Back to Intelligence

QILIN Ransomware: Global Surge Targeting Manufacturing & Healthcare — Critical CVE Detection Rules

SA
Security Arsenal Team
May 15, 2026
6 min read

Aliases & Structure: Qilin (formerly known as Agenda in some circles, though distinct in tooling) operates as a Ransomware-as-a-Service (RaaS) model. They recruit affiliates with varied skillsets, ranging from initial access brokers to sophisticated negotiators.

Ransom Demands: Qilin typically demands high ransoms, often ranging from $500,000 to several million USD, calibrated strictly to the victim's estimated revenue.

Initial Access: The group demonstrates versatility in initial access vectors. Recent intelligence indicates a heavy reliance on exploiting internet-facing applications (specifically remote management software like ConnectWise ScreenConnect) and email server vulnerabilities (Microsoft Exchange, SmarterMail). They also leverage valid credentials obtained via initial access brokers (IABs) for VPN and RDP brute-forcing.

TTPs: Qilin employs a double-extortion strategy. They utilize a Rust-based encryption strain (highly resistant to analysis) and frequently exfiltrate data using tools like Rclone or Mega prior to encryption. Their dwell time is typically short (3–7 days) once initial access is achieved, moving rapidly to lateral movement via PsExec and WMI.

Current Campaign Analysis

Sector Targeting: Data from the last 100 postings reveals a distinct pivot toward critical infrastructure and essential services. While Business Services remain a constant target, the campaign specifically underscores a surge in Manufacturing (Schulte-Lindhorst GmbH, Fab-Masters) and Healthcare (Spirit Medical Transport). This suggests affiliates are hunting for organizations with low tolerance for downtime.

Geographic Concentration: Qilin maintains a broad global footprint, but recent activity is heavily concentrated in US, DE, and CA. The cluster of victims in the US across various sectors (Construction, Law, Healthcare, Manufacturing) implies a broad, automated scanning campaign or a specific IAB selling US-based access.

Victim Profile: Victims range from mid-market law firms (e.g., John G Yphantides) to larger industrial entities (e.g., AppDirect). This indicates Qilin affiliates are not solely focused on the Fortune 500 but are aggressively targeting mid-sized enterprises ($20M - $500M revenue) likely lacking mature SOC capabilities.

Campaign Velocity: Posting frequency is aggressive, with 9 victims published on a single day (2026-05-13). This "cluster posting" often suggests a batch of successful exploitations using a common vulnerability or a specific exploit kit release.

CVE Correlation: The rapid exploitation of recently disclosed vulnerabilities is a hallmark of this campaign. The inclusion of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2025-52691 (SmarterTools SmarterMail) suggests Qilin affiliates are scanning for unpatched management and mail interfaces immediately after PoC drops. The appearance of CVE-2026-20131 (Cisco FMC) is particularly alarming, indicating attempts to breach network security management consoles to disable monitoring before encryption.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential ConnectWise ScreenConnect Path Traversal (CVE-2024-1708)
id: c0d1b3a5-1234-5678-9101-112233445566
status: experimental
description: Detects path traversal attempts in ConnectWise ScreenConnect logs indicative of exploitation attempts.
author: Security Arsenal Research
date: 2026/05/15
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '../'
      - '%2e%2e'
    cs-uri-stem|contains:
      - '/Bin/'
      - '/Services/'
  condition: selection
level: critical
tags:
  - cve.2024.1708
  - ransomware.qilin
---
title: Suspicious SmarterMail File Upload (CVE-2025-52691)
id: f4e5d6c7-8765-4321-9876-543210987654
status: experimental
description: Detects suspicious file extensions uploaded to SmarterMail endpoints, indicative of web shell upload.
author: Security Arsenal Research
date: 2026/05/15
logsource:
  category: webserver
detection:
  selection:
    c-uri|contains: '/MRS/'
    cs-uri-query|contains:
      - '.aspx'
      - '.ashx'
  condition: selection
level: high
tags:
  - cve.2025.52691
  - initial_access
---
title: Qilin Ransomware Behavior - Mass VSS Deletion
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects the deletion of Volume Shadow Copies using vssadmin or wbadmin, a common precursor to Qilin encryption.
author: Security Arsenal Research
date: 2026/05/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wbadmin.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'delete catalog'
  condition: selection
level: critical
tags:
  - impact
  - ransomware

