Back to Intelligence

QILIN Ransomware: Global Surge in Manufacturing & Healthcare Targets — Critical IOCs & Detection Logic

SA
Security Arsenal Team
May 18, 2026
6 min read

Date: 2026-05-18
Source: Ransomware.live Dark Web Leak Site Monitor
Analyst: Security Arsenal Threat Intelligence Unit

Threat Actor Profile — QILIN

  • Aliases: Qilin (formerly Agenda, though often distinct; operates under the Qilin brand).
  • Operational Model: Ransomware-as-a-Service (RaaS). The core development team maintains the Rust-based encryption payload while recruiting affiliates for initial access and network penetration.
  • Ransom Demands: Variable, typically ranging from $300,000 to $5 million USD, depending on victim revenue and exfiltrated data volume.
  • Initial Access Vectors: Historically relies heavily on exploiting external-facing services (VPN vulnerabilities, RDP brute-forcing) and phishing. Recent intelligence confirms a heavy pivot toward exploiting ConnectWise ScreenConnect (CVE-2024-1708) and Microsoft Exchange (CVE-2023-21529).
  • Double Extortion: Strict adherence to double extortion. Exfiltration occurs via tools like Rclone or MegaCMD prior to encryption. The gang operates a clear "name-and-shame" leak site strategy.
  • Dwell Time: Rapid. Qilin affiliates often move from initial access to encryption in 3–7 days, minimizing the window for defenders to detect lateral movement.

Current Campaign Analysis

Recent Victim Snapshot (Last 72 Hours)

Qilin has posted 15 new victims in the last 3 days alone, with a total of 26 victims in the last 100 postings. The targeting pattern is opportunistic but displays a distinct preference for sectors with operational technology dependencies or critical time-sensitive data.

  • Top Targeted Sectors:

    • Manufacturing: Buckeye Paper (US), Monir Precision Monitoring (CA).
    • Healthcare: Salter HealthCare (GB), Generation Life (AU), CLINICA AVELLANEDA MEDICAL CENTER (AR).
    • Agriculture & Food: Fruits Queralt (ES), The Taylor Provisions (GB), Comercial Echave Turri Limitada (CL).
    • Public Sector: Majlis Perbandaran Alor Gajah (MY).

  • Geographic Concentration:
    The campaign is highly trans-continental. While US, GB, and AU remain primary targets due to higher ransom capacity, there is a notable expansion into Malaysia (MY) and Chile (CL), suggesting affiliates are testing less mature markets.

  • Victim Profile:
    Mid-market entities (revenue $10M - $200M). These organizations often have sufficient cyber insurance to pay ransoms but lack the 24/7 SOC capabilities to detect early exploitation.

  • TTP Alignment with CVEs:
    The spike in activity correlates directly with the weaponization of CVE-2024-1708 (ConnectWise ScreenConnect). Given the presence of SmarterMail and Cisco FMC vulnerabilities in their exploit cache, affiliates are likely scanning for unpatched management interfaces as a primary entry vector.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential ScreenConnect Authentication Bypass / Path Traversal (CVE-2024-1708)
id: 4a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
description: Detects potential exploitation attempts of ConnectWise ScreenConnect path traversal vulnerability observed in Qilin campaigns.
status: experimental
date: 2026/05/18
author: Security Arsenal
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/bin/'
            - '..%2f'
            - '..\'
        cs-method|contains:
            - 'GET'
            - 'POST'
    condition: selection
falsepositives:
    - Legitimate administrative access (rare with these patterns)
level: critical
---
title: Suspicious PowerShell Child Process of Web Server
id: b1c2d3e4-f5a6-b7c8-d9e0-f1a2b3c4d5e6
description: Detects PowerShell spawned by web server processes, often indicative of web shell activity leading to ransomware deployment.
status: experimental
date: 2026/05/18
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\w3wp.exe'
            - '\httpd.exe'
            - '\tomcat.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate server administration scripts
level: high
---
title: Rapid Volume Shadow Copy Deletion
id: c2d3e4f5-a6b7-c8d9-e0f1-a2b3c4d5e6f7
description: Detects rapid deletion of Volume Shadow Copies via vssadmin or diskshadow, a common precursor to Qilin encryption.
status: experimental
date: 2026/05/18
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_keywords:
        CommandLine|contains:
            - 'delete shadows'
            - 'resize shadowstorage'
    selection_images:
        Image|endswith:
            - '\vssadmin.exe'
            - '\diskshadow.exe'
    condition: all of selection_*
falsepositives:
    - System maintenance (rare)
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin-related lateral movement and staging
// Focuses on common tools used by affiliates: PsExec, WMI, and Rclone
let Timeframe = 1d;
DeviceProcessEvents
| where Timestamp >= ago(Timeframe)
// Filter for common lateral movement tools
| where FileName in~ ('psexec.exe', 'psexec64.exe', 'psexecsvc.exe', 'wmic.exe', 'wmi.exe', 'rclone.exe')
// Filter for suspicious command lines typical of Qilin ops
| where ProcessCommandLine has_any (
    '-accepteula', 
    'copy ', 
    'move ', 
    'config ', 
    'sync ',
    'process call create'
    )
// Correlate with network connections often used for exfil (Mega, Dropbox, etc.)
| join kind=inner ( 
    DeviceNetworkEvents 
    | where Timestamp >= ago(Timeframe) 
    | where RemoteUrl has_any ('mega.nz', 'dropbox.com', 'transfer.sh', 'anonfiles') 
    | project DeviceId, RemoteUrl, RemoteIP 
) on DeviceId
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, RemoteUrl, RemoteIP
| order by Timestamp desc

