Back to Intelligence

QILIN Ransomware: Surge in Manufacturing & Healthcare Targeting via Critical CVE Exploits

SA
Security Arsenal Team
May 18, 2026
6 min read

QILIN (also known as Agenda) operates as a Ransomware-as-a-Service (RaaS) model, aggressively recruiting affiliates with high profit-sharing incentives. The group is notorious for utilizing custom-written ransomware written in Rust and Go, allowing for cross-platform encryption capabilities (Windows and Linux).

Tactics & Procedures:

  • Initial Access: Heavily relies on exploiting external-facing vulnerabilities, particularly remote monitoring tools (ConnectWise ScreenConnect) and email servers (Microsoft Exchange, SmarterMail). They also utilize valid credentials obtained via infostealers or brute force on exposed RDP/VPN services.
  • Double Extortion: Consistently exfiltrates sensitive data prior to encryption. They threaten to publish data if the ransom is not paid and operate a sophisticated .onion leak site to pressure victims.
  • Dwell Time: Recent observations indicate a short dwell time (often 3–5 days) between initial access and detonation, especially when leveraging known exploits like CVE-2024-1708.
  • Ransom Demands: typically range from $300,000 to several million USD, depending on victim revenue.

Current Campaign Analysis

Sector Targeting: The latest wave of postings (15 victims) shows a distinct pivot towards Manufacturing (20%), Agriculture/Food Production (20%), and Healthcare (20%). This suggests Qilin affiliates are targeting critical supply chain and time-sensitive sectors where operational downtime pressures victims into paying.

Geographic Spread: The campaign is highly global, bypassing traditional geo-blocking. Victims span North America (US, CA), Europe (GB, ES), South America (CL, AR), and Asia-Pacific (MY, AU).

Victim Profile: Victims range from mid-sized enterprises (e.g., local museums, specialized manufacturing plants like Monir Precision Monitoring) to larger logistics entities (Menzies Group). The inclusion of public sector bodies (Majlis Perbandaran Alor Gajah) indicates a lack of political restraint.

CVE Correlation: The active exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2023-21529 (Microsoft Exchange) is strongly correlated with this surge. These vulnerabilities provide immediate remote code execution, serving as the primary entry point for the recent Manufacturing and Healthcare victims.

Detection Engineering

The following detection logic targets the specific TTPs observed in Qilin's recent campaigns, focusing on the exploitation of remote access tools and lateral movement.

YAML
---
title: Potential ConnectWise ScreenConnect Path Traversal Exploitation
id: 9e70f604-4a5d-4d83-9c7a-1234567890ab
description: Detects potential exploitation of CVE-2024-1708 against ConnectWise ScreenConnect via suspicious URI patterns
status: experimental
date: 2026/05/18
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/App_Extensions'
            - '/Setup/'
    filter:
        cs-method|contains: 'POST'
    condition: selection and filter
falsepositives:
    - Legitimate administrative access
level: critical
---
title: SmarterMail Unrestricted File Upload Exploitation
id: b1f2c3d4-e5f6-4a5b-8c9d-0123456789ab
description: Detects suspicious file upload attempts on SmarterMail servers indicative of CVE-2025-52691 exploitation
status: experimental
date: 2026/05/18
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5140
        ShareName|contains: 'Mails'
        RelativeTargetName|contains:
            - '.aspx'
            - '.ashx'
    condition: selection
falsepositives:
    - Rare administrative file management
level: high
---
title: Suspicious PowerShell Encoded Command Execution via RDP
id: c2d3e4f5-a6b7-4c8d-9e0f-234567890abc
description: Detects base64 encoded PowerShell commands executed shortly after an RDP session, common in Qilin manual
date: 2026/05/18
status: experimental
author: Security Arsenal Research
logsource:
    product: windows
    service: security
detection:
    selection_rdp:
        EventID: 4624
        LogonType: 10
    selection_powershell:
        EventID: 4688
        NewProcessName|endswith: '\powershell.exe'
        CommandLine|contains: ' -enc ' or CommandLine|contains: ' -EncodedCommand '
    timeframe: 1m
    condition: selection_rdp | followed by selection_powershell
falsepositives:
    - Administrative scripts run via RDP
level: high


