Back to Intelligence

QILIN Ransomware: 15 New Victims Posted — Legal & Consumer Services Targeted via ScreenConnect & Firewall Exploits

SA
Security Arsenal Team
June 14, 2026
6 min read

Aliases: Agenda (previously used in rebranding efforts), Qilin.Breeder

Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate program where core developers maintain the encryption payload (written in Go, cross-platform capable for Windows and Linux ESXi) while affiliates handle initial access and lateral movement.

Ransom Demands: Typically ranges from $200,000 to multi-million dollars, generally calculated as a percentage of the victim's annual revenue or based on the sensitivity of exfiltrated data.

Initial Access Vectors: Qilin affiliates are opportunistic but sophisticated, frequently exploiting:

  • Public-Facing Vulnerabilities: Unpatched VPN appliances (Check Point, Fortinet) and Remote Management Tools (ConnectWise ScreenConnect).
  • Phishing: Spear-phishing with malicious attachments or links leading to credential harvesting.
  • Valid Credentials: Purchased access logs (Initial Access Brokers) to bypass perimeter defenses via RDP or VPN.

Tactics: Double extortion is standard. The group steals data before encryption and threatens leaks on their .onion site. They are known for aggressive pressure tactics, contacting victims' clients and partners if negotiations stall.

Dwell Time: Average dwell time is estimated between 3 to 7 days, though some affiliates have been known to maintain persistence for weeks to maximize data exfiltration.

Current Campaign Analysis

Sector Targeting: Based on the last 15 postings (2026-06-10 to 2026-06-12), Qilin is aggressively targeting Business Services (specifically legal firms) and Consumer Services.

  • Business Services (53%): Heavy concentration in legal partnerships (e.g., Miller & Zois, Bekman Marder Hopper Malarkey & Perlin). These firms hold sensitive PII and high-value case data, increasing the likelihood of ransom payment.
  • Consumer Services (27%): Retailers and jewelry chains (Maui Divers Jewelry).
  • Other: Technology (Bitek System), Healthcare (dbHMS), and Manufacturing.

Geographic Concentration: The campaign is overwhelmingly US-centric. 10 out of 15 victims (66%) are US-based. International victims include Spain (ES), Korea (KR), Mexico (MX), and Germany (DE).

Posting Frequency & Escalation: A significant "bulk upload" event occurred on 2026-06-10, where 10 victims were published simultaneously. This pattern often indicates either a mass-exploitation of a specific vulnerability or a deliberate "catch-up" on leak site operations by the gang.

CVE Correlation: The victim profile—specifically legal and business services firms—strongly correlates with the exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-50751 (Check Point Security Gateway). These sectors rely heavily on RMM tools for IT support and VPNs for remote access, making them prime targets for these specific initial access vectors.

Detection Engineering

Sigma Rules

YAML
title: Potential ConnectWise ScreenConnect Authentication Bypass
id: 4b8c7c9a-1f2d-4e5b-8a7d-9c0b1e2f3a4b
description: Detects potential exploitation of CVE-2024-1708 involving suspicious path traversal or authentication bypass attempts in ScreenConnect logs.
status: experimental
date: 2026/06/14
author: Security Arsenal Research
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: web
definition:
    condition: selection
fields:
    - client_ip
    - url
    - http_method
falsepositives:
    - Misconfigured security scanners
level: critical
tags:
    - cve.2024.1708
    - initial.access
    - ransomware.qilin
selection:
    cs-host|contains: 'ScreenConnect'
    url|contains:
        - '/Bin/../'
        - '%2e%2e%2f'
        - 'WebService.asmx'
---
title: Check Point VPN IKEv1 Anomalous Login Activity
description: Detects potential exploitation of CVE-2026-50751 involving IKEv1 key exchange anomalies or improper authentication attempts on Check Point Security Gateways.
id: a5b8c9d0-2e3f-4a5b-9c0d-1e2f3a4b5c6d
status: experimental
date: 2026/06/14
author: Security Arsenal Research
logsource:
    product: firewall
    service: checkpoint
definition:
    condition: selection
fields:
    - src_ip
    - dst_ip
    - product
level: high
tags:
    - cve.2026.50751
    - vpn
    - authentication.bypass
selection:
    product: 'VPN'
    ike_version: 'v1'
    action|contains:
        - 'decrypt'
        - 'key_exchange'
    failure_reason|exists: true
---
title: Suspicious PowerShell EncodedCommand with Base64 Strings
description: Detects PowerShell execution with heavily encoded commands, often used by Qilin affiliates for obfuscation during lateral movement and payload execution.
id: f1e2d3c4-5a6b-7c8d-9e0f-1a2b3c4d5e6f
status: experimental
date: 2026/06/14
author: Security Arsenal Research
logsource:
    product: windows
    service: security
definition:
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: medium
tags:
    - execution
    - powershell
    - obfuscation
    - qilin
selection:
    EventID: 4688
    NewProcessName|endswith: '\powershell.exe'
    CommandLine|contains: ' -e '
    CommandLine|contains: ' -enc '

