
QILIN Ransomware: Surge in Healthcare & Energy Targeting — 15 New Victims Confirmed

Security Arsenal Team
June 6, 2026

Date: 2026-06-06
Analyst: Security Arsenal Intel Unit
Source: Ransomware.live / Direct Leak Site Observation


1. Threat Actor Profile — QILIN

  • AKA: Agenda (historically associated), Qilin.Browser
  • Model: RaaS (Ransomware-as-a-Service). Aggressive affiliate marketing on dark web forums.
  • Ransom Demands: Variable, typically $400,000 to $2 million USD. Heavy reliance on double extortion tactics; leaking data within 48-72 hours if negotiation stalls.
  • Initial Access: Heavily utilizes valid credentials (phished), exploitation of public-facing VPN appliances, and—critically in this campaign—exploitation of remote management software (ScreenConnect) and unpatched Exchange servers.
  • Dwell Time: Short. Qilin affiliates typically move laterally and exfiltrate data within 3-5 days of initial access before detonating the Rust-based encryptor.

2. Current Campaign Analysis

Campaign Overview

Between June 2 and June 5, 2026, the Qilin leak site published 15 new victims, indicating a high-velocity campaign. The operation is opportunistic but shows a clear bias toward sectors holding sensitive PII (Healthcare) and operational data (Energy/Construction).

Sector Targeting

  • Healthcare (20%): High-impact targeting of Dental (Central Florida Cosmetic & Family Dentistry), Medical Supplies (Nova Medical Products), and Clinical facilities (Clinica Maitenes).
  • Energy (13%): Strategic hits on Trican (CA) and MEISA - Sines (PT).
  • Professional Services & Construction: Significant targeting of Engineering (Pro-MEC, JNP ENG) and Construction (Ontario Home Builders).

Geographic Spread

  • North America (40%): US (4) and Canada (2) remain primary targets.
  • Europe (40%): Distributed attacks in Germany, Austria, Portugal, and Slovenia.
  • Outliers: Single incidents in Brazil, South Korea, and Chile suggest a global affiliate network.

Initial Access Vector Correlation

Intelligence suggests the recent victimology correlates strongly with the CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2023-21529 (Microsoft Exchange) vulnerabilities.

  • Evidence: Victims in "Business Services" (Pro-MEC, INTERSPA) and "Healthcare" often rely on managed IT providers utilizing ScreenConnect for remote access, providing a lateral movement springboard.

3. Detection Engineering

SIGMA Rules

YAML
---
title: Potential ScreenConnect Path Traversal Exploit CVE-2024-1708
id: 9a5a8b1c-2d3e-4f5a-6b7c-8d9e0f1a2b3c
description: Detects potential exploitation of ConnectWise ScreenConnect path traversal vulnerability via web request anomalies
status: experimental
date: 2026/06/06
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    # A YAML mapping cannot carry two 'c-uri|contains' keys (the second silently
    # overwrites the first), so the two lists live in separate selections and
    # the condition requires both: a ScreenConnect path AND a traversal sequence.
    selection_path:
        c-uri|contains:
            - '/App_Extensions'
            - '/Services'
    selection_traversal:
        c-uri|contains:
            - '../'
            - '..%2F'
            - '..\\'
    condition: selection_path and selection_traversal
falsepositives:
    - Unknown
level: critical
---
title: Microsoft Exchange Server Deserialization exploitation attempt
id: b6c7d8e9-0f1a-2b3c-4d5e-6f7a8b9c0d1e
description: Detects suspicious deserialization activity often associated with CVE-2023-21529 on Exchange Servers
status: experimental
date: 2026/06/06
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        # 5140 = network share accessed, 5145 = network share object checked;
        # a Sigma field matches any value in a list, which replaces the invalid "5140 or 5145".
        EventID:
            - 5140
            - 5145
        ShareName|contains: 'Exchange'
        RelativeTargetName|contains: '..'
    condition: selection
falsepositives:
    - Legitimate administrative access
level: high
---
title: Suspicious PowerShell EncodedCommand Length
id: c7d8e9f0-1a2b-3c4d-5e6f-7a8b9c0d1e2f
description: Detects long encoded commands in PowerShell, common in ransomware staging and obfuscation
status: experimental
date: 2026/06/06
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    # Event 4688 only carries CommandLine when "Include command line in process
    # creation events" is enabled via audit policy.
    selection:
        EventID: 4688
        NewProcessName|endswith: '\\powershell.exe'
        CommandLine|contains: ' -EncodedCommand '
    # This is a second positive condition, not an exclusion, so it is not named
    # "filter". The Sigma regex modifier is 're' (not 'rexp'); Base64 padding may
    # be empty, '=' or '==', so the match must not insist on '=='.
    selection_long_payload:
        CommandLine|re: '\s-EncodedCommand\s+[A-Za-z0-9+/]{1000,}={0,2}$'
    condition: selection and selection_long_payload
falsepositives:
    - System management scripts
    - Abbreviated switches (-enc, -e) are not covered by this rule
level: medium

