Back to Intelligence

QILIN Ransomware: Global Expansion Targeting Healthcare & Agriculture — Critical CVE Analysis

SA
Security Arsenal Team
May 19, 2026
6 min read

Aliases: Agenda, Qilin.B Model: Ransomware-as-a-Service (RaaS) Ransom Demands: Typically $500,000 to $5 million USD, adjusted based on victim revenue and data sensitivity. Tactics: QILIN operates a ruthless double-extortion model, encrypting systems and threatening to release sensitive data. They are known for aggressive pressure tactics involving direct contact to victim clients and partners. Initial Access: The group frequently leverages valid credentials obtained via phishing info-stealers, but a significant portion of their recent access comes from exploiting vulnerabilities in external-facing remote management software (e.g., ConnectWise ScreenConnect) and email gateways. Dwell Time: Short. Recent intelligence indicates a dwell time of 1–3 days between initial access and encryption, prioritizing speed over stealth in current campaigns.

Current Campaign Analysis

Based on live data harvested from QILIN's .onion leak site on 2026-05-19:

  • Targeted Sectors: The group is currently diversifying but maintains a heavy focus on Agriculture & Food Production (3 victims: Fruits Queralt, The Taylor Provisions, Comercial Echave Turri) and Healthcare (3 victims: Salter HealthCare, Clinica Avellaneda, Generation Life). Secondary targets include Construction, Manufacturing, and Public Sector entities.
  • Geographic Spread: QILIN is executing a truly global campaign. Victims span 8 countries (AT, AU, US, CA, ES, GB, MY, CL, AR). Notable clusters exist in Australia (3 victims), North America (4 victims), and Southeast Asia (2 victims).
  • Victim Profile: The victim list suggests a shift towards mid-market organizations ($10M–$200M revenue). The inclusion of a regional council (Majlis Perbandaran Alor Gajah) and educational institutions suggests automated vulnerability scanning is playing a role in target selection.
  • Escalation Patterns: Posting frequency is high, with 15 victims published between May 15–18 (approx. 4–5 per day). This volume indicates an automated or highly efficient operational tempo.
  • CVE Correlation: The sectors targeted align with the widespread use of the specific CVEs listed below.
    • CVE-2024-1708 (ConnectWise ScreenConnect): Highly likely the primary vector for the Manufacturing and Construction victims, who rely heavily on MSPs.
    • CVE-2025-52691 / CVE-2026-23760 (SmarterMail): A probable vector for the Healthcare and Education victims, where on-premise mail servers are common.
    • CVE-2023-21529 (Exchange): Legacy Exchange vulnerabilities remain a reliable entry point for established entities.

Detection Engineering

SIGMA Rules

YAML
title: Potential ConnectWise ScreenConnect Path Traversal (CVE-2024-1708)
id: 4f0c0d6b-1a2b-3c4d-5e6f-7g8h9i0j1k2l
description: Detects potential exploitation of the ConnectWise ScreenConnect path traversal vulnerability (CVE-2024-1708) which allows remote code execution via malicious URI parameters.
status: experimental
author: Security Arsenal
date: 2026/05/19
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: web
    product: apache
detection:
    selection:
        cs-uri-query|contains:
            - 'WebControl.ashx'
            - 'Setup.ashx'
        cs-uri-query|contains:
            - '..%2F'
            - '..%5c'
            - '%2F..%2F'
    condition: selection
falsepositives:
    - Legitimate administrative access (rare)
level: critical
---
title: SmarterMail Unrestricted File Upload (CVE-2025-52691)
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects potential exploitation of SmarterMail unrestricted file upload vulnerability leading to RCE via MRS proxy.
status: experimental
author: Security Arsenal
date: 2026/05/19
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: web
    product: iis
detection:
    selection:
        cs-uri-stem|contains: '/MRS/'
        cs-uri-query|contains: '.aspx?'
    filter:
        cs-method|contains: 'POST'
    condition: selection and filter
falsepositives:
    - Unknown
level: high
---
title: Suspicious Shadow Copy Deletion Activity
description: Detects attempts to delete Volume Shadow Copies which is a common step in QILIN ransomware operations to prevent recovery.
status: experimental
author: Security Arsenal
date: 2026/05/19
logsource:
    category: process_creation
    product: windows
detection:
    selection_vssadmin:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    selection_wbadmin:
        Image|endswith: '\wbadmin.exe'
        CommandLine|contains: 'delete catalog'
    condition: 1 of selection*
falsepositives:
    - System administrator maintenance
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin precursors: Shadow copy deletion and suspicious PowerShell
DeviceProcessEvents
| where Timestamp > ago(3d)
| where ProcessCommandLine has_any ("vssadmin", "wbadmin", "bcdedit") 
and ProcessCommandLine has_any ("delete", "recoveryenabled no")
| or ProcessCommandLine has "Invoke-ReflectivePEInjection" // Common in Qilin loaders
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