PowerShell (Rapid Response)

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Response - Check for Persistence and Staging
.DESCRIPTION
    Checks for recently created scheduled tasks (common Qilin persistence) 
    and identifies unusual large file transfers in the last 24 hours.
#>

Write-Host "[!] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) } | Select-Object TaskName, TaskPath, Date, Author

Write-Host "[!] Checking for unusual file modifications (Potential Staging)..." -ForegroundColor Yellow
$Drives = Get-PSDrive -PSProvider FileSystem
$TimeThreshold = (Get-Date).AddHours(-24)

foreach ($Drive in $Drives) {
    if (Test-Path $Drive.Root) {
        Write-Host "Scanning drive $($Drive.Root)..." -ForegroundColor Cyan
        Get-ChildItem -Path $Drive.Root -Recurse -ErrorAction SilentlyContinue -Force |
        Where-Object { $_.LastWriteTime -gt $TimeThreshold -and $_.Length -gt 10MB } |
        Select-Object FullName, @{Name="Size(MB)";Expression={[math]::Round($_.Length/1MB,2)}}, LastWriteTime |
        Format-Table -AutoSize
    }
}

Write-Host "[!] Checking for exposed RDP sessions..." -ForegroundColor Yellow
query user


---

Incident Response Priorities

  1. T-minus Detection Checklist:

    • Web Logs: Immediate grep for CVE-2024-1708 patterns (path traversal %2f) in ConnectWise ScreenConnect logs.
    • Identity: Check Active Directory logs for anomalies on service accounts associated with Exchange or VPN endpoints.
    • Process Tree: Hunt for powershell.exe spawning directly from w3wp.exe or svchost.exe without user context.

  2. Critical Asset Prioritization:

    • Qilin aggressively targets Active Directory databases (NTDS.dit) and HR/Payroll databases for maximum leverage. Secure these systems first.

  3. Containment Actions (Order of Urgency):

    • Isolate: Disconnect internet-facing VPN concentrators and management interfaces (ScreenConnect, Cisco FMC) from the internal network.
    • Credential Reset: Force reset of privileged credentials for all admin accounts, specifically those used for Exchange and ScreenConnect management.
    • Block: Implement firewall rules to block outbound connections to known exfil IPs and anonymizers (Tor, VPN gateways) immediately.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical Vulnerabilities: Apply patches for CVE-2024-1708 (ScreenConnect) and CVE-2023-21529 (Exchange) immediately. If patching is not possible, disable the service or move it behind a zero-trust VPN with MFA.
  • Disable Public RDP: Ensure no RDP (TCP 3389) or SMB (TCP 445) ports are exposed to the internet.
  • MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) for all remote access and management interfaces.

Short-term (2 Weeks)

  • Network Segmentation: Restrict lateral movement by segmenting operational technology (OT) and backup networks from the main corporate network.
  • EDR Deployment: Ensure endpoint detection and response coverage is 100% on servers holding critical data, specifically focusing on backup servers.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarecve-2024-1708manufacturinghealthcaredefense-evasion

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action