Back to Intelligence

QILIN Ransomware: Surge in Construction & Service Sector Attacks — Detection & Intel Brief

SA
Security Arsenal Team
May 20, 2026
6 min read

Aliases: Agenda (historical), Qilin.B

Operating Model: RaaS (Ransomware-as-a-Service). Qilin operates an affiliate-based model, providing a custom Go/Rust-based encryptor to partners. They are known for aggressive "double extortion" tactics, threatening data leaks alongside encryption.

Ransom Demands: Historically variable, ranging from $200,000 to multi-million dollars depending on victim revenue. Recent demands on mid-market Construction and Business Services targets suggest an average ask of $500k–$800k.

Initial Access Vectors: Qilin affiliates aggressively weaponize known vulnerabilities in remote access and email infrastructure. The current campaign shows a heavy reliance on:

  • Exploited Public-Facing Applications: Specifically ConnectWise ScreenConnect (CVE-2024-1708) and SmarterTools SmarterMail (CVE-2025-52691, CVE-2026-23760).
  • Valid Credentials: Phishing for VPN/RDP credentials remains a staple for persistence.

Double Extortion: Standard practice. Victims are given a short window (usually 3-7 days) to pay before data is published on their .onion site.

Dwell Time: Short. When exploiting CVEs like ScreenConnect, Qilin affiliates often move to encryption within 48–72 hours of initial access.

Current Campaign Analysis

Campaign Overview: As of 2026-05-21, Qilin has posted 27 new victims. The tempo indicates a high-volume, automated affiliate operation.

Targeted Sectors:

  • Construction & Trades (38%): Heavy targeting of engineering firms (CJ Architects), industrial flooring (RCR), and specialized trade contractors (HVAC, Drywall, Stucco).
  • Business Services (25%): Professional services and B2B support organizations.
  • Critical Infrastructure Adjacent: Agriculture (Vial Agro, Fruits Queralt) and Healthcare (Salter HealthCare).

Geographic Distribution:

  • Primary: United States (US), United Kingdom (GB).
  • Secondary: Canada (CA), Australia (AU), New Zealand (NZ), and Europe (AT, CZ, AR).

Victim Profile: The victims are predominantly mid-market enterprises (SMEs). These organizations typically have IT budgets sufficient for enterprise software (ScreenConnect, Exchange, SmarterMail) but often lag in patch management, making them ideal targets for N-day vulnerability exploitation.

Observed TTPs & CVE Correlation: There is a direct correlation between the recent spike in victims and the exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) and SmarterMail vulnerabilities. Qilin affiliates are scanning for exposed management interfaces and deploying webshells for immediate execution.

Detection Engineering

SIGMA Rules

YAML
title: Potential Qilin ScreenConnect Webshell Activity CVE-2024-1708
id: 9c8e2a1d-f4e5-4c88-9b12-a5c0d3f8e9a1
description: Detects potential webshell activity or suspicious authentication bypass patterns associated with CVE-2024-1708 on ConnectWise ScreenConnect servers.
status: experimental
date: 2026/05/21
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5140 or 5145
        ShareName|contains: 'ScreenConnect'
        RelativeTargetName|contains: 
            - 'Web.config'
            - '.aspx'
            - '.ashx'
    condition: selection
falsepositives:
    - Legitimate administrative updates
level: high

tags:
    - attack.initial_access
    - attack.t1190
    - cve.2024.1708
    - ransomware.qilin

---

title: SmarterMail Unrestricted File Upload Exploitation Attempt
id: b7d3e4f1-2a6c-4d8b-9e0f-1a2b3c4d5e6f
description: Detects suspicious file upload patterns or authentication bypass indicators associated with SmarterMail CVE-2025-52691 exploited by Qilin affiliates.
status: experimental
date: 2026/05/21
author: Security Arsenal Research
logsource:
    product: web server
detection:
    selection_uri:
        cs-uri-query|contains: 
            - 'aspx/\.asmx'
            - 'Services/Mail.asmx'
    selection_method:
        cs-method: 'POST'
    selection_ext:
        cs-uri-query|contains: 
            - '.dll'
            - '.aspx'
            - '.ashx'
    condition: all of selection_*
falsepositives:
    - Legitimate SmarterMail API usage
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2025.52691
    - ransomware.qilin

---

title: Qilin Ransomware Process Execution Patterns
description: Detects suspicious process execution patterns consistent with Qilin ransomware activity, including disabling of security services and shadow copy deletion.
status: experimental
date: 2026/05/21
author: Security Arsenal Research
logsource:
    category: process_creation
detection:
    selection_vss:
        CommandLine|contains: 'delete shadows /all /quiet'
    selection_backup:
        Image|endswith: 
            - '\\wbadmin.exe'
            - '\\veeam.exe'
        CommandLine|contains: 'delete'
    selection_qilin_crypto:
        Image|endswith: '.exe'
        CommandLine|contains: '-m crypto' # Observed in some Qilin variants
    condition: 1 of selection_*
falsepositives:
    - Legitimate system administration
level: critical
tags:
    - attack.impact
    - attack.t1486
    - ransomware.qilin

