Back to Intelligence

QILIN Ransomware: Global Surge Exploiting SmarterMail & ScreenConnect — 15 Victims in 72 Hours

SA
Security Arsenal Team
May 18, 2026
8 min read

Intelligence Briefing Date: 2026-05-19 Source: Ransomware.live Dark Web Leak Site Monitoring Threat Level: CRITICAL

Threat Actor Profile — QILIN

  • Known Aliases: Agenda (previously), Twisted Spider ( speculated affiliate connections).
  • Operating Model: Ransomware-as-a-Service (RaaS). Qilin operates an aggressive affiliate program that provides a Rust-based encryptor customizable for each victim.
  • Typical Ransom Demands: Variable, generally ranging from $300,000 to $5 million USD, depending on victim revenue and exfiltrated data volume.
  • Initial Access Vectors: Historically focused on phishing and compromised credentials. However, current intelligence indicates a heavy pivot toward exploiting external-facing services, specifically ConnectWise ScreenConnect and SmarterTools SmarterMail.
  • Tactics: Double extortion is standard. They exfiltrate sensitive data to their own leak site (Tor) before encrypting systems. Qilin is known for using "living off the land" binaries (LOLBins) and custom PowerShell scripts for lateral movement and defense evasion.
  • Dwell Time: Short. Recent telemetry suggests an average dwell time of 3–5 days between initial access and encryption detonation.

Current Campaign Analysis

Victim Overview (Data: 2026-05-15 to 2026-05-18)

Qilin has posted 15 new victims in the last 72 hours, marking a significant escalation in activity. The campaign is geographically dispersed but tactically focused on specific vulnerable internet-facing infrastructure.

  • Sectors Targeted:

    • Healthcare: Salter HealthCare (GB), CLINICA AVELLANEDA MEDICAL CENTER (AR), Generation Life (AU).
    • Manufacturing & Construction: Buckeye Paper (US), RCR Industrial Flooring (AU), Monir Precision Monitoring (CA), Turner Supply (US).
    • Agriculture & Food: Fruits Queralt (ES), The Taylor Provisions (GB), Comercial Echave Turri Limitada (CL).
    • Public Sector & Education: Majlis Perbandaran Alor Gajah (MY), Australian College of Business Intelligence (AU).

  • Geographic Concentration: Highly global. Significant clusters in North America (US, CA) and Europe (GB, ES, AT), with aggressive expansion into Asia-Pacific (AU, MY) and South America (CL, AR).

  • Victim Profile: Predominantly mid-market organizations. Targets range from municipal entities (Alor Gajah) to specialized manufacturers (Buckeye Paper). Revenue estimates suggest a focus on $10M – $200M USD entities—organizations with sufficient cyber insurance or liquidity to pay, but lacking mature security operations centers.

  • Escalation Patterns: The group is posting victims in batches (3+ per day). The rapid succession of publications suggests the affiliates are automating the encryption phase or running simultaneous operations against multiple targets using the same exploit kits.

  • CVE Correlation:

    • ConnectWise ScreenConnect (CVE-2024-1708): This vulnerability (Path Traversal) is a high-confidence vector for recent access, particularly for MSP-connected victims like Monir Precision Monitoring and PNSB Insurance Brokers.
    • SmarterMail (CVE-2025-52691 & CVE-2026-23760): The file upload and auth bypass vulnerabilities in SmarterMail are likely being used to breach the Healthcare and Education sectors, where this email solution is popular.
    • Cisco FMC (CVE-2026-20131): Exploitation of firewall management centers allows for perimeter bypass and persistent access, aligning with the network-wide encryption observed in these attacks.

Detection Engineering

The following detection logic is designed to identify the specific TTPs observed in the Qilin campaign: exploitation of web shells, remote management tools, and ransomware precursor activity.

SIGMA Rules

YAML
title: Potential SmarterMail Authentication Bypass Exploit
id: 9a8b7c6d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
description: Detects suspicious authentication patterns and URL structures associated with CVE-2026-23760 (SmarterMail Auth Bypass).
status: experimental
date: 2026/05/19
author: Security Arsenal Research
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains: 
            - '/Services/MailBox.asmx'
            - '/Classic/Default.aspx'
        sc-status: 200
    filter:
        c-useragent|contains: 'Mozilla'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative logins
level: high
---
title: ScreenConnect Path Traversal Exploitation Attempt
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects directory traversal sequences in ScreenConnect web requests indicative of CVE-2024-1708 exploitation.
status: experimental
date: 2026/05/19
author: Security Arsenal Research
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection_uri:
        c-uri|contains: 
            - '..%2f'
            - '..\'
            - '%2e%2e'
    selection_path:
        c-uri|contains: 
            - 'SetupControl'
            - 'Bin'
            - 'App_'
    condition: all of selection_*
falsepositives:
    - Low
level: critical
---
title: Qilin Ransomware Pre-Encryption Activity
id: c2d3e4f5-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects common Qilin precursor behavior including Volume Shadow Copy deletion and large file transfers via renamed Rclone or Bitsadmin.
status: experimental
date: 2026/05/19
author: Security Arsenal Research
logsource:
    category: process_creation
detection:
    selection_vss:
        CommandLine|contains: 'delete shadows'
        Image|endswith: '\vssadmin.exe'
    selection_rclone:
        OriginalFileName: 'rclone.exe' 
        Image|endswith:
            - '\calc.exe'
            - '\notepad.exe'
    selection_bits:
        Image|endswith: '\bitsadmin.exe'
        CommandLine|contains: 'transfer'
    condition: 1 of selection_
falsepositives:
    - Legitimate system administration (rare for vssadmin delete)
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin lateral movement and data staging
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp >= ago(TimeFrame)
// Look for typical Qilin LOLBins and tools
| where FileName in~ ("powershell.exe", "cmd.exe", "powershell_ise.exe", "wmiexec.exe", "psexec.exe", "psexec64.exe", "procdump.exe", "rclone.exe", "7z.exe")
// Filter for suspicious command lines
| where ProcessCommandLine has_any ("-enc", "DownloadString", "IEX", "Copy-Item", "shadow", "delete", "compress", "archive") 
        or ProcessCommandLine matches regex @"\s-W\s\d+"  // Hidden window creation typical in automation
| summarize count(), arg_max(Timestamp, *) by DeviceId, AccountName, FileName, ProcessCommandLine
| project Timestamp, DeviceId, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Rapid Response Script for Qilin Indicators of Compromise.
.DESCRIPTION
    Checks for recent Shadow Copy manipulation, suspicious scheduled tasks, 
    and common Qilin staging locations.
#>

