QILIN Ransomware: Global Manufacturing & Healthcare Siege — Detection Engineering & IOCs

Aliases & Evolution: Qilin (formerly known as Agenda). The group operates a sophisticated Ransomware-as-a-Service (RaaS) model, recruiting affiliates with diverse network access capabilities. They are known for utilizing a Rust-based encryptor, which provides cross-platform capabilities and high entropy to evade signature-based detection.

Tactics & Extortion: Qilin employs a double-extortion strategy. They exfiltrate sensitive data prior to encryption and threaten to release it on their dark web leak site if the ransom is not paid. Ransom demands vary significantly based on the victim's revenue, typically ranging from $300,000 to multi-million dollars.

Initial Access & Dwell Time: Initial access is frequently gained through exposed VPN services (specifically targeting vulnerabilities like CVE-2026-50751), phishing campaigns delivering malicious macros, and compromised remote management tools (ScreenConnect). The average dwell time—between initial breach and encryption—has shortened recently to approximately 3 to 7 days as affiliates accelerate operations to deploy encryptors before detection.

Current Campaign Analysis

Sector Targeting: Qilin's latest campaign (last 100 postings) shows a distinct pivot towards critical infrastructure and high-value supply chains.

• Construction: 20% of recent victims (e.g., PJ Daly Contracting, Makel Companies).
• Healthcare: 20% of recent victims (e.g., Golfview Developmental Center, Can Healthcare Group).
• Manufacturing & Agriculture: High-value targets (e.g., Roth Industries, Skupina Don Don/Grupo Bimbo).

Geographic Spread: The operation is globally dispersed but concentrated in the US and Western Europe. Recent victims span Germany (DE), United States (US), Ireland (IE), France (FR), Chile (CL), and Turkey (TR).

Victim Profile: The group targets mid-to-large enterprises. Victims include municipal entities (Commune d'Eyguires) and telecommunications providers (Q Link Wireless), suggesting affiliates are opportunistic regarding verticals but prioritize organizations with high uptime requirements.

CVE Correlation & Initial Access Vectors: The recent victimology correlates strongly with the CISA Known Exploited Vulnerabilities (KEV) list:

• Business Services (MSPs): Victims like ATCOM Outsourcing and THL PROJECT MANAGEMENT likely suffered initial compromise via CVE-2024-1708 (ConnectWise ScreenConnect), a common vector for Managed Service Provider supply chain attacks.
• Large Enterprise: Roth Industries (Manufacturing) and Commune d'Eyguires (Public Sector) are prime candidates for exploitation via CVE-2023-21529 (Microsoft Exchange) or the newly released CVE-2026-50751 (Check Point Security Gateway), given their reliance on perimeter security appliances.

Detection Engineering

SIGMA Rules

The following rules target the specific TTPs observed in Qilin's recent campaigns, focusing on the exploitation of remote management tools and pre-encryption data staging.

title: Potential ConnectWise ScreenConnect Auth Bypass (CVE-2024-1708)
id: 8a7c9f1e-6b4d-4c8a-9e2f-1d3c4a5b6e7d
description: Detects suspicious process execution patterns associated with the exploitation of CVE-2024-1708 on ConnectWise ScreenConnect servers.
author: Security Arsenal Research
date: 2026/06/20
status: experimental
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: 'ScreenConnect'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - '/c'
            - '-encodedcommand'
    condition: selection
falsepositives:
    - Legitimate administrative troubleshooting via ScreenConnect
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve-2024-1708
---
title: Microsoft Exchange Deserialization Gadget Activity (CVE-2023-21529)
id: 1b2d3e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6f
description: Detects potential exploitation of CVE-2023-21529 involving deserialization gadgets in Microsoft Exchange.
author: Security Arsenal Research
date: 2026/06/20
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\w3wp.exe'
            - '\Microsoft.Exchange.Directory.Service.exe'
        CommandLine|contains:
            - 'ViewStateGenerator'
            - 'ObjectStateFormatter'
    condition: selection
falsepositives:
    - High (Requires tuning for specific Exchange versions)
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve-2023-21529
---
title: Mass Deletion of Volume Shadow Copies via VssAdmin
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects attempts to delete Volume Shadow Copies, a common precursor to ransomware encryption to prevent recovery.
author: Security Arsenal Research
date: 2026/06/20
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    condition: selection
falsepositives:
    - System administrator maintenance (rare)
level: critical
tags:
    - attack.impact
    - attack.t1490
    - ransomware

KQL (Microsoft Sentinel)

