Aliases: None confirmed (emergent 2026 threat).
Operational Model: AILOCK operates as a Ransomware-as-a-Service (RaaS) entity with a sophisticated affiliate network. Unlike traditional closed groups, they appear to recruit skilled penetration testers capable of leveraging enterprise-grade exploits (CVE-2026-50751, CVE-2026-20131).
Ransom Demands: Historical data suggests demands range from $2M to $8M USD, strictly calculated based on victim revenue and the sensitivity of exfiltrated data.
Initial Access (IA): The group favors external remote services over phishing. Recent intelligence indicates a heavy reliance on exploiting VPN and Firewall management vulnerabilities (Check Point, Cisco FMC) to establish persistent footholds without triggering user-centric alerts.
Double Extortion: AILOCK aggressively employs double extortion. They exfiltrate sensitive blueprints (Construction), logistical manifests (Transportation), and client databases before encrypting systems. Leak site negotiations are aggressive, with data published within 5-7 days if contact is not established.
Dwell Time: Short dwell time (approx. 3-5 days) observed in recent campaigns, suggesting automated tooling for discovery and encryption is deployed immediately after access is secured.
Current Campaign Analysis
Sector Targeting:
- Construction (50%): 2 out of 4 victims (Ferrovial, WBF Construction).
- Transportation & Logistics (25%): 1 victim (Nihon Kotsu).
- Business Services (25%): 1 victim (Solid Advance).
Geographic Focus:
- Japan (JP): 50% of recent victims. The group is specifically penetrating the Japanese market, likely due to perceived lower maturity in edge device patching management in mid-sized enterprises.
- Spain (ES): 25% of recent victims.
- Unknown: 25%.
Victim Profile: Targets are large-cap enterprises. Victims like Ferrovial (multi-national infrastructure) and Nihon Kotsu (major taxi fleet operator) suggest AILOCK affiliates can bypass substantial security budgets. The targeting of "Business Services" (Solid Advance) indicates supply chain chaining attempts to reach larger downstream targets.
CVE Correlation:
- CVE-2026-50751 (Check Point): Highly likely the vector for the Japanese targets, given Check Point's market share in APAC and the specific nature of the improper authentication vulnerability allowing unauthenticated gateway access.
- CVE-2026-20131 (Cisco FMC): Suspected vector for European victims, exploiting deserialization in firewall management centers to pivot into internal networks.
Detection Engineering
Sigma Rules
title: Potential AILOCK Initial Access Check Point Gateway IKEv1 Anomaly
description: Detects potential exploitation of CVE-2026-50751 involving improper authentication in IKEv1 key exchange on Check Point Security Gateways.
author: Security Arsenal Research
status: experimental
date: 2026/07/15
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
product: firewall
definition: 'requiredFields: [app, action, src_ip, dst_ip, tunnel_type]'
detection:
selection:
app|contains: 'IKE'
tunnel_type: 'IKEv1'
action: 'accept'
filter_legit:
src_ip:
- '127.0.0.1'
- '10.0.0.0/8'
- '192.168.0.0/16'
- '172.16.0.0/12'
condition: selection and not filter_legit
falsepositives:
- Legitimate remote VPN users from unknown IPs
level: high
tags:
- attack.initial_access
- cve.2026.50751
- ailock
---
title: Suspicious ConnectWise ScreenConnect Path Traversal (CVE-2024-1708)
description: Detects potential exploitation of ConnectWise ScreenConnect authentication bypass and path traversal, often used by AILOCK for RMM access.
author: Security Arsenal Research
status: experimental
date: 2026/07/15
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
product: windows
service: security
definition: 'requiredFields: [EventID, ProcessName, SubjectUserName]'
detection:
selection:
EventID: 4656
ObjectType: 'File'
FileName|contains:
- 'Setup.ashx'
- 'Event.ashx'
- 'Host.ashx'
ProcessName|contains: 'ScreenConnect'
AccessMask: '0x10080' # ReadControl, GenericRead
condition: selection
falsepositives:
- Legitimate administrative use of ScreenConnect web interface
level: critical
tags:
- attack.initial_access
- cve.2024.1708
- ailock
---
title: AILOCK Ransomware Preparation - VSS Shadow Copy Deletion
description: Detects commands used to delete Volume Shadow Copies, a common step in AILOCK playbook to prevent recovery.
author: Security Arsenal Research
status: experimental
date: 2026/07/15
logsource:
category: process_creation
product: windows
detection:
selection_vssadmin:
Image|endswith: '\vssadmin.exe'
CommandLine|contains: 'delete shadows'
selection_wbadmin:
Image|endswith: '\wbadmin.exe'
CommandLine|contains: 'delete catalog'
condition: 1 of selection_
falsepositives:
- System administrator maintenance
level: high
tags:
- attack.impact
- ailock
KQL Hunt Query (Microsoft Sentinel)
// Hunt for AILOCK lateral movement and staging activities
let TimeFrame = 1h;
let SuspiciousProcesses = datatable(Process:string)['powershell.exe', 'cmd.exe', 'wmic.exe', 'psexec.exe', 'psexec64.exe', 'rclone.exe', 'winscp.exe', 'filezilla.exe'];
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (SuspiciousProcesses)
// Detecting base64 encoded commands often used in AILOCK scripts
| where ProcessCommandLine has "-enc" or ProcessCommandLine has "FromBase64String"
// Detecting lateral movement indicators
| or ( InitiatingProcessAccountName != "System" and ProcessCommandLine has "\\\\")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName, FolderPath
| order by Timestamp desc
PowerShell Response Script
<#
.SYNOPSIS
AILOCK Hardening and Investigation Script
.DESCRIPTION
Checks for indicators of AILOCK compromise and hardens against CVE-2026-50751 and CVE-2024-1708 vectors.
#>
Write-Host "[+] Starting AILOCK Hardening and Audit Check..." -ForegroundColor Cyan
# 1. Check for Scheduled Tasks created in last 7 days (Persistence)
Write-Host "[!] Checking for recently created Scheduled Tasks..." -ForegroundColor Yellow
$schTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($schTasks) {
Write-Host "[ALERT] Found recent scheduled tasks:" -ForegroundColor Red
$schTasks | Select-Object TaskName, Date, Author | Format-Table
} else {
Write-Host "[OK] No suspicious recent tasks found." -ForegroundColor Green
}
# 2. Audit Check Point / Cisco Vulnerability Exposure (Simulated Check)
Write-Host "[!] Checking for exposure to AILOCK CVEs (CVE-2026-50751, CVE-2026-20131)..." -ForegroundColor Yellow
# Note: In a real env, query vulnerability scanner API or CMDB. Here we check if services are running.
$cpProcess = Get-Process -Name "vpnd" -ErrorAction SilentlyContinue
$ciscoProcess = Get-Service -Name "sfmgr" -ErrorAction SilentlyContinue
if ($cpProcess) { Write-Host "[WARN] Check Point services running. Verify patch for CVE-2026-50751 immediately." -ForegroundColor Red }
if ($ciscoProcess) { Write-Host "[WARN] Cisco FMC services running. Verify patch for CVE-2026-20131 immediately." -ForegroundColor Red }
if (-not $cpProcess -and -not $ciscoProcess) { Write-Host "[OK] No high-risk edge services detected on this host." -ForegroundColor Green }
# 3. Check for RDP Exposure (Risky Configuration)
Write-Host "[!] Checking RDP Security Layer..." -ForegroundColor Yellow
$rdpSettings = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -ErrorAction SilentlyContinue
if ($rdpSettings.UserAuthentication -eq 0) {
Write-Host "[WARN] NLA is not enabled for RDP. Enable it immediately." -ForegroundColor Red
} else {
Write-Host "[OK] RDP NLA is enabled." -ForegroundColor Green
}
Write-Host "[+] Audit complete." -ForegroundColor Cyan
---
Incident Response Priorities
T-Minus Detection Checklist (Pre-Encryption):
- Edge Log Analysis: Immediately review Check Point and Cisco firewall logs for spikes in IKEv1 requests or FMC authentication failures.
- RMM Session Audit: Audit ConnectWise ScreenConnect logs for anonymous logins or sessions originating from unusual IP ranges (e.g., hosting providers not used by the org).
- Service Account Usage: Monitor for sudden use of dormant service accounts, particularly those with admin privileges on construction ERP systems.
Critical Assets for Exfiltration:
- Construction: CAD files (AutoCAD), blueprints, bid documents, project financials.
- Logistics: Route manifests, customer PII, fleet tracking data.
Containment Actions (Order by Urgency):
- Disconnect Edge Devices: If Check Point or Cisco FMC is suspected compromised, quarantine management interfaces from the internal network immediately to prevent lateral movement.
- Suspend RMM: Temporarily disable the ConnectWise ScreenConnect service until the vulnerability (CVE-2024-1708) is verified patched.
- Revoke Credentials: Force-reset credentials for all local admin accounts on victim subnets.
Hardening Recommendations
Immediate (24 Hours):
- Patch CVE-2026-50751: Apply the latest hotfix for Check Point Security Gateways. Disable IKEv1 if not strictly required.
- Patch CVE-2024-1708: Update ConnectWise ScreenConnect to the latest patched version immediately. Restrict access to /Setup paths via web firewall.
- Disable RDP: Ensure RDP is disabled from the internet and enforce Network Level Authentication (NLA) internally.
Short-Term (2 Weeks):
- Network Segmentation: Separate management planes for firewalls and VPN concentrators from the general user network.
- MFA Enforcement: Implement phishing-resistant MFA (FIDO2) for all VPN and remote management access.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.