Back to Intelligence

QILIN Ransomware: Multi-Sector Surge Targeting Healthcare & Energy — IOCs & Detection Rules

SA
Security Arsenal Team
June 6, 2026
6 min read

Release Date: 2026-06-06 Threat Level: HIGH Analyst: Security Arsenal Intel Unit

Threat Actor Profile — QILIN

Aliases: Agenda (Former), Qilin.

Operational Model: RaaS (Ransomware-as-a-Service). Qilin operates an affiliate-based model, aggressively recruiting penetration testers to leverage custom payloads and stolen credentials.

Typical Ransom Demands: $500,000 to $5,000,000 USD, often negotiated aggressively via their .onion portal.

Initial Access Vectors:

  • Exploitation: Heavy reliance on internet-facing vulnerabilities, specifically VPN appliances and remote management tools (e.g., ConnectWise ScreenConnect, Cisco FMC).
  • Phishing: Highly targeted spear-phishing with weaponized attachments.
  • Credentials: Purchasing valid RDP/VPN credentials from initial access brokers (IABs).

Tactics: Double extortion is standard. They exfiltrate sensitive data to their leak site before encryption and threaten public release. Qilin is known for using a customized Go-based ransomware variant that targets Windows and Linux ESXi servers. They often disable VSS (Volume Shadow Copies) and security tools via PowerShell.

Dwell Time: Typically 3 to 7 days between initial access and encryption detonation.

Current Campaign Analysis

Based on victim postings from 2026-06-02 to 2026-06-05, Qilin is executing a high-volume campaign with distinct targeting.

Sectors Targeted

The latest wave shows a diverse but aggressive targeting profile:

  • Healthcare: 20% of recent victims (Central Florida Cosmetic & Family Dentistry, Nova Medical Products, Clinica Maitenes).
  • Construction & Engineering: 20% (Pro-MEC, Ontario Home Builders' Association).
  • Energy & Utilities: 13% (Trican, MEISA - Sines).
  • Hospitality & Consumer Services: Jay's Catering, Swim-Mor Pools, MarketJoy.
  • Transportation/Logistics: Avcon Jet.

Geographic Concentration

  • North America: Dominant focus on US (Healthcare/Consumer Services) and CA (Construction/Energy).
  • Europe: Significant activity in Germany (Business Services), Austria (Transportation), and Portugal (Energy).
  • Global Reach: Outliers noted in South Korea (Manufacturing), Brazil (Agriculture), Chile (Healthcare), and Slovenia.

Victim Profile

Victims range from mid-market businesses (e.g., Swim-Mor Pools) to larger infrastructure entities (Trican in Energy). The targeting of regional healthcare providers and construction associations suggests a "spray and pray" approach on critical regional infrastructure rather than solely targeting Fortune 500s.

CVE Correlation

Recent activity strongly correlates with the exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2025-52691 (SmarterTools SmarterMail). These vulnerabilities provide remote code execution (RCE) capabilities, allowing affiliates to bypass perimeter defenses quickly. The presence of CVE-2026-20131 (Cisco Secure Firewall) indicates an attempt to subvert the very defenses meant to stop them.

