Threat Actor Profile — QILIN
Aliases: Agenda, Qilin.
Operation Model: Ransomware-as-a-Service (RaaS). Qilin operates on an aggressive affiliate model, utilizing a Rust-based payload optimized for cross-platform capability and encryption speed.
Typical Ransom Demands: Variable, generally ranging from $300,000 to upwards of $5 million, strictly correlated with victim revenue and the sensitivity of exfiltrated data.
Initial Access Methods:
- External Remote Services: Heavy reliance on exploiting vulnerabilities in VPNs and remote management tools (e.g., ConnectWise ScreenConnect).
- Phishing: Spear-phishing campaigns targeting specific sectors to deploy loaders.
- Valid Accounts: Brute-forcing RDP and exposed services.
Tactics: Double extortion. Qilin exfiltrates large volumes of data prior to encryption and threatens release on their Tor leak site. They are known to use custom exfiltration tools and frequently manipulate or delete Volume Shadow Copies to prevent recovery.
Average Dwell Time: 4–12 days. Recent campaign data suggests a compression of the timeline, with affiliates moving from initial access to encryption in under a week.
Current Campaign Analysis
Sector Targeting: Analysis of the 15 recent victims posted 2026-05-27 to 2026-05-28 reveals a distinct targeting of critical services:
- Healthcare (27%): Mindpath College Health, Providence Medical Group, Dillon Family Medicine.
- Manufacturing (20%): Sinomax USA, Carton Craft Supply, LA Woodworks.
- Business Services (20%): Gallun Snow Associates, Kennedy, McLaughlin & Associates, Mainstreet Organization of REALTORS.
- Education: Alamo Heights School District.
- Other: Technology, Agriculture, Consumer Services.
Geographic Concentration: The campaign is predominantly US-focused (66% of victims), with significant secondary activity in Australia (AU), Denmark (DK), Saudi Arabia (SA), Hungary (HU), and Latin America (LA). This suggests English-speaking affiliates and automated vulnerability scanning across western IP ranges.
Victim Profile: The victim list spans from SMBs (e.g., local woodworks, family medicine) to larger entities (e.g., Sinomax USA, school districts). This indicates a "shotgun" approach where affiliates exploit internet-facing vulnerabilities indiscriminately rather than purely manual targeting.
Observed Frequency: High volume of postings (15 victims in 48 hours) indicates multiple active affiliates or a highly automated operation within the Qilin RaaS network.
CVE Connections: The overlap of sectors with the CISA Known Exploited Vulnerabilities (KEV) catalog suggests specific vectors:
- CVE-2024-1708 (ConnectWise ScreenConnect): A primary driver for the Business Services and Technology victims, given the ubiquity of ScreenConnect in these environments.
- CVE-2025-52691 (SmarterTools SmarterMail): Likely initial access vector for the healthcare and education victims utilizing on-premise mail servers.
- CVE-2026-48027 (Nx Console): Newly added to KEV (2026-05-27); Qilin affiliates are fast adopters, suggesting this may be the entry point for the manufacturing victim "HumanEdge" or similar tech-focused entities.
Detection Engineering
Sigma Rules
---
title: Potential Qilin Initial Access - ScreenConnect Authentication Anomaly
id: a1b2c3d4-5e6f-4a7b-8c9d-0e1f2a3b4c5d
description: Detects suspicious authentication patterns on ConnectWise ScreenConnect associated with CVE-2024-1708 exploitation.
status: experimental
date: 2026/05/31
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10    # RemoteInteractive (RDP / remote control sessions)
        WorkstationName|contains: 'ScreenConnect'
    filter_machine_accounts:
        # In 4624 the account that actually logged on is TargetUserName;
        # SubjectUserName is the caller (usually SYSTEM) and would not exclude computer accounts.
        TargetUserName|endswith: '$'
    condition: selection and not filter_machine_accounts
falsepositives:
    - Legitimate administrator remote access
level: high
---
title: Suspicious PowerShell Activity - Qilin Loader Pattern
date: 2026/05/31
author: Security Arsenal Research
status: experimental
description: Detects obfuscated PowerShell command lines often used by Qilin payloads to download next-stage binaries.
references:
    - https://attack.mitre.org/techniques/T1059/001/
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-enc '
            - 'FromBase64String'
            - 'IEX'
    selection_long_cmdline:
        # Sigma conditions cannot call length(); express the 800-character
        # threshold as a regular expression on the command line instead.
        CommandLine|re: '.{800,}'
    condition: selection and selection_long_cmdline
falsepositives:
    - Legitimate admin scripts using encoding
level: high
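To show what the two Sigma rules above match and what their filters exclude, here is an added example (not part of the original profile) that applies the same logic to constructed Windows events. The machine-account filter is applied to the 4624 TargetUserName field, the account that actually logged on; Sigma's `contains`/`endswith` are case-insensitive, so the matching lower-cases the fields.

```python
# Added example: evaluate the two Qilin Sigma rules against constructed events.
import base64

# Constructed sample events; field names follow the Sigma/Windows schema used above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"EventID": 4624, "LogonType": 10, "WorkstationName": "SCREENCONNECT-RELAY",
     "TargetUserName": "jdoe"},                      # remote-interactive logon via ScreenConnect
    {"EventID": 4624, "LogonType": 10, "WorkstationName": "ScreenConnect-01",
     "TargetUserName": "WS01$"},                     # computer account: excluded by the filter
    {"EventID": 4624, "LogonType": 3, "WorkstationName": "ScreenConnect-01",
     "TargetUserName": "jdoe"},                      # network logon, not type 10
    {"Image": PS, "CommandLine": "powershell.exe -enc "
     + base64.b64encode(b"A" * 900).decode()},      # 1200-char encoded blob: above threshold
    {"Image": PS, "CommandLine": "powershell.exe -enc SQBFAFgA"},   # short: below threshold
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c IEX"},  # wrong image
]

def screenconnect_logon_anomaly(ev: dict) -> bool:
    """Rule 1: 4624, LogonType 10, workstation name mentions ScreenConnect,
    excluding computer accounts (logon names ending in '$')."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
        return False
    if "screenconnect" not in str(ev.get("WorkstationName", "")).lower():
        return False
    return not str(ev.get("TargetUserName", "")).endswith("$")

def qilin_loader_pattern(ev: dict) -> bool:
    """Rule 2: powershell.exe with an encoding/IEX marker and a command line
    of at least 800 characters (the length test the Sigma regex expresses)."""
    image = str(ev.get("Image", "")).lower()
    cmd = str(ev.get("CommandLine", ""))
    if not image.endswith("\\powershell.exe"):
        return False
    markers = ("-enc ", "frombase64string", "iex")
    return any(m in cmd.lower() for m in markers) and len(cmd) >= 800

def run_rules(events):
    """Return, per rule, the indices of the events it matched."""
    return {
        "screenconnect_auth_anomaly": [i for i, e in enumerate(events) if screenconnect_logon_anomaly(e)],
        "qilin_loader_pattern": [i for i, e in enumerate(events) if qilin_loader_pattern(e)],
    }

if __name__ == "__main__":
    for rule, hits in run_rules(EVENTS).items():
        print(f"{rule}: matched events {hits}")
```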
KQL (Microsoft Sentinel)
// Hunt for lateral movement and staging associated with Qilin
// Focuses on bursts of PsExec, WMI and remote command execution from a single account.
// Note: DeviceProcessEvents carries no transfer size; correlate with DeviceFileEvents
// or network logs for the "large file move" part of the hunt.
DeviceProcessEvents
| where Timestamp > ago(3d)
| where FileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe", "cmd.exe")
| where CommandLine has @"net use" or CommandLine has @"copy"
    or CommandLine has @"move" or CommandLine has "Invoke-Command"
| where InitiatingProcessFileName !in~ ("explorer.exe", "services.exe")
| summarize count(), make_set(FileName), arg_min(Timestamp, *) by DeviceName, InitiatingProcessAccountName
| where count_ > 3
PowerShell Rapid Response
# Qilin Ransomware Rapid Triage Script
# Checks for Shadow Copy deletion, Scheduled Task persistence, and failed-logon bursts.
# Run from an elevated PowerShell session on the suspect host.
Write-Host "[+] Initiating Qilin Triage Checks..." -ForegroundColor Cyan

# 1. Check for Shadow Copy Manipulation (Qilin deletes VSS snapshots before encryption)
$vssState = vssadmin list shadows 2>&1
if ($vssState -match "No shadow copies present") {
    Write-Host "[!] CRITICAL: No Volume Shadow Copies found. Possible deletion by ransomware." -ForegroundColor Red
} else {
    $shadowCount = ($vssState | Select-String "Shadow Copy Volume").Count
    Write-Host "[+] Found $shadowCount Volume Shadow Copies." -ForegroundColor Green
}

# 2. Audit Scheduled Tasks for Persistence (created in the last 24 hours).
#    Date is a string on ScheduledTask objects and is often empty, so skip empty
#    values and cast before comparing with a DateTime.
$cutoff = (Get-Date).AddHours(-24)
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.Date -and ([datetime]$_.Date) -gt $cutoff
}
if ($suspiciousTasks) {
    Write-Host "[!] WARNING: Scheduled tasks created/modified in last 24h:" -ForegroundColor Yellow
    $suspiciousTasks | Select-Object TaskName, Author, Date | Format-Table
} else {
    Write-Host "[+] No suspicious recent scheduled tasks detected." -ForegroundColor Green
}

# 3. Check for brute-force signs (Security Event ID 4625, last 12 hours).
#    Properties[5] is TargetUserName; Properties[10] is LogonType
#    (10 = RDP, 3 = network, which is what RDP with NLA produces).
try {
    $failedLogons = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=(Get-Date).AddHours(-12)} -ErrorAction Stop
    $targetUsers = $failedLogons | Select-Object -Unique @{N='Target';E={$_.Properties[5].Value}}
    Write-Host "[!] ALERT: $($failedLogons.Count) failed logon attempts detected targeting $($targetUsers.Count) unique users." -ForegroundColor Red
    $failedLogons | Group-Object {$_.Properties[10].Value} | Select-Object @{N='LogonType';E={$_.Name}}, Count | Format-Table
} catch {
    # Get-WinEvent throws when no matching events exist (or the log is unreadable).
    Write-Host "[+] No failed logon events found in the last 12 hours ($($_.Exception.Message))." -ForegroundColor Green
}
---
Incident Response Priorities
T-minus Detection Checklist:
- Network Traffic: Analyze firewall logs for connections to known C2 infrastructure or large egress data transfers to non-business IP addresses.
- Vulnerability Scan: Immediately scan for and patch CVE-2024-1708 (ScreenConnect) and CVE-2025-52691 (SmarterMail).
- Privileged Accounts: Audit logs for unusual "Pass-the-Hash" or Golden Ticket attacks (Event ID 4769/4770).
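The "large egress data transfers to non-business IP addresses" item is the one that catches double extortion before encryption starts. As an added example (not from the original checklist), the following sliding-window aggregation over constructed firewall flow records flags internal hosts whose outbound volume to non-allow-listed destinations exceeds a threshold within a short window; the allow-list, threshold, window and all addresses are assumptions.

```python
# Added example: flag bulk egress to non-business destinations from flow records.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allow-list of destinations expected to receive large uploads (e.g. backup provider).
BUSINESS_DESTINATIONS = {ipaddress.ip_network("203.0.113.0/24")}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
EGRESS_THRESHOLD_BYTES = 5 * 1024**3    # 5 GiB per host per window (assumed)
WINDOW = timedelta(hours=6)

# Constructed firewall flow records: (timestamp, src, dst, bytes_out)
FLOWS = [
    ("2026-05-28T01:10:00", "10.1.4.22", "198.51.100.77", 2 * 1024**3),
    ("2026-05-28T02:05:00", "10.1.4.22", "198.51.100.77", 2 * 1024**3),
    ("2026-05-28T03:40:00", "10.1.4.22", "198.51.100.77", 2 * 1024**3),   # 6 GiB in 2.5 h
    ("2026-05-28T01:00:00", "10.1.7.9",  "203.0.113.10",  20 * 1024**3),  # allow-listed target
    ("2026-05-28T09:00:00", "10.1.9.3",  "192.0.2.5",     3 * 1024**3),
    ("2026-05-28T20:00:00", "10.1.9.3",  "192.0.2.5",     3 * 1024**3),   # 6 GiB but 11 h apart
]

def is_business_destination(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BUSINESS_DESTINATIONS)

def flag_bulk_egress(flows, threshold=EGRESS_THRESHOLD_BYTES, window=WINDOW):
    """Return {src_host: peak_bytes} for hosts whose non-business egress inside
    any sliding window of length `window` exceeds `threshold`."""
    per_host = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if ipaddress.ip_address(src) in INTERNAL and not is_business_destination(dst):
            per_host[src].append((datetime.fromisoformat(ts), nbytes))
    flagged = {}
    for host, records in per_host.items():
        records.sort()
        start, total = 0, 0
        for t_end, nbytes in records:
            total += nbytes
            while t_end - records[start][0] > window:   # drop records that fell out of the window
                total -= records[start][1]
                start += 1
            if total > threshold:
                flagged[host] = max(flagged.get(host, 0), total)
    return flagged

if __name__ == "__main__":
    for host, volume in flag_bulk_egress(FLOWS).items():
        print(f"[!] {host}: {volume / 1024**3:.1f} GiB to non-business destinations within {WINDOW}")
```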
Critical Assets for Exfiltration:
- Healthcare: EMR databases, patient billing info, HIPAA-sensitive documents.
- Manufacturing: CAD files, intellectual property, supply chain logistics data.
Containment Actions:
- Segment: Isolate affected VLANs immediately, especially the segments serving the departments identified as compromised.
- Disable Accounts: Suspend service accounts associated with backup software and RDP immediately.
- Preserve: Snapshot memory of domain controllers and critical servers if feasible for forensic analysis of the Qilin payload.
Hardening Recommendations
Immediate (24h):
- Patch Critical Vulnerabilities: Apply patches for CVE-2024-1708 immediately. If patching is delayed, disable ScreenConnect web interfaces or restrict access to trusted IPs via firewall.
- MFA Enforcement: Ensure multi-factor authentication is enforced on all remote access solutions (VPN, RMM, RDP).
- Account Hygiene: Reset passwords for all local administrator accounts on endpoints.
Short-term (2 weeks):
- Network Segmentation: Implement strict micro-segmentation to prevent lateral movement from user workstations to server segments.
- Endpoint Detection: Deploy EDR policies specifically targeting obfuscated PowerShell execution and unsigned binaries.
- Backup Recovery: Test restoration from offline backups to ensure integrity and speed of recovery for critical healthcare and manufacturing systems.