kql
// KQL Hunt for Lateral Movement and Staging
// Hunt for large file transfers to non-standard shares and SMB execution
let TimeFrame = 1h;
SecurityEvent
| where TimeGenerated > ago(TimeFrame)
| where EventID in (5140, 5145) // File Share Access
| where SubjectUserName != "*$" // Filter out computer accounts mostly
| where RelativeTargetName !contains ".tmp" 
| where FileLength > 10485760 // Greater than 10MB
| project TimeGenerated, Computer, SubjectUserName, ShareName, RelativeTargetName, FileLength, SourceIpAddress
| join kind=inner (
    SecurityEvent 
    | where EventID == 4624 and LogonType == 3 or LogonType == 10
    | project TimeGenerated, TargetUserName, IpAddress
) on $left.SourceIpAddress == $right.IpAddress, $left.TimeGenerated between ($right.TimeGenerated-5m .. $right.TimeGenerated+5m)
| distinct TimeGenerated, Computer, SubjectUserName, ShareName, RelativeTargetName, IpAddress


powershell
# Qilin Response Script: Check for Persistence and Shadow Copy Deletion
# Run with elevated privileges

Write-Host "Checking for Qilin Indicators of Persistence..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in last 24 hours (Common Qilin persistence)
$schTasks = Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-1)}
if ($schTasks) {
    Write-Host "[ALERT] Suspicious Scheduled Tasks found created in last 24h:" -ForegroundColor Red
    $schTasks | Select-Object TaskName, Author, Date, Action
} else {
    Write-Host "[OK] No recent scheduled tasks found." -ForegroundColor Green
}

# 2. Check for Volume Shadow Copy Depletion attempts (Vssadmin)
$events = Get-WinEvent -LogName Application -FilterXPath "*[System[(EventID=123)]]" -ErrorAction SilentlyContinue
if ($events) {
    $recentVssErrors = $events | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-2)}
    if ($recentVssErrors) {
        Write-Host "[ALERT] Recent VSS Admin errors (Shadow Copy deletion attempts) detected." -ForegroundColor Red
    }
}

# 3. Check for unusual processes named common Qilin ransomware names
$suspiciousProcs = @("encryptor", "locker", "qilin", "agenda")
$procs = Get-Process | Where-Object {$suspiciousProcs -like $_.ProcessName}
if ($procs) {
    Write-Host "[CRITICAL] Suspicious encryption process running:" -ForegroundColor Red
    $procs | Select-Object ProcessName, Id, Path
}

Incident Response Priorities

T-minus Detection Checklist (Pre-Encryption):

  1. Proxy/VPN Logs: Hunt for successful logins to ScreenConnect/ConnectWise from anomalous IPs (check for CVE-2024-1708 exploitation).
  2. Exchange IIS Logs: Review POST requests to /owa/ or /ecp/ containing serialized data (CVE-2023-21529).
  3. PowerShell Logs: Alert on FromBase64String usage in combination with Invoke-WebRequest or Invoke-RestMethod.

Critical Assets for Exfiltration: Qilin historically targets:

  • Employee Databases: PII, SSNs, Medical records (for Healthcare victims).
  • Intellectual Property: CAD drawings, proprietary formulas (Manufacturing).
  • Financials: Banking details, audit reports, upcoming M&A data.

Containment Actions:

  1. Isolate: Immediately disconnect victims showing signs of ScreenConnect or Exchange exploitation from the network.
  2. Disable: Suspend external access to VPN/RDP and ScreenConnect instances immediately; require MFA for re-enablement.
  3. Credential Reset: Force reset of all privileged admin accounts, specifically those used for Exchange/ScreenConnect administration.

Hardening Recommendations

Immediate (24 Hours):

  • Patch ConnectWise ScreenConnect: Ensure all instances are patched against CVE-2024-1708.
  • Patch Microsoft Exchange: Apply security updates for CVE-2023-21529.
  • Block Public Access: If not strictly necessary, block internet access to ScreenConnect and Exchange management ports at the firewall edge.

Short-term (2 Weeks):

  • Network Segmentation: Isolate critical backup servers and Domain Controllers from general user VLANs to prevent lateral movement.
  • Implement MFA Enforcement: Enforce FIDO2 or hardware token MFA for all remote access solutions (VPN, RDP, SaaS management consoles).
  • Geo-Blocking: Restrict inbound RDP and management console traffic to known corporate IP ranges or countries where operations exist.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwareconnectwise-screenconnectcve-2024-1708manufacturinghealthcare

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action