from AU and MY within minutes).
  3. PowerShell Auditing: Look for EncryptedScript command blocks or base64 encoded payloads in PowerShell logs.

Critical Assets for Exfiltration

Qilin historically prioritizes:

  • Healthcare: Patient PII, medical records, insurance databases.
  • Manufacturing: CAD designs, proprietary formulas, client supply chain data.
  • Finance: ACH files, customer transaction logs.

Containment Actions

  1. Immediate: Isolate internet-facing servers hosting ScreenConnect or SmarterMail from the internal network.
  2. Urgent: Disable all domain/local admin accounts that were logged into the exploited servers within the last 48 hours.
  3. Secondary: Block outbound RDP (TCP 3389) and SMB (TCP 445) from non-admin workstations.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Management: Immediately patch CVE-2024-1708 (ScreenConnect) and CVE-2026-23760 / CVE-2025-52691 (SmarterMail). If patching is impossible, disable the services or move them behind a Zero Trust Network Access (ZTNA) gateway.
  • Access Control: Enforce MFA on all remote access solutions, specifically ScreenConnect and VPNs. Implement Geo-blocking for management interfaces.

Short-term (2 Weeks)

  • Network Segmentation: Ensure backup servers and critical domain controllers are on isolated VLANs with strict firewall rules (deny-all, allow-specific).
  • EDR Tuning: Deploy detection rules specifically for vssadmin.exe and wbem\\WMIC.exe invocation to catch shadow copy deletion attempts early.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarecve-2024-1708screenconnectsmartermaildarkweb-intel

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action