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and data staging associated with Qilin
// Look for Rclone usage or massive SMB transfers
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("rclone.exe", "powershell.exe", "cmd.exe", "robocopy.exe")
| where ProcessCommandLine contains "config"
   or ProcessCommandLine contains "sync"
   or ProcessCommandLine contains "copy"
// Bucket by hour: summarizing on the raw Timestamp yields one row per event,
// so the count threshold below would never trigger.
| summarize Executions = count(), Commands = make_set(ProcessCommandLine, 20)
    by DeviceName, FileName, Hour = bin(Timestamp, 1h)
| where Executions > 5

Rapid Response Hardening Script (PowerShell)

PowerShell
#Requires -RunAsAdministrator
# Qilin Response Check: Identify Suspicious Scheduled Tasks and Shadow Copy Deletion
# Requires Administrative Privileges

Write-Host "[+] Checking for recently created Scheduled Tasks (Last 7 Days)..." -ForegroundColor Cyan
$CutoffDate = (Get-Date).AddDays(-7)
# The Date property on a scheduled task is a string (and may be empty), so it has
# to be cast to [datetime] before it can be compared against the cutoff.
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt $CutoffDate } |
    Select-Object TaskName, TaskPath, Date, Author

Write-Host "[+] Auditing Volume Shadow Copies for deletion events..." -ForegroundColor Cyan
# Check event log 514 (Shadow Copy Service) for deletion attempts
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=514} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

Write-Host "[+] Checking for suspicious ScreenConnect sessions..." -ForegroundColor Cyan
# Check for specific ScreenConnect web log paths or processes
Get-Process |
    Where-Object { $_.ProcessName -like "*ScreenConnect*" -or $_.ProcessName -like "*ConnectWise*" } |
    Select-Object ProcessName, Id, Path

Write-Host "[+] Review complete. If anomalies found, isolate host immediately." -ForegroundColor Yellow


---

4. Incident Response Priorities

Based on Qilin's "hit-and-run" MO, IR teams must operate with extreme speed.

  1. T-Minus Detection Checklist:
    • Network: Look for large outbound egress traffic (> 500 MB) to non-whitelisted IPs (data exfiltration).
    • Endpoint: Hunt for PsExec or WMI execution chains originating from non-admin accounts.
    • Identity: Audit for impossible-travel logins and new Service Principal creations.
  2. Critical Asset Protection:
    • Qilin specifically targets PACS/Imaging servers in Healthcare and CAD/Project files in Construction/Engineering.
    • Immediately verify backup integrity for these file shares.
  3. Containment Actions:
    • Tier 1 (Immediate): Disable all internet-facing RDP/VPN accounts not actively in use. Force-reset credentials for accounts used on ScreenConnect or Exchange.
    • Tier 2 (Urgent): Isolate identified compromised subnets. Power down VDI infrastructure if used as a jump box.

5. Hardening Recommendations

Immediate (24 Hours)

  • Patch Management: Apply patches for CVE-2024-1708 (ScreenConnect) and CVE-2023-21529 (Exchange) immediately. Qilin affiliates are actively scanning for these.
  • Access Control: Enforce MFA on all remote access tools. If using conditional access, block legacy authentication protocols.

Short-term (2 Weeks)

  • Network Segmentation: Ensure IoT and OT environments (especially in Energy/Construction victims) are on separate VLANs with strict firewall rules.
  • EDR Coverage: Ensure full EDR visibility on all Exchange servers and Remote Access gateways (often neglected).
