Qilin (also known as Agenda) is a Ransomware-as-a-Service (RaaS) operation that has aggressively targeted corporate networks since 2022. Known for their Go-based ransomware variant, they employ a sophisticated double-extortion model, encrypting systems while exfiltrating sensitive data for leverage.
- Model: RaaS with an affiliate network focusing on high-volume encryption and rapid data theft.
- Ransom Demands: Typically range from $500,000 to several million USD, largely dictated by victim revenue and data sensitivity.
- Initial Access: Historically leverages valid credentials obtained via phishing, exploits against VPN appliances (Check Point, Fortinet), and remote management tools (ScreenConnect).
- Dwell Time: Qilin affiliates are operational security conscious, often maintaining persistence for 3–7 days before detonating encryption to maximize data exfiltration.
Current Campaign Analysis
Targeting Overview
In the last 48 hours (2026-06-10 to 2026-06-11), Qilin has posted 15 new victims, marking a significant spike in activity. The campaign shows a distinct pivot towards professional services and consumer retail.
- Sectors:
- Business Services (Law Firms): 4 victims (Miller & Zois, Bekman Marder, Dulany Leahy, Wright Constable).
- Consumer Services: 4 victims (Maui Divers Jewelry, Efficient Home, Teserra Outdoors, C.C. Creations).
- Other: Healthcare, Technology, Manufacturing.
- Geographic Concentration: Heavy focus on the United States (10 victims), with secondary activity in Germany, Mexico, and South Korea.
- CVE Correlation: This wave strongly correlates with the active exploitation of CVE-2024-1708 (ConnectWise ScreenConnect). The high number of Law and Business Services victims suggests affiliates are gaining initial access via compromised Managed Service Providers (MSPs) or direct exploitation of ScreenConnect instances used for remote IT management. Additionally, CVE-2026-50751 (Check Point Security Gateway) presents a likely perimeter bypass vector for the enterprise targets.
Victim Profile
The recent victims range from mid-market businesses ($50M - $500M revenue) to large specialty retailers and legal practices. The targeting of legal firms implies a strategic focus on acquiring Intellectual Property (IP) and Personally Identifiable Information (PII) to maximize extortion pressure.
Detection Engineering
SIGMA Rules
---
title: Potential ConnectWise ScreenConnect Path Traversal (CVE-2024-1708)
id: 5a234567-89ab-cdef-0123-456789abcdef
status: experimental
description: Detects potential exploitation of CVE-2024-1708 in ConnectWise ScreenConnect via suspicious URI patterns including path traversal or legacy App_Themes access.
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/06/11
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '../'
      - '..\'
      - 'App_Themes'
      - 'Bin'
  filter:
    c-ip|cidr:
      - '10.0.0.0/8'
      - '192.168.0.0/16'
      - '172.16.0.0/12'
  condition: selection and not filter
falsepositives:
  - Authorized internal penetration testing
level: critical
---
title: Suspicious PowerShell Encoded Command Execution
date: 2026/06/11
status: experimental
description: Detects PowerShell execution with encoded commands, a common technique used by Qilin affiliates for obfuscation and payload delivery.
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\powershell.exe'
  selection_cli:
    CommandLine|contains:
      - '-Enc'
      - '-EncodedCommand'
      - 'FromBase64String'
  condition: all of selection*
falsepositives:
  - Legitimate administrative scripts
level: high
---
title: Check Point IKEv1 Anomaly Detection (CVE-2026-50751)
id: bcd12345-6789-efab-0123-456789abcdef
status: experimental
description: Detects anomalies in Check Point Security Gateway logs indicative of CVE-2026-50751 exploitation attempts involving IKEv1 key exchange issues.
author: Security Arsenal
date: 2026/06/11
logsource:
  product: firewall
  service: check_point
detection:
  selection:
    product: 'VPN'
    service: 'ike'
    ike_phase: '1'
    reason|contains:
      - 'encryption_failure'
      - 'invalid_cookie'
      - 'no_proposal_chosen'
  condition: selection | count() by src_ip > 50
  timeframe: 5m
falsepositives:
  - Misconfigured VPN clients
  - Network instability
level: medium
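To check what the first and third rules above actually match before pushing them to a SIEM, here is a Python reimplementation of their logic. This is an added example, not code from the page or from Security Arsenal. It assumes an IIS W3C-style log line layout for the ScreenConnect rule (Sigma's webserver schema treats cs-uri-query as the whole request URI), Sigma's default case-insensitive `contains` semantics, and dict-shaped Check Point records carrying the rule's field names for the IKEv1 threshold; every log line and event in it is constructed.

```python
"""Reference implementation of the ScreenConnect and Check Point IKEv1 Sigma rules
above, for testing their logic against constructed samples.  Not the page's or
Sigma's own code; field names and sample data are assumptions / constructed."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Rule 1: ScreenConnect path traversal indicators (selection and not filter) ---
URI_PATTERNS = ["../", "..\\", "App_Themes", "Bin"]  # cs-uri-query|contains
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
IIS_LOG = """\
2026-06-11 08:01:02 203.0.113.10 GET /Host - 200
2026-06-11 08:01:05 203.0.113.10 GET /App_Themes/../Bin/ - 200
2026-06-11 08:02:10 10.20.30.40 GET /App_Themes/Default/Style.css - 200
2026-06-11 08:03:11 198.51.100.7 GET /Login - 302
"""


def parse_iis(line):
    date, time, c_ip, method, stem, query, status = line.split()
    # Sigma's webserver schema uses cs-uri-query for the whole request URI, so join stem and query
    uri = stem if query == "-" else f"{stem}?{query}"
    return {"ts": f"{date} {time}", "c-ip": c_ip, "cs-uri-query": uri, "sc-status": status}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rule_screenconnect(ev):
    # Sigma string matching is case-insensitive by default, which is why the 'Bin' pattern is noisy
    uri = ev["cs-uri-query"].lower()
    selection = any(p.lower() in uri for p in URI_PATTERNS)
    return selection and not is_internal(ev["c-ip"])


def screenconnect_hits(log_text):
    events = (parse_iis(l) for l in log_text.splitlines() if l.strip())
    return [ev for ev in events if rule_screenconnect(ev)]


# --- Rule 3: IKEv1 phase-1 failures, count() by src_ip > 50 within 5m ---
IKE_REASONS = ("encryption_failure", "invalid_cookie", "no_proposal_chosen")


def ike_selection(ev):
    return (ev.get("product") == "VPN" and ev.get("service") == "ike"
            and str(ev.get("ike_phase")) == "1"
            and any(r in ev.get("reason", "") for r in IKE_REASONS))


def ike_threshold_sources(events, threshold=50, window=timedelta(minutes=5)):
    """Sliding window per src_ip; returns the sources that exceeded the threshold."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if not ike_selection(ev):
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(ev["src_ip"])
    return flagged


def constructed_ike_events():
    """Constructed Check Point-style records (not real telemetry)."""
    base = datetime(2026, 6, 11, 9, 0, 0)

    def rec(seconds, src, phase, reason):
        return {"time": base + timedelta(seconds=seconds), "src_ip": src, "product": "VPN",
                "service": "ike", "ike_phase": phase, "reason": reason}

    events = [rec(4 * i, "203.0.113.50", 1, "no_proposal_chosen") for i in range(60)]   # 60 failures in 4 min
    events += [rec(60 * i, "198.51.100.9", 1, "encryption_failure") for i in range(60)]  # 1/min: never >50 in 5 min
    events += [rec(i, "192.0.2.8", 2, "invalid_cookie") for i in range(70)]              # phase 2: not selected
    return events


if __name__ == "__main__":
    for hit in screenconnect_hits(IIS_LOG):
        print("ScreenConnect rule:", hit)
    print("IKE threshold exceeded by:", ike_threshold_sources(constructed_ike_events()))
```

Running it reports the one external traversal hit (the internal App_Themes request is dropped by the CIDR filter) and the one source that produced more than 50 phase-1 failures inside a five-minute window; the slowly flapping client and the phase-2 failures never trip the threshold. Because Sigma substring matching is case-insensitive, the 'Bin' pattern also fires on any URI containing "bin" (for example "cabinet"), so narrowing it to a path segment such as '/Bin/' is worth considering before the rule goes live.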
KQL Hunt Query
// Hunt for lateral movement and suspicious process execution common in Qilin incidents
let TimeFrame = 2d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Look for RMM tools often abused (ConnectWise, ScreenConnect)
| where ProcessCommandLine has_any("ScreenConnect", "ConnectWise", "RemoteManager")
or (FileName =~ "powershell.exe" and ProcessCommandLine has_any("IEX", "DownloadString", "FromBase64String"))
// Filter out known safe paths if necessary, but high alert is recommended
| summarize Count = count(), StartTime = min(Timestamp), EndTime = max(Timestamp) by DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Count desc
Rapid Response Hardening Script
# Qilin Triage Script: Check for Persistence and Shadow Copy Deletion (read-only; run elevated on the suspected host)
Write-Host "[+] Checking for recently created Scheduled Tasks (Persistence)..."
$Since = (Get-Date).AddDays(-1)
# MSFT_ScheduledTask exposes Date as a string; cast it so the comparison is chronological rather than lexical
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt $Since } | Select-Object TaskName, TaskPath, Author, Date
Write-Host "[+] Checking for VSS Deletion (Pre-Encryption Activity)..."
# Security 4688 (process creation) carries the command line when command-line auditing is enabled
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'vssadmin(\.exe)?\s+delete\s+shadows|wmic.*shadowcopy\s+delete|wbadmin.*delete\s+catalog' } |
    Select-Object TimeCreated, Message
Write-Host "[+] Enumerating unusual network connections (Potential Exfil)..."
# Many established HTTP/HTTPS connections from one host to a single remote address is a crude exfiltration indicator
Get-NetTCPConnection -State Established | Where-Object { ($_.RemotePort -in 443, 80) -and $_.OwningProcess -ne 0 } |
    ForEach-Object { $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{ Process = $proc.ProcessName; PID = $_.OwningProcess; RemoteAddress = $_.RemoteAddress; RemotePort = $_.RemotePort } } |
    Group-Object RemoteAddress | Where-Object { $_.Count -gt 10 } | Select-Object Count, Name
Incident Response Priorities
T-Minus Detection Checklist
- Log Analysis: Immediate review of ConnectWise ScreenConnect logs for /App_Themes/ path traversal or ../ sequences (CVE-2024-1708).
- Perimeter: Check Point logs for IKEv1 failures or anomalies (CVE-2026-50751).
- Host: Hunt for powershell.exe spawning from svchost.exe or unexpected parent processes.
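For the host-hunting step above and the "Suspicious PowerShell Encoded Command Execution" Sigma rule, the following Python triage helper flags powershell.exe launched by svchost.exe (or any parent outside an expected set) and decodes -EncodedCommand and FromBase64String payloads so an analyst can read what actually ran. It is an added example, not code from the page or from Security Arsenal; the event field names follow the Sigma process_creation schema the rule uses, the expected-parent list is an assumption to be tuned per environment, and all sample events are constructed.

```python
"""Triage helper for powershell.exe process_creation events: parent-process check
plus decoding of encoded command lines.  Added example; not the page's or
Security Arsenal's code.  Field names follow the Sigma process_creation schema,
the expected-parent set is an assumption, and all sample events are constructed."""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...) plus the alias -ec
ENCODED_PARAM_PREFIXES = {"-" + "encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"-ec"}
FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
# Assumption: parents from which an analyst expects powershell.exe to be launched in this environment
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "powershell_ise.exe", "code.exe"}


def decode_encoded_command(command_line):
    """Return the -EncodedCommand payload (base64 of UTF-16LE, as PowerShell defines it), or None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_PARAM_PREFIXES:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def decode_inline_base64(command_line):
    """Decode FromBase64String('...') literals; payloads are usually UTF-8 or UTF-16LE text."""
    decoded = []
    for blob in FROM_B64.findall(command_line):
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue
        try:
            decoded.append(raw.decode("utf-8"))
        except UnicodeDecodeError:
            decoded.append(raw.decode("utf-16-le", errors="replace"))
    return decoded


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev):
    """Return (finding, detail) pairs for one process_creation event; an empty list means nothing to flag."""
    findings = []
    if basename(ev["Image"]) != "powershell.exe":
        return findings
    parent = basename(ev["ParentImage"])
    payload = decode_encoded_command(ev["CommandLine"])
    if payload is not None:
        findings.append(("encoded_command", payload))
    for text in decode_inline_base64(ev["CommandLine"]):
        findings.append(("inline_base64", text))
    if parent == "svchost.exe":
        findings.append(("parent", "spawned by svchost.exe"))
    elif parent not in EXPECTED_PARENTS:
        findings.append(("parent", f"unexpected parent {parent}"))
    return findings


def constructed_payload():
    # A harmless command encoded exactly the way PowerShell expects: UTF-16LE, then base64
    return base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [  # constructed, not from a real incident
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f"powershell.exe -nop -enc {constructed_payload()}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Content report.txt -Encoding UTF8"},  # '-Enc' substring, no payload
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["Image"]), "<-", basename(ev["ParentImage"]), triage_event(ev))
```

The second sample event is the false positive the Sigma rule's '-Enc' substring invites: "-Encoding UTF8" contains "-Enc", so the rule fires, but the helper recognises only genuine -EncodedCommand prefixes and decodes nothing, and the parent is expected, so the event triages clean. The first event yields both the decoded command and the svchost.exe parent finding, which is the combination the hunt bullet above is looking for.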
Critical Assets (Exfil Targets)
Qilin historically prioritizes:
- Legal contracts and client files (High priority for Law Firm victims).
- Customer PII and financial databases (Retail/E-commerce).
- R&D documentation and source code (Technology victims).
Containment Actions
- Isolate: Immediately disconnect suspected hosts from the network; do not power down to preserve memory artifacts.
- Block: Block outbound traffic to known Qilin C2 infrastructure (if available) and non-essential file-sharing sites (Mega, Dropbox) at the firewall.
- Revoke: Rotate credentials for all privileged accounts, specifically those used for remote access (VPN, RDP).
Hardening Recommendations
Immediate (24h)
- Patch CVE-2024-1708: Apply the latest security patches to all ConnectWise ScreenConnect instances immediately. If patching is delayed, enforce MFA and restrict access to known IP ranges.
- Patch CVE-2026-50751: Update Check Point Security Gateways to the latest version that addresses the IKEv1 authentication bypass.
- Audit RMM Tools: Revoke unnecessary admin rights for RMM software accounts and enforce strict IP allow-listing.
Short-term (2 weeks)
- Network Segmentation: Implement strict Zero Trust segmentation, separating high-value servers (Legal, Finance, HR) from general user networks and internet-facing systems.
- EDR Deployment: Ensure EDR coverage is 100% on all servers and workstations, specifically enabling behavioral detection for PowerShell and RDP.