KQL (Microsoft Sentinel)

Hunt for lateral movement patterns indicative of Qilin (PsExec/WMI usage) combined with the credential access often seen prior to encryption.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has any("PsExec", "psexec64", "wmic", "powershell.exe -enc")
| where InitiatingProcessFileName in ("cmd.exe", "powershell.exe", "rundll32.exe")
| summarize count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, AccountName, ProcessCommandLine, FolderPath
| where count_ < 50 // Filter out noise from high-volume legitimate automation
| sort by LastSeen desc

PowerShell Response Script

Rapid response script to enumerate scheduled tasks (persistence) and check for unexpected Volume Shadow Copy deletions (a common Qilin tactic to prevent recovery).

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Persistence & VSS Check
.DESCRIPTION
    Checks for recently created scheduled tasks (last 24h) and Volume Shadow Copy service status.
#>

Write-Host "[!] Checking for Scheduled Tasks created in the last 24 hours..." -ForegroundColor Yellow

$dateThreshold = (Get-Date).AddDays(-1)
Get-ScheduledTask | Where-Object {
    $_.Date -gt $dateThreshold -and 
    $_.TaskPath -notlike '\Microsoft\'
} | Select-Object TaskName, TaskPath, Date, Author, Actions | Format-Table -AutoSize

Write-Host "[!] Checking Volume Shadow Copy Service Status..." -ForegroundColor Yellow

$vssService = Get-Service -Name VSS -ErrorAction SilentlyContinue
if ($vssService) {
    if ($vssService.Status -ne 'Running') {
        Write-Host "[CRITICAL] VSS Service is not running: $($vssService.Status)" -ForegroundColor Red
    } else {
        Write-Host "[OK] VSS Service is running." -ForegroundColor Green
    }
    
    Write-Host "[!] Checking for recent Shadow Copy deletions in Event Log..."
    $vssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=12343; StartTime=$dateThreshold} -ErrorAction SilentlyContinue
    if ($vssEvents) {
        Write-Host "[WARNING] Found Shadow Copy Deletion Events:" -ForegroundColor Red
        $vssEvents | Select-Object TimeCreated, Message | Format-Table
    } else {
        Write-Host "[OK] No Shadow Copy deletion events found in the last 24h." -ForegroundColor Green
    }
} else {
    Write-Host "[ERROR] Could not find VSS Service." -ForegroundColor Red
}


---

Incident Response Priorities

T-Minus Detection Checklist:

  1. RMM Logs: Review ConnectWise ScreenConnect logs for the dates 2026-06-08 to 2026-06-14 for suspicious path traversal or session hijacks (CVE-2024-1708).
  2. VPN Logs: Correlate Check Point firewall logs for successful IKEv1 connections originating from anomalous geolocations (CVE-2026-50751).
  3. Lateral Movement: Hunt for PsExec.exe or wmic.exe spawning from unexpected parent processes (e.g., web server processes or Office apps).

Critical Assets (Exfiltration Targets):

  • Legal case files and client databases (highest priority for Business Services victims).
  • Customer PII and credit card data (Consumer Services).
  • Intellectual property and source code (Technology victims).

Containment Actions (Urgency Order):

  1. Disconnect VPN/RMM: If compromise is suspected, immediately disable external access to VPNs and quarantine RMM servers.
  2. Isolate Legal/Finance Segments: Qilin targets these specifically; network segmentation is critical to stop spread.
  3. Reset Service Account Credentials: Force password resets for accounts used by ConnectWise ScreenConnect and VPN services.

Hardening Recommendations

Immediate (24h):

  • Patch Critical CVEs: Apply patches for CVE-2024-1708 (ScreenConnect) and CVE-2026-50751 (Check Point) immediately. If patching is delayed, implement mitigation (disable ScreenConnect web interface if unused, restrict IKEv1 on Check Point).
  • MFA Enforcement: Ensure Multi-Factor Authentication is enforced on all VPN and RMM access points without exception.

Short-term (2 weeks):

  • RMM Access Control: Restrict RMM tools to specific source IP ranges via firewall policies. Move RMM interfaces behind a Zero Trust Network Access (ZTNA) gateway.
  • Audit External Attack Surface: Conduct a scan for exposed RDP, VPN, and management interfaces on the public internet and close those not strictly necessary.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarelegal-sectorcve-2024-1708screenconnectinitial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action