Back to Intelligence

QILIN Ransomware: Global Surge in Healthcare & Manufacturing — Campaign Analysis & Detection Rules

SA
Security Arsenal Team
May 19, 2026
6 min read

Aliases: Agenda, Titan

Operational Model: RaaS (Ransomware-as-a-Service) with an affiliate-driven model. Qilin operates on a profit-sharing basis, providing sophisticated GoLang-based encryptors to affiliates.

Typical Ransom Demands: Variable, generally ranging from $400,000 to several million USD depending on victim revenue. Known to negotiate aggressively.

Initial Access Vectors: Historically, Qilin affiliates rely heavily on Phishing and valid credentials obtained via info stealers. However, recent intelligence indicates a shift towards exploiting external-facing services, specifically VPN appliances and Remote Management Tools.

Double Extortion: Strict adherence to double extortion. Victims' data is exfiltrated prior to encryption. Qilin maintains a dedicated leak site (DLS) where non-paying victims' data is published in batches.

Dwell Time: Average dwell time is estimated between 3 to 7 days. The group is methodical in data staging, often using tools like Rclone or Mega for exfiltration before detonating the encryption payload.

Current Campaign Analysis

Based on intelligence harvested from Qilin's dark web leak site on 2026-05-19, the group is executing a high-volume, geographically diverse campaign.

Sector Targeting

Qilin is displaying a distinct lack of sector bias, but high-volume activity is observed in:

  • Healthcare: 3 victims (Salter HealthCare, Generation Life, CLINICA AVELLANEDA).
  • Agriculture & Food Production: 3 victims (Fruits Queralt, The Taylor Provisions, Comercial Echave Turri).
  • Construction & Manufacturing: 4 victims combined (RCR Industrial Flooring, Buckeye Paper, Monir Precision Monitoring, Turner Supply).

This indicates an "opportunistic" targeting strategy where accessible vulnerabilities (like the CVEs listed below) are prioritized over sector-specific intellectual property.

Geographic Concentration

While global, there is a cluster of activity in:

  • Oceania (AU): 3 victims (RCR, Australian College of Business Intelligence, Generation Life).
  • Europe (GB, ES, AT): 4 victims.
  • Americas (US, CA, AR, CL): 6 victims.
  • Southeast Asia (MY): 2 victims (Majlis Perbandaran, PNSB Insurance).

Victim Profile

The victims range from small-to-medium businesses (e.g., Gartengestaltung Muller eU) to larger public sector entities (Majlis Perbandaran Alor Gajah). Revenue estimates suggest targets between $5M and $500M, implying Qilin affiliates are capable of breaching both modest IT environments and enterprise-grade infrastructure.

Exploited Vulnerabilities

Current campaign activity strongly correlates with the exploitation of CISA Known Exploited Vulnerabilities (KEV):

  • CVE-2024-1708 (ConnectWise ScreenConnect): Critical path traversal allowing RCE. A primary vector for recent access.
  • CVE-2023-21529 (Microsoft Exchange): Deserialization vulnerability allowing authenticated code execution.
  • CVE-2025-52691 / CVE-2026-23760 (SmarterTools SmarterMail): File upload and auth bypass vulnerabilities.

Escalation Patterns

Posting frequency has spiked, with 4 victims published on 2026-05-17 alone. This suggests a mass-compromise event, likely via a common vulnerability (e.g., a specific exploit automation tool targeting ScreenConnect) was utilized across multiple geographies.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential ConnectWise ScreenConnect Authentication Bypass
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects potential exploitation of CVE-2024-1708 / CVE-2026-23760 against ConnectWise ScreenConnect via suspicious URI patterns.
status: experimental
date: 2026/05/19
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/Bin/ScreenConnect.ashx'
            - '/WebService.asmx/'
            - 'SetupWizard.aspx'
    condition: selection
falsepositives:
    - Legitimate administrative access to ScreenConnect console
level: high
tags:
    - attack.initial_access
    - cve.2024.1708
    - ransomware.qilin
---
title: SmarterMail SmarterTools Unrestricted File Upload
id: b2c3d4e5-6789-01ab-cdef-234567890abc
description: Detects potential exploitation of CVE-2025-52691 in SmarterMail via suspicious file extensions or paths.
status: experimental
date: 2026/05/19
author: Security Arsenal Research
logsource:
    category: webserver
detection:
    selection_uri:
        c-uri|contains: '/Services/Mail.asmx'
    selection_ext:
        c-uri|endswith:
            - '.aspx'
            - '.ashx'
    selection_keywords:
        cs-method|contains:
            - 'POST'
    condition: all of selection_*
falsepositives:
    - Legitimate mail client interactions
level: high
tags:
    - attack.initial_access
    - cve.2025.52691
    - ransomware.qilin
---
title: Suspicious PowerShell Encoded Command Execution
id: c3d4e5f6-7890-12ab-cdef-345678901bcd
description: Detects highly obfuscated PowerShell commands often used by Qilin affiliates for lateral movement and defense evasion.
status: experimental
date: 2026/05/19
author: Security Arsenal Research
logsource:
    product: windows
    service: security
detection:
    selection_id:
        EventID: 4688
    selection_process:
        NewProcessName|endswith: '\\powershell.exe'
    selection_cmd:
        CommandLine|contains:
            - '-EncodedCommand'
            - '-Enc'
    condition: all of selection_
falsepositives:
    - System administration scripts
level: medium
tags:
    - attack.execution
    - attack.t1059.001
    - ransomware.qilin