Detection Engineering

Sigma Rules

YAML
---
title: Potential ConnectWise ScreenConnect Path Traversal Exploitation
id: 2f4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d
status: experimental
description: Detects potential exploitation of CVE-2024-1708 in ConnectWise ScreenConnect. 
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/06/06
tags:
    - attack.initial_access
    - cve.2024.1708
    - qilin
logsource:
    category: web
    product: apache
detection:
    selection:
        cs-uri-query|contains:
            - '/Bin/Web.ashx'
            - 'Host='
        cs-uri-query|contains:
            - '../'
            - '%2e%2e'
    condition: selection
falsepositives:
    - Legitimate administration misconfiguration
level: critical
---
title: Suspicious SmarterMail File Upload (CVE-2025-52691)
id: 3g5h6i7j-8k9l-0m1n-2o3p-4q5r6s7t8u9v
status: experimental
description: Detects potential exploitation of SmarterMail Unrestricted Upload vulnerability.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/06/06
tags:
    - attack.initial_access
    - cve.2025.52691
    - qilin
logsource:
    category: web
    product: iis
detection:
    selection:
        cs-uri-stem|contains: '/Services/MailService.asmx'
        cs-method: 'POST'
    condition: selection
falsepositives:
    - Legitimate API usage
level: high
---
title: Qilin Ransomware Pattern - VSS Deletion via PowerShell
id: 4j6k7l8m-9n0o-1p2q-3r4s-5t6u7v8w9x0y
status: experimental
description: Detects commands often used by Qilin affiliates to delete Volume Shadow Copies prior to encryption.
references:
    - https://securityarsenal.com
author: Security Arsenal
date: 2026/06/06
tags:
    - attack.impact
    - qilin
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'vssadmin.exe delete shadows'
            - 'wmic shadowcopy delete'
            - 'Remove-Item -Recurse -Force'
    condition: selection
falsepositives:
    - System Administrator backup maintenance
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin lateral movement and staging
// Looks for mass file movement (common in exfil) and unusual administrative access
DeviceProcessEvents 
| where Timestamp > ago(3d)
| where (InitiatingProcessFileName =~ "powershell.exe" or InitiatingProcessFileName =~ "cmd.exe") 
| where ProcessCommandLine has "rclone" or ProcessCommandLine has "WinSCP" 
   or (ProcessCommandLine has "New-PSDrive" and ProcessCommandLine has "-PSProvider")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

Rapid Response Script (PowerShell)

PowerShell
# QILIN Response Check: Identify recent VSS deletion or Scheduled Task obfuscation
# Run as Administrator on suspected endpoints

Write-Host "[+] Checking for recent VSS Shadow Copy Deletion attempts..." -ForegroundColor Cyan
$VSSLogs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -ErrorAction SilentlyContinue | 
           Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) } |
           Where-Object { $_.Message -match "vssadmin.exe" -and $_.Message -match "delete" }

if ($VSSLogs) { 
    Write-Host "[!] CRITICAL: VSS Deletion Activity Detected in last 24h:" -ForegroundColor Red 
    $VSSLogs | Format-List TimeCreated, Message 
} else { 
    Write-Host "[*] No recent VSS deletion activity found." -ForegroundColor Green 
}

Write-Host "[+] Checking for Scheduled Tasks created in last 48h (Persistence)...
" -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddHours(-48) } | 
    Select-Object TaskName, Date, Author, TaskPath | Format-Table -AutoSize


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption)

  1. ScreenConnect Logs: Immediate review of ScreenConnect_[YYYYMMDD].log for path traversal strings (/../../..) or Web.ashx anomalies.
  2. Exchange Audit: Check for cmdlet invocation New-MailboxExportRequest or Search-Mailbox by non-admin accounts (common exfil method).
  3. Network Traffic: Look for large outbound file transfers (exfil) to non-corporate IP addresses, specifically ports 80/443 using non-browser User-Agents (e.g., rclone, curl).

Critical Assets for Exfiltration

Based on the current victim pool (Healthcare & Energy):

  • PHI/PII: Patient databases (EHR/EMR).
  • Proprietary Data: CAD drawings (Construction), Geophysical data (Energy), Flight manifests (Logistics).
  • Financials: Executive email archives and billing systems.

Containment Actions (Order of Urgency)

  1. Isolate: Disconnect internet-facing RDP/VPN interfaces immediately if patches for CVE-2024-1708 or CVE-2026-20131 are missing.
  2. Credential Reset: Force reset of credentials for all service accounts associated with ConnectWise and Exchange.
  3. Segmentation: Sever VLAN connections between management networks and critical OT/IT infrastructure (especially for Energy/Construction victims).

Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical CVEs: Apply patches for CVE-2024-1708 (ConnectWise), CVE-2025-52691 (SmarterMail), and CVE-2026-20131 (Cisco FMC). These are confirmed active exploitation paths.
  • Disable MFA Bypass: Enforce strict MFA on all remote access solutions; disable legacy authentication protocols.
  • Block RDP from Internet: If not required, block TCP/3389 at the perimeter firewall.

Short-Term (2 Weeks)

  • Micro-Segmentation: Implement Zero Trust segmentation to prevent lateral movement from the DMZ to the internal network.
  • EDR Rollout: Ensure Endpoint Detection and Response (EDR) coverage is 100% on critical servers, specifically those hosting email and file services.
  • Backup Verification: Validate that offline backups are immutable and cannot be accessed via the administrative tools Qilin targets (e.g., vshadow commands).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarehealthcareenergycisa-kevscreenconnect

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action