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and staging indicative of Qilin pre-encryption
DeviceProcessEvents  
| where Timestamp >= ago(7d)  
// Look for common tools used by Qilin for lateral movement
| where FileName in~ (\"psexec.exe\", \"psexec64.exe\", \"wmic.exe\", \"powershell.exe\", \"cmd.exe\") 
// Filter for suspicious command line arguments
| where ProcessCommandLine has_any (\"-i\", \"-s\", \"-accepteula\", \"process call\", \"create\", \"Invoke-Expression\", \"IEX\") 
// Correlate with network connections to non-standard ports
| join kind=inner (DeviceNetworkEvents  
    | where Timestamp >= ago(7d)  
    | where RemotePort in (445, 135, 139, 3389, 5985, 5986)  
    | summarize Count=count() by DeviceId, RemoteIP, RemotePort  
    | where Count > 10) on DeviceId  
| project Timestamp, DeviceName, FileName, ProcessCommandLine, RemoteIP, RemotePort, InitiatingProcessFileName

PowerShell Hardening Script

PowerShell
# Qilin Response Hardening: Audit Scheduled Tasks and Web Shells
# Run as Administrator

Write-Host \"[+] Initiating Qilin Hardening Audit...\" -ForegroundColor Cyan

# 1. Check for recently modified Scheduled Tasks (common for persistence)
Write-Host \"[*] Checking for Scheduled Tasks modified in the last 7 days...\" -ForegroundColor Yellow
$dateThreshold = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object { $_.Date -gt $dateThreshold } | Select-Object TaskName, Date, Author, Actions | Format-Table -AutoSize

# 2. Scan for suspicious ASPX/ASHX files in web roots (SmarterMail/ScreenConnect webshell indicators)
Write-Host \"[*] Scanning common web directories for recently created web shells (ASPX/ASHX)...\" -ForegroundColor Yellow
$webPaths = @(
    \"C:\\inetpub\\wwwroot\",
    \"C:\\Program Files\\ConnectWise\\ScreenConnect\",
    \"C:\\Program Files (x86)\\SmarterTools\\SmarterMail\"
)

foreach ($path in $webPaths) {
    if (Test-Path $path) {
        Write-Host \"Scanning $path...\" -ForegroundColor Gray
        Get-ChildItem -Path $path -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $dateThreshold -and $_.Length -lt 50kb } |
        Select-Object FullName, LastWriteTime, Length
    }
}

Write-Host \"[+] Audit Complete.\" -ForegroundColor Green


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption):

  1. Remote Access Logs: Immediately review ConnectWise ScreenConnect logs for the "Login" event with suspicious UserAgents or empty UserAgents (indicator of CVE-2024-1708 exploitation).
  2. Web Server Logs: Check IIS/SmarterMail logs for POST requests to Services/Mail.asmx or abnormal asp.net requests leading to 200 OK statuses.
  3. Volume Shadow Copies: Monitor for rapid deletion of VSS copies using vssadmin or wmic.

Critical Assets for Exfil: Based on the current Construction and Agriculture victims, Qilin targets:

  • CAD/Project Files: AutoCAD drawings, blueprints, and project specifications.
  • HR & Payroll: Employee SSNs and banking details.
  • Client Databases: CRM systems containing PII of end-customers.

Containment Actions (Ordered by Urgency):

  1. Isolate: Disconnect internet access from all ScreenConnect and VPN jump servers immediately.
  2. Suspend: Suspend service accounts associated with SmarterMail and Exchange until patches are verified.
  3. Credential Reset: Force reset of all local administrator and domain admin credentials (assume they are cached or stolen).

Hardening Recommendations

Immediate (24 Hours):

  • Patch CVE-2024-1708: Apply the ConnectWise ScreenConnect patch immediately or restrict access to the management interface via VPN/IP allow-listing.
  • Patch SmarterMail: Update SmarterMail to the latest secure version to address CVE-2025-52691 and CVE-2026-23760.
  • MFA Enforcement: Ensure all remote access (VPN, RDP, ScreenConnect) is protected by FIDO2 or hardware token MFA.

Short-term (2 Weeks):

  • Network Segmentation: Move management interfaces (ScreenConnect, RDP) to a dedicated management VLAN that is inaccessible from the general corporate network.
  • EDR Tuning: Update EDR rules to specifically flag processes spawned from ScreenConnect.Service or SmarterMail.Service binaries that are not the standard application executables.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwareconstruction-sectorcve-2024-1708smartermailthreat-intel

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action