Write-Host "[+] Starting Qilin Rapid Response Check..." -ForegroundColor Cyan

# 1. Check for recent VSSAdmin deletion events (Event ID 1 from VSSAdmin)
Write-Host "[*] Checking for Volume Shadow Copy Deletion..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSSADMIN'; ID=1; StartTime=(Get-Date).AddHours(-48)} -ErrorAction SilentlyContinue
if ($vssEvents) { 
    Write-Host "[!] CRITICAL: VSSAdmin deletion detected in last 48 hours:" -ForegroundColor Red
    $vssEvents | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "[-] No VSSAdmin deletion events found." -ForegroundColor Green
}

# 2. Enumerate Scheduled Tasks created in the last 7 days
Write-Host "[*] Checking for recently created Scheduled Tasks (Persistence)..." -ForegroundColor Yellow
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($suspiciousTasks) {
    Write-Host "[!] WARNING: Tasks created/modified in last 7 days:" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, Date, Author, Actions | Format-List
} else {
    Write-Host "[-] No recent suspicious scheduled tasks found." -ForegroundColor Green
}

# 3. Check for common staging folders/temp large files
Write-Host "[*] Scanning for large archive files in C:\Windows\Temp..." -ForegroundColor Yellow
$largeFiles = Get-ChildItem -Path "C:\Windows\Temp" -Filter "*.zip" -ErrorAction SilentlyContinue | Where-Object { $_.Length -gt 50MB }
if ($largeFiles) {
    Write-Host "[!] WARNING: Large zip files found in Temp:" -ForegroundColor Red
    $largeFiles | Select-Object FullName, Length, LastWriteTime
}

Write-Host "[+] Scan Complete." -ForegroundColor Cyan


---

Incident Response Priorities

Based on the Qilin playbook observed in this campaign, execute the following IR priorities immediately:

T-Minus Detection Checklist (Before Encryption)

  1. Web Server Logs: Immediately review IIS/NGINX logs for SmarterMail (.asmx anomalous calls) and ScreenConnect (Path Traversal ../ sequences) exploitation attempts.
  2. Service Account Usage: Hunt for unusual logins from service accounts typically reserved for email or RDP management, particularly those originating from external IPs.
  3. PowerShell Logs: Check for PSRemoting or WMI event logs (Event ID 4688 with specific parent processes) indicating remote command execution.

Critical Assets for Exfiltration

Qilin prioritizes data that disrupts business continuity or carries privacy fines:

  • PII/PHI Databases: SQL Server backups and flat files (Patient records in Healthcare targets).
  • Financial Documents: A/P, A/R, and tax filings (Insurance and Financial targets).
  • CAD/Blueprint Files: Intellectual property and design schematics (Construction/Manufacturing targets).

Containment Actions (Ordered by Urgency)

  1. Isolate Internet-Facing Servers: Disconnect SmarterMail, Exchange, and ScreenConnect servers from the network immediately. Do not shut down (for RAM forensics), but isolate VLANs.
  2. Disable VPN Accounts: Revoke credentials for any user accounts that have logged in via VPN in the last 48 hours, especially if MFA was bypassed or not enforced.
  3. Suspend Active Directory Replication: If lateral movement is suspected, suspend replication to prevent the spread of malicious GPOs.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical CVEs: Apply patches for CVE-2024-1708 (ScreenConnect), CVE-2023-21529 (Exchange), CVE-2026-20131 (Cisco FMC), and the SmarterMail CVEs (2025-52691 / 2026-23760) to external-facing servers.
  • Disable Internet-Facing RDP: Ensure RDP (TCP 3389) is not accessible from the internet. Enforce VPN + MFA for all remote access.
  • Block Port 8041: ScreenConnect default port; restrict to source IPs of managed MSPs only.

Short-Term (2 Weeks)

  • Web Application Firewall (WAF) Tuning: Implement specific rules to block path traversal attempts and anomalous POST requests to mail servers.
  • Network Segmentation: Separate backup repositories from the main production network. Ensure backups are immutable or offline (air-gapped).
  • MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) on all email and remote access gateways.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwaresmartermailscreenconnectcve-2024-1708healthcare

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action