PowerShell Response Script

PowerShell
# Qilin Ransomware T-Minus Check: Shadow Copies & Persistence
Write-Host "[+] Checking for QILIN Ransomware Indicators of Compromise..." -ForegroundColor Cyan

# 1. Check for recently deleted Shadow Copies (Event ID 1 from VSS)
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=1; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($vssEvents) {
    Write-Host "[ALERT] Recent Volume Shadow Copy deletion events detected!" -ForegroundColor Red
    $vssEvents | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "[INFO] No immediate VSS deletion events found." -ForegroundColor Green
}

# 2. Enumerate Scheduled Tasks created in last 24h (Persistence)
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddHours(-24) }
if ($suspiciousTasks) {
    Write-Host "[ALERT] Suspicious scheduled tasks created in the last 24 hours:" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, Date, Author, Actions
} else {
    Write-Host "[INFO] No new suspicious scheduled tasks." -ForegroundColor Green
}

# 3. Check for common Qilin Ransomware Extensions (if encryption already started)
$drives = Get-PSDrive -PSProvider FileSystem
$foundFiles = @()
foreach ($drive in $drives) {
    $foundFiles += Get-ChildItem -Path $drive.Root -Filter "*.qilin" -Recurse -ErrorAction SilentlyContinue -Depth 2
}
if ($foundFiles) { Write-Host "[CRITICAL] Encrypted files found!" -ForegroundColor Red }


---

# Incident Response Priorities

**T-Minus Detection Checklist:**
*   **Remote Access Logs:** Immediate forensic review of ConnectWise ScreenConnect logs for the specific path traversal patterns (URI containing `..%2F`).
*   **Web Shell Hunt:** Scan web roots (`C:\inetpub\wwwroot`, `C:\Program Files\SmarterTools`) for recently created `.aspx` or `.config` files.
*   **MFA Failures:** Look for spikes in failed MFA attempts on VPN or Remote Desktop protocols, indicating credential stuffing attempts prior to exploitation.

**Critical Assets Targeted for Exfiltration:**
*   **Agriculture:** Supply chain manifests, distributor contracts, and quality assurance data.
*   **Healthcare:** Patient PHI (Protected Health Information), insurance billing records, and research databases.
*   **Manufacturing:** Proprietary CAD designs, client IP, and ERP financial modules.

**Containment Actions (Order by Urgency):**
1.  **Disconnect:** Immediately disconnect internet-facing mail servers (SmarterMail/Exchange) and remote access tools (ScreenConnect) from the network. Do not reboot systems yet to preserve memory artifacts.
2.  **Isolate:** Segment VLANs containing critical production servers and backup repositories.
3.  **Suspend:** Suspend all user accounts with privileged access (Domain Admins) until reset is verified.

---

# Hardening Recommendations

**Immediate (24h):**
*   **Patch CVE-2024-1708:** If ConnectWise ScreenConnect is in use, apply the patch immediately or restrict access to trusted IP ranges via firewall.
*   **Patch CVE-2025-52691:** Update SmarterTools SmarterMail to the latest patched version immediately.
*   **MFA Enforcement:** Ensure that *all* remote access portals, not just VPNs, have enforced MFA (Phishing-resistant FIDO2 preferred).

**Short-term (2 weeks):**
*   **Network Segmentation:** Architect a "DMZ" strictly for external-facing management tools (ScreenConnect, RMM agents) that does not have direct lateral access to the core data network.
*   **Vulnerability Management:** Implement an automated scanning solution specifically for the CISA KEV catalog to alert on new exploitable vulnerabilities targeting your specific software stack.

---

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarescreenconnectsmartermailcve-2024-1708healthcare

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action