Use this query to hunt for lateral movement and data staging indicative of Qilin preparation. It looks for high-volume file movements and administrative tool usage (PsExec/WMI) from non-standard workstations.

let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp >= ago(TimeFrame)
// Focus on tools used for lateral movement
| where FileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe", "cmd.exe")
// Filter for administrative share access or remote execution flags
| where ProcessCommandLine has "\\\\" or 
   ProcessCommandLine has "-credential" or 
   ProcessCommandLine has "/node:" or
   ProcessCommandLine has "invoke-command"
// Join with network connection events to see remote destination
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp >= ago(TimeFrame)
    | where RemotePort in (445, 135, 5985, 5986) // SMB, WMI, WinRM
) on DeviceId, Timestamp
// Summarize unique targets per initiating device
| summarize Count = count(), TargetSet = make_set(RemoteDeviceName) by DeviceName, FileName
| where Count > 5 // Threshold for aggressive spreading
| order by Count desc

Rapid Response Hardening Script (PowerShell)

This script checks for the immediate creation of suspicious scheduled tasks (a common persistence mechanism for Qilin) and validates the health of Volume Shadow Copies.

# Qilin Response Script: Persistence & VSS Check
# Requires Administrator Privileges

Write-Host "[+] Checking for suspicious Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan

$DateThreshold = (Get-Date).AddDays(-7)
$SuspiciousActions = @("cmd", "powershell", "wscript", "cscript", "mshta")

Get-ScheduledTask | Where-Object {$_.Date -gt $DateThreshold} | ForEach-Object {
    $TaskInfo = Get-ScheduledTaskInfo -TaskName $_.TaskName -TaskPath $_.TaskPath
    $Action = $_.Actions.Execute
    if ($Action -match [string]::Join("|", $SuspiciousActions)) {
        Write-Host "[!] Potential Malicious Task Found: $($_.TaskName)" -ForegroundColor Red
        Write-Host "    Action: $Action" -ForegroundColor Yellow
        Write-Host "    Last Run: $($TaskInfo.LastRunTime)" -ForegroundColor Yellow
    }
}

Write-Host "[+] Verifying Volume Shadow Copy (VSS) Health..." -ForegroundColor Cyan
try {
    $VSS = vssadmin list shadows
    if ($VSS -match "No shadows found") {
        Write-Host "[!] WARNING: No Volume Shadow Copies exist. System may be vulnerable to total data loss." -ForegroundColor Red
    } else {
        $ShadowCount = ([regex]::Matches($VSS, "Shadow Copy Volume")).Count
        Write-Host "[+] Found $ShadowCount shadow copies." -ForegroundColor Green
    }
} catch {
    Write-Host "[!] Error querying VSS: $_" -ForegroundColor Red
}

Incident Response Priorities

If Qilin activity is suspected, execute the following T-minus checklist immediately:

1. Isolate Internet-Facing Assets: Immediately disconnect any appliance running Check Point Security Gateway or ConnectWise ScreenConnect from the network until patches are verified.
2. Hunt for Web Shells: Check IIS and Exchange web directories for recently modified .aspx, .asmx, or .php files (indicators of CVE-2023-21529).
3. Audit Remote Access Logs: Review VPN logs for successful authentication using IKEv1 (Check Point CVE-2026-50751) originating from anomalous geolocations (e.g., unexpected access from SI, VN, or TR if you are a US entity).
4. Identify Critical Exfil: Qilin historically prioritizes PII/PHI (Healthcare victims), CAD drawings (Construction/Manufacturing), and Financial databases. Segregate these file shares immediately.

Hardening Recommendations

Immediate (24 Hours):

• Patch Critical CVEs: Apply patches for CVE-2024-1708 (ScreenConnect) and CVE-2026-50751 (Check Point). If patching is impossible, disable the services until patched.
• Block Internet RDP: Enforce strict firewall rules to block RDP (TCP 3389) from the internet. Require VPN for all remote administrative access.
• MFA Enforcement: Ensure that all remote access solutions (VPN, ScreenConnect, OWA) have phishing-resistant MFA enforced.

Short-term (2 Weeks):

• Network Segmentation: Separate ICS/SCADA (Manufacturing) and Patient Management (Healthcare) networks from the general IT domain to limit lateral movement.
• Implement EDR Rules: Deploy the provided SIGMA rules to all endpoints to alert on vssadmin usage and ScreenConnect child processes.
• Reduce Attack Surface: Audit and decommission unused Exchange servers and retire legacy VPN concentrators in favor of modern Zero Trust Network Access (ZTNA) solutions.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub