Executive Summary
Threat Level: CRITICAL
Campaign Status: ACTIVE
Last Observed Activity: 2026-06-30
QILIN ransomware operators have significantly escalated their operations, posting 15 new victims between June 24 and June 30, 2026. This campaign displays a distinct preference for the Manufacturing and Business Services sectors, with a heavy geographic focus on Germany, the US, and the UK. Intelligence confirms the active exploitation of recently disclosed vulnerabilities in Check Point Security Gateways (CVE-2026-50751) and ConnectWise ScreenConnect (CVE-2024-1708) as primary initial access vectors.
Threat Actor Profile — QILIN
- Aliases: Agenda (the name under which the encryptor family was first tracked before the group rebranded as Qilin).
- Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate program, allowing various access brokers to utilize their Rust-based encryptor.
- Ransom Demands: Typically ranges from $500,000 to $5 million USD, negotiable based on victim revenue and encrypted data volume.
- Tactics:
- Initial Access: heavily reliant on exploiting internet-facing infrastructure (VPN appliances, remote management tools like ScreenConnect) and valid credentials obtained via phishing.
- Double Extortion: Aggressive exfiltration of sensitive data (PII, IP, financials) prior to encryption. The threat of publishing the stolen data on the group's leak site is used to pressure victims into paying even where backups allow recovery.
- Dwell Time: Average 3–7 days. Qilin affiliates move quickly, often establishing persistence and exfiltrating data within 48 hours of initial access.
Current Campaign Analysis
Sector Targeting
Analysis of the 15 recent victims reveals a shift toward industrial and professional services:
- Manufacturing (26%): Chamco, Kunert Fashion, Metal Sur Famin.
- Business Services (20%): Hemmersbach, KALIACT ANCHETA, ISOPLUS.
- Education & Ag/Food: Notable hits include Musashino University (JP) and Lam Soon (TH).
Geographic Concentration
The campaign is global in reach but concentrated on Western economies:
- Americas: US (4 victims), CA (1 victim), AR (1 victim)
- Europe: DE (2), GB (2), FR (1), CZ (1), GR (1)
- Asia-Pacific: JP (1), TH (1)
Victim Profile
- Size: Mid-to-large enterprise.
- Revenue: Estimated $50M - $1B+ USD range (e.g., Transcore, Gsma).
- Posting Frequency: High burst activity. 11 of the 15 victims were posted within a 48-hour window (June 29-30), suggesting a coordinated affiliate effort or a "leak site dump" to pressure non-paying victims.
Exploited Vulnerabilities
We have confirmed technical links between the recent victim infrastructure and the exploitation of:
- CVE-2026-50751 (Check Point Security Gateway): Affected victims show logs of unauthorized IKEv1 key exchange attempts preceding the breach.
- CVE-2024-1708 (ConnectWise ScreenConnect): Historical correlation remains high; victims in the Business Services sector frequently utilize this RMM tool. CVE-2024-1708 is the path traversal flaw, which in practice is chained with the CVE-2024-1709 authentication bypass to obtain an administrative account and remote code execution on the server, so both patches must be in place.
- CVE-2023-21529 (Microsoft Exchange): Used for credential harvesting and internal persistence.
Detection Engineering
Sigma Rules
title: Potential Qilin Initial Access via Check Point IKEv1 Anomaly
id: 3e8b1d2c-5f6a-4a8b-9c1d-2e3f4a5b6c7d
description: Detects exploitation attempts of CVE-2026-50751 involving improper authentication in IKEv1 key exchanges on Check Point Security Gateways. Field names (action, protocol, status, src_ip) assume a normalised Check Point log schema; map them to your connector's fields before deploying.
status: experimental
date: 2026-07-01
author: Security Arsenal Research
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
  product: checkpoint
  category: firewall
detection:
  selection:
    action|contains: 'key_exchange'
    protocol|contains: 'ikev1'
    # Sigma has no "or" inside a value; a list is an implicit OR
    status:
      - 'failure'
      - 'accept'
  # Exclude all RFC 1918 space with the cidr modifier; a startswith filter on
  # '10.' and '192.168.' misses 172.16.0.0/12 entirely
  filter_internal:
    src_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_internal
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.50751
  - ransomware.qilin
---
title: Suspicious Lateral Movement via PsExec and WMI
id: 4f9c2e3d-6a7b-4b9c-8d2e-3f4a5b6c7d8e
description: Detects typical Qilin lateral movement patterns - the PsExec service binary or named pipe arriving over the admin shares, or a shell spawned by the WMI provider host on the remote host - often a precursor to encryption. Requires Detailed File Share auditing (5145) and process creation auditing with command line (4688).
status: experimental
date: 2026-07-01
author: Security Arsenal Research
logsource:
  product: windows
  service: security
detection:
  selection_psexec:
    EventID: 5145
    # PSEXESVC.exe is copied via ADMIN$; the control pipe is opened via IPC$
    ShareName|contains:
      - 'IPC$'
      - 'ADMIN$'
    RelativeTargetName|contains: 'PSEXESVC'
  selection_wmi:
    EventID: 4688
    # WmiPrvSE.exe starting under svchost.exe is normal on every host; the
    # remote-execution signal is what WmiPrvSE.exe itself spawns
    ParentProcessName|endswith: '\wbem\WmiPrvSE.exe'
    NewProcessName|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\rundll32.exe'
      - '\mshta.exe'
  condition: 1 of selection*
level: high
tags:
  - attack.lateral_movement
  - attack.t1021.002
  - attack.t1047
  - ransomware.qilin
---
title: Large Scale Data Staging Prior to Encryption
name: qilin_archive_share_access
description: Detects archive files (.zip/.rar/.7z) being touched over a network share, as done by Qilin affiliates when staging data for exfiltration. Uses EventID 5145 (Detailed File Share), which carries RelativeTargetName; 5140 (share connect) does not.
status: experimental
date: 2026-07-01
author: Security Arsenal Research
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5145
    RelativeTargetName|endswith:
      - '.zip'
      - '.rar'
      - '.7z'
  condition: selection
level: low
---
title: Burst of Archive Access on File Shares (Qilin Staging)
description: Fires when one account touches more than 10 archive files on shares within 5 minutes. Sigma correlation syntax replaces the legacy "count() > 10" aggregation, which current backends no longer accept.
status: experimental
date: 2026-07-01
author: Security Arsenal Research
correlation:
  type: event_count
  rules:
    - qilin_archive_share_access
  group-by:
    - SubjectUserName
  timespan: 5m
  condition:
    gt: 10
level: medium
tags:
  - attack.exfiltration
  - attack.t1560
  - ransomware.qilin
KQL (Microsoft Sentinel)
// Hunt for Qilin lateral movement and staging indicators (Defender for Endpoint tables in Sentinel)
let Timeframe = 1h;
// Shells launched by the PsExec service binary (target side), psexec.exe (source side)
// or the WMI provider host, carrying an encoded or PowerShell payload
let LateralExec = DeviceProcessEvents
| where Timestamp > ago(Timeframe)
| where InitiatingProcessFileName in~ ("psexesvc.exe", "psexec.exe", "wmiprvse.exe")
| where ProcessCommandLine contains "-enc" or ProcessCommandLine contains "powershell"
| project ProcTime = Timestamp, DeviceId, AccountName, InitiatingProcessFileName, ProcessCommandLine;
// Outbound connections from the same device to non-RFC1918 destinations shortly after that launch;
// an unbounded join on DeviceId alone would pair every process with every connection in the hour
DeviceNetworkEvents
| where Timestamp > ago(Timeframe)
| where RemotePort in (80, 443, 445)
| where not(ipv4_is_private(RemoteIP))
| join kind=inner LateralExec on DeviceId
| where Timestamp between (ProcTime .. (ProcTime + 10m))
| project ProcTime, Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
PowerShell Response Script
<#
.SYNOPSIS
Qilin Ransomware Rapid Response Triage Script
.DESCRIPTION
Checks for common Qilin post-exploitation artifacts: recently registered scheduled
tasks, active interactive sessions and missing Volume Shadow Copies.
Read-only: it reports findings and does not change the host.
Run elevated; vssadmin and the full task list require administrator rights.
#>
#Requires -RunAsAdministrator
Write-Host "[+] Starting Qilin Ransomware Response Check..."

# 1. Scheduled tasks registered in the last 7 days by a non-Microsoft author.
#    The Date property is a string; cast it, or PowerShell silently does a string comparison.
$cutoff = (Get-Date).AddDays(-7)
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.Date -and ([datetime]$_.Date) -gt $cutoff -and
    $_.Author -notmatch "^Microsoft"
}
if ($suspiciousTasks) {
    Write-Host "[!] WARNING: Unusual Scheduled Tasks found:" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, TaskPath, Author, Date | Format-Table -AutoSize
} else {
    Write-Host "[+] No suspicious scheduled tasks found in last 7 days." -ForegroundColor Green
}

# 2. Active sessions (console and RDP); review any account that should not be logged on.
$activeSessions = query user 2>$null | Where-Object { $_ -match "Active" }
Write-Host "[*] Current Active sessions:"
if ($activeSessions) { $activeSessions } else { Write-Host "None." }

# 3. Volume Shadow Copies (Qilin deletes these before encryption).
#    vssadmin reports an empty set as "No items found that satisfy the query."
$vss = vssadmin list shadows 2>&1 | Out-String
if ($vss -match "No items found that satisfy the query") {
    Write-Host "[!] CRITICAL: No Volume Shadow Copies found. Possible deletion event." -ForegroundColor Red
} else {
    Write-Host "[+] Volume Shadow Copies present." -ForegroundColor Green
}
Write-Host "[+] Check complete."
Incident Response Priorities
T-minus Detection Checklist (Pre-Encryption)
- Check Point Logs: Search for IKEv1 key-exchange failures from unusual geo-locations and from any source outside your own address space (CVE-2026-50751).
- ScreenConnect Logs: Audit the ScreenConnect web access logs for path traversal attempts (CVE-2024-1708); unexpected changes to Web.config or files written outside the extension directories are a red flag.
- Process Anomalies: Hunt for powershell.exe spawned by mshta.exe or rundll32.exe.
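The Sigma rules in the Detection Engineering section and the process-anomaly item in the checklist above can be exercised offline before they go into a SIEM. The following is an added example written for this page, not code from the advisory or from the Qilin research: each rule is restated as a plain Python predicate and run over a handful of constructed Windows Security (4688 / 5145) and Check Point records. Field names follow the Sigma rules, every sample event is made up, and the threshold and window for the staging check are the ones the rules use; it also shows why the source-IP exclusion should be done on network objects rather than string prefixes.

```python
"""Offline check of the Qilin detection logic against constructed events.

Added example; not code from the original advisory. Field names follow the
Sigma rules above and every sample event below is constructed by hand.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Parents that should not normally spawn an interactive shell on a server.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe", "mshta.exe", "rundll32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")
# RFC 1918 only; ipaddress.is_private would also hide the TEST-NET documentation ranges.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_psexec_share_access(ev):
    """Rule 2, selection_psexec: PSEXESVC binary/pipe over ADMIN$ or IPC$ (5145)."""
    return (ev.get("EventID") == 5145
            and any(s in ev.get("ShareName", "") for s in ("IPC$", "ADMIN$"))
            and "psexesvc" in ev.get("RelativeTargetName", "").lower())


def is_remote_exec_child(ev):
    """Rule 2, selection_wmi, plus the checklist item: a shell whose parent is
    WmiPrvSE/PSEXESVC (remote execution) or mshta/rundll32 (LOLBin) (4688)."""
    if ev.get("EventID") != 4688:
        return False
    return (_basename(ev.get("ParentProcessName", "")) in REMOTE_EXEC_PARENTS
            and _basename(ev.get("NewProcessName", "")) in SHELLS)


def is_ikev1_anomaly(ev):
    """Rule 1: IKEv1 key-exchange failure/accept from outside RFC 1918 space.
    Network-object matching catches 172.16/12 and IPv6, which a
    startswith('10.', '192.168.') filter lets through."""
    try:
        src = ip_address(ev.get("src_ip", ""))
    except ValueError:
        return False  # unparseable source: leave it to a separate data-quality alert
    return (ev.get("protocol", "").lower() == "ikev1"
            and "key_exchange" in ev.get("action", "")
            and ev.get("status") in ("failure", "accept")
            and not any(src in net for net in RFC1918))


def archive_staging_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Rule 3: more than `threshold` archive files touched on shares by one
    account inside any sliding `window`. Returns the offending accounts."""
    per_user = defaultdict(list)
    for ev in events:
        if (ev.get("EventID") == 5145
                and ev.get("RelativeTargetName", "").lower().endswith(ARCHIVE_EXT)):
            per_user[ev["SubjectUserName"]].append(ev["ts"])
    hits = set()
    for user, stamps in per_user.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:  # slide the left edge forward
                lo += 1
            if hi - lo + 1 > threshold:
                hits.add(user)
                break
    return hits


T0 = datetime(2026, 6, 29, 2, 14, 0)
# Constructed Windows Security events from one victim host (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "PSEXESVC.exe",
     "SubjectUserName": "svc_backup", "ts": T0},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "ts": T0 + timedelta(seconds=20)},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\mshta.exe", "ts": T0 + timedelta(seconds=40)},
    # Benign: the WMI provider host itself starting under svchost; must NOT match.
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe", "ts": T0},
] + [
    {"EventID": 5145, "ShareName": r"\\*\FileShare", "RelativeTargetName": rf"hr\payroll_{i}.7z",
     "SubjectUserName": "svc_backup", "ts": T0 + timedelta(seconds=15 * i)}
    for i in range(12)  # 12 archives in 165 s: exceeds 10 within 5 min
]
# Constructed Check Point records; 172.20.4.9 is internal but starts with neither '10.' nor '192.168.'.
CHECKPOINT_EVENTS = [
    {"action": "key_exchange", "protocol": "IKEv1", "status": "failure", "src_ip": "203.0.113.45"},
    {"action": "key_exchange", "protocol": "IKEv1", "status": "failure", "src_ip": "172.20.4.9"},
    {"action": "key_exchange", "protocol": "IKEv2", "status": "accept", "src_ip": "198.51.100.7"},
]


def run_all():
    """Evaluate every check; returns a dict a caller (or test) can assert on."""
    return {
        "psexec_share_hits": sum(is_psexec_share_access(e) for e in SAMPLE_EVENTS),
        "remote_exec_children": sum(is_remote_exec_child(e) for e in SAMPLE_EVENTS),
        "staging_bursts": archive_staging_bursts(SAMPLE_EVENTS),
        "ikev1_anomalies": [e["src_ip"] for e in CHECKPOINT_EVENTS if is_ikev1_anomaly(e)],
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

On the constructed input, the PsExec check fires once, two shells are flagged (the cmd.exe under WmiPrvSE.exe and the powershell.exe under mshta.exe, while the benign WmiPrvSE start under svchost is ignored), svc_backup trips the staging burst, and only the 203.0.113.45 IKEv1 failure survives the internal-range filter. Swap SAMPLE_EVENTS for records exported from your own SIEM to validate field mappings before deploying the Sigma rules.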
Critical Assets for Exfiltration
Qilin affiliates prioritize:
- Active Directory Databases (NTDS.dit)
- HR & Financial Records (Payroll, Tax docs)
- Customer PII Databases (CRM backups)
- Intellectual Property (CAD designs, Source code)
Containment Actions (Urgency: High)
- Segmentation: Isolate affected VLANs from the core network immediately.
- Credential Reset: Force reset of Domain Admin credentials and service accounts for Check Point/ScreenConnect.
- Disable RDP: Turn off RDP on all non-admin endpoints and enforce VPN MFA.
Hardening Recommendations
Immediate (24 Hours)
- Patch CVE-2026-50751: Apply the Check Point hotfix immediately. Block IKEv1 if not required for legacy VPNs.
- Patch CVE-2024-1708: Update ScreenConnect to the latest patched version.
- MFA Enforcement: Ensure all remote access (VPN, RDP, SaaS) enforces MFA with number matching.
Short-Term (2 Weeks)
- Network Segmentation: Implement strict East-West traffic controls. Limit management protocols (RDP, WinRM, SSH) to jump hosts only.
- EDR Tuning: Update EDR policies to flag unsigned executables running from user-writable locations such as %LOCALAPPDATA%\Temp (that is, %USERPROFILE%\AppData\Local\Temp; %APPDATA% resolves to the Roaming profile, not Local).
- Backup Offline Verification: Validate that recent backups are immutable and successfully recoverable.