KQL (Microsoft Sentinel)

Hunt for suspicious processes spawned by IIS worker processes (w3wp.exe), which is a common indicator of successful web shell exploitation (relevant to the Exchange and SmarterMail CVEs).

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName == "w3wp.exe"
| where ProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| order by Timestamp desc

PowerShell Hardening Script

Rapid response script to identify potential Qilin persistence mechanisms and abnormal shadow copy activity.

PowerShell
# Qilin Persistence and Shadow Copy Check
Write-Host "[+] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {$_.Date -ge (Get-Date).AddDays(-7)} | Select-Object TaskName, Date, Author, Actions

Write-Host "[+] Checking for recently modified Volume Shadow Copies (Staging/Deletion)..." -ForegroundColor Cyan
$vss = vssadmin list shadows /for=c:
if ($vss -match "No shadow copies") {
    Write-Host "    [!] No Shadow Copies found on C:. This may indicate deletion." -ForegroundColor Yellow
} else {
    Write-Host "    Shadow Copy data:"
    $vss
}

Write-Host "[+] Checking for RDP logs with failure patterns..." -ForegroundColor Cyan
$rdpEvents = Get-WinEvent -LogName Microsoft-Windows-TerminalServices-LocalSessionManager/Operational -MaxEvents 100 -ErrorAction SilentlyContinue | Where-Object {$_.TimeCreated -ge (Get-Date).AddHours(-24)}
if ($rdpEvents) { $rdpEvents | Select-Object TimeCreated, Id, Message }


---

# Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption)

  • Web Server Logs: Immediate grep for ConnectWise or ScreenConnect strings in proxy/WAF logs looking for the setup wizard requests.
  • Exchange Logs: Audit IIS logs for POST requests to /EWS/Exchange.asmx or /OWA containing serialized data patterns.
  • Process Anomalies: Hunt for w3wp.exe spawning cmd.exe or powershell.exe.

Critical Assets Prioritized for Exfiltration

Qilin historically targets:

  1. PII/PHI: Patient records (Healthcare sector victims), Customer databases.
  2. Financial Data: Banking details, Tax documents, Insurance policies.
  3. Intellectual Property: CAD drawings (Construction/Manufacturing), Proprietary formulas (Ag/Food).

Containment Actions (Ordered by Urgency)

  1. Isolate: Disconnect identified vulnerable appliances (ScreenConnect servers, Exchange CAS servers) from the network immediately.
  2. Reset: Force reset of credentials for all accounts that have logged into ScreenConnect or OWA in the last 30 days.
  3. Suspend: Suspend active RDP sessions and enforce MFA for all remote access.

Hardening Recommendations

Immediate (24 Hours)

  • Patch: Apply patches for CVE-2024-1708 (ScreenConnect) and CVE-2025-52691 (SmarterMail) immediately. If patching is not possible, disable the services or place them behind a strict Zero Trust Access proxy.
  • Block: Block inbound internet access to ScreenConnect/ScreenConnect web interfaces from untrusted IPs at the firewall.
  • Audit: Run a user access review to identify dormant accounts with permissions to email systems or remote management tools.

Short-term (2 Weeks)

  • Network Segmentation: Ensure management planes (ScreenConnect, Exchange, vCenter) are in a separate VLAN with strict egress filtering.
  • MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) for all web-based management interfaces.
  • EDR Tuning: Configure EDR to alert on any unsigned code execution or script-based launches from web server processes.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarehealthcaremanufacturingscreenconnectcve-2024-1708

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action