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin-related lateral movement and staging
// Looks for processes commonly abused by Qilin affiliates (PsExec, PowerShell with specific encodings)
DeviceProcessEvents
| where Timestamp >= ago(3d)
| where InitiatingProcessFileName in~ ("psexec.exe", "psexec64.exe", "powershell.exe", "cmd.exe")
| where ProcessCommandLine has "accepteula" or ProcessCommandLine matches regex @"(?:FromBase64String|IEX).*[-]e[nc]{0,1}\s+\w+"
| extend HostName = DeviceName
| project Timestamp, HostName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

PowerShell Response Script

PowerShell
<#
    Qilin Ransomware - Emergency Triage Script
    Checks for signs of persistence, staging, and VSS manipulation.
#>

Write-Host "[*] Starting Qilin Triage Check..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks added in last 48h (Persistence)
Write-Host "[+] Checking for recently added Scheduled Tasks..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddHours(-48)} | 
    Select-Object TaskName, TaskPath, Date, Author | Format-Table -AutoSize

# 2. Check for VSS Deletion Events (Event ID 25 from VSS)
Write-Host "[+] Checking Volume Shadow Copy Deletion Events (Last 24h)..." -ForegroundColor Yellow
$VSSEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=25; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($VSSEvents) { $VSSEvents | Select-Object TimeCreated, Message | Format-List } 
else { Write-Host "No VSS deletion events found." -ForegroundColor Green }

# 3. Check for RDP Logons with ID 10 (Remote Interactive) from unusual IPs
Write-Host "[+] Checking recent RDP Logons..." -ForegroundColor Yellow
$RDPEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | 
    Where-Object {$_.Message -match 'Logon Type:\s*10'}
if ($RDPEvents) { $RDPEvents | Select-Object TimeCreated, Id, Message | Format-List }
else { Write-Host "No RDP logons found." -ForegroundColor Green }

Write-Host "[*] Triage Complete." -ForegroundColor Cyan


# Incident Response Priorities

**T-minus Detection Checklist:**
1.  **Web Server Logs:** Immediately scan IIS/NGINX logs for path traversal strings (`../`, `%2e%2e`) targeting `/Services/` or `/Bin/` endpoints (ConnectWise ScreenConnect).
2.  **Mail Server Logs:** Review SmarterMail and Exchange HTTP logs for POST requests to unauthorized paths or unauthorized file uploads.
3.  **Process Anomalies:** Hunt for unsigned binaries executing from `C:\Windows\Temp` or `C:\ProgramData` with names mimicking legitimate Windows updates.

**Critical Assets for Exfiltration:**
Qilin historically prioritizes:
*   **Manufacturing:** CAD drawings, Intellectual Property, client databases, ERP systems (SAP/Oracle).
*   **Healthcare:** PHI/EMR databases, insurance claims, patient financial records.

**Containment Actions (Ordered by Urgency):**
1.  **Isolate Internet-Facing Assets:** If ConnectWise ScreenConnect or SmarterMail is on-premise, disconnect it from the network immediately.
2.  **Reset Credentials:** Force reset of passwords for all service accounts (especially those with VPN/RDP access) and privileged admin accounts.
3.  **Block Outbound C2:** Block internet access from critical servers to prevent data exfiltration via tools like Rclone or Mega.

# Hardening Recommendations

**Immediate (24h):**
*   **Patch Management:** Apply patches for **CVE-2024-1708 (ScreenConnect)** and **CVE-2025-52691 (SmarterMail)** immediately. If patching is not possible, disable the service or place it behind a strict VPN with MFA.
*   **Network Segmentation:** Ensure RDP and SMB protocols are blocked from the internet. Enforce MFA on all remote access solutions.

**Short-term (2 weeks):**
*   **Vulnerability Scanning:** Conduct an external-facing scan for the KEV-listed vulnerabilities (Cisco FMC, Exchange, SmarterMail).
*   **EDR Rollout:** Ensure 100% coverage of EDR agents on servers, particularly those managing email and remote access.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwaremanufacturinghealthcarescreenconnectcves

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action