Back to Intelligence

QILIN Ransomware: 15+ Victims in 48 Hours — Check Point & ConnectWise Exploitation Surge

SA
Security Arsenal Team
June 11, 2026
6 min read

Threat Actor Profile — QILIN

Aliases: Agenda, Qilin RaaS Model: Ransomware-as-a-Service (RaaS) Ransom Demands: Typically $500,000 to $5 million USD, depending on victim revenue. Initial Access: Heavily relies on exploiting external-facing vulnerabilities (VPN appliances, Remote Monitoring and Management (RMM) tools) and valid credentials obtained via phishing. Double Extortion: Aggressively employs double extortion tactics. They exfiltrate sensitive data (PFI, PHI, IP) before encrypting systems and threaten leakage if ransoms are not paid. Dwell Time: Average dwell time is short, ranging from 3 to 5 days. Qilin operators move quickly laterally once initial access is established, often bypassing EDR via custom Rust-based payloads.

Current Campaign Analysis

Sector Targeting: The current campaign shows a distinct pivot towards Consumer Services (4 victims: Maui Divers Jewelry, Efficient Home, Teserra Outdoors, C.C. Creations) and Business Services (5 victims: AltaVista Strategic Partners, Miller & Zois, Bekman Marder Hopper Malarkey & Perlin, Dulany Leahy Curtis & Brophy, Wright Constable & Skeen). Notably, Healthcare (dbHMS) and Technology (Bitek System) remain in the crosshairs.

Geographic Concentration: There is a heavy concentration of victims in the United States. Of the 15 recent victims listed, 11 are US-based organizations. Secondary targets include Germany (2), Mexico (1), South Korea (1), and Maryland (1 - treated as distinct region in data).

Victim Profile:

  • Revenue/Size: Victims appear to be mid-market enterprises, estimated between $20M and $500M in revenue. The mix of specialized legal firms (e.g., Miller & Zois), jewelry retailers, and HVAC manufacturers suggests Qilin is targeting organizations with sophisticated data but potentially fragmented security postures.
  • Posting Frequency: The gang is operating at high velocity. 15 victims were posted between 2026-06-10 and 2026-06-11, indicating a significant escalation in operational tempo.

CVE Correlation:

  • CVE-2026-50751 (Check Point Security Gateway): Added to CISA KEV on 2026-06-08. The spike in victims on 2026-06-10 and 2026-06-11 strongly suggests Qilin is actively exploiting this unpatched vulnerability for initial access.
  • CVE-2024-1708 (ConnectWise ScreenConnect): Remains a critical vector. Given the targeting of MSPs and IT service providers (Bitek System), exploitation of RMM tools is highly probable.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Check Point Security Gateway IKEv1 Exploitation
id: 9b1f8c8d-1e4f-4b9a-a0b2-3c5d6e7f8a9b
description: Detects potential exploitation of CVE-2026-50751 involving IKEv1 improper authentication or abnormal VPN session patterns.
status: experimental
date: 2026/06/11
author: Security Arsenal Research
logsource:
  product: firewall
definition:
  condition: selection
fields:
  - src_ip
  - dst_ip
  - user
falsepositives:
  - Legitimate misconfigured VPN clients
level: high
tags:
  - cve.2026.50751
  - attack.initial_access
  - qilin
selection:
  service|contains: 'vpn'
  protocol|contains: 'ikev1'
  action: 'accept'
  status: 'success'
filter:
  src_ip|startswith:
    - '10.'
    - '192.168.'
---
title: Suspicious ScreenConnect Path Traversal Activity
id: a2b3c4d5-e6f7-8a9b-0c1d-2e3f4a5b6c7d
description: Detects path traversal patterns associated with CVE-2024-1708 exploitation on ConnectWise ScreenConnect servers.
status: experimental
date: 2026/06/11
author: Security Arsenal Research
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-1708
logsource:
  category: web
definition:
  condition: selection
fields:
  - cs_uri_query
  - c_ip
falsepositives:
  - Scanning activity
level: critical
tags:
  - cve.2024.1708
  - attack.initial_access
  - attack.remote_service
  - qilin
selection:
  cs_uri_query|contains:
    - '..%2f'
    - '..\\'
    - '%2e%2e%2f'
  cs_uri_stem|contains: '/Guest.'
---
title: Qilin Ransomware High Volume File Transfer via Rclone
id: f1e2d3c4-b5a6-9780-1e2f-3a4b5c6d7e8f
description: Detects the use of rclone or winscp for high-volume data exfiltration, a common TTP for Qilin staging.
status: experimental
date: 2026/06/11
author: Security Arsenal Research
logsource:
  category: process_creation
definition:
  condition: selection and filter
fields:
  - ParentProcessName
  - CommandLine
falsepositives:
  - Legitimate backup operations
level: high
tags:
  - attack.exfiltration
  - attack.t1048
  - qilin
selection:
  Image|endswith:
    - '\rclone.exe'
    - '\winscp.exe'
    - '\scp.exe'
filter:
  ParentImage|contains:
    - '\Program Files\'
    - '\Backup\'

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and staging indicative of Qilin activity
// Looks for PSExec/WMI usage combined with high network volume
DeviceProcessEvents 
| where Timestamp > ago(7d) 
| where FileName in~ ('psexec.exe', 'psexec64.exe', 'wmic.exe') 
| project DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName 
| join ( 
    DeviceNetworkEvents 
    | where Timestamp > ago(7d) 
    | where RemotePort in (443, 80, 21, 22) 
    | summarize TotalBytesSent = sum(SentBytes) by DeviceName, bin(Timestamp, 1h) 
    | where TotalBytesSent > 50000000 // > 50MB in an hour 
) on DeviceName 
| distinct DeviceName, AccountName, TotalBytesSent

PowerShell Hardening Script

PowerShell
# Qilin Response Check: Identify recent Shadow Copy manipulation and suspicious tasks
Write-Host "[+] Checking for recent Shadow Copy deletion attempts..." -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | 
    Where-Object {$_.Message -match 'VSS'} | Select-Object TimeCreated, Message

Write-Host "[+] Enumerating Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | Select-Object TaskName, Date, Author, Action

Write-Host "[+] Checking for common Qilin persistence mechanisms..." -ForegroundColor Cyan
$regPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($path in $regPaths) {
    if (Test-Path $path) {
        Get-ItemProperty $path -ErrorAction SilentlyContinue | 
        Where-Object { $_.PSObject.Properties.Value -match 'powershell|cmd|wscript' -and $_.PSObject.Properties.Name -ne 'PSPath' -and $_.PSObject.Properties.Name -ne 'PSParentPath' }
    }
}

Incident Response Priorities

T-Minus Detection Checklist:

  1. Check Point Logs: Immediately query VPN logs for successful IKEv1 connections on or after 2026-06-08 originating from unusual geolocations.
  2. ScreenConnect Audit: Audit ScreenConnect logs for SetupWizard.aspx or path traversal strings in URI_Query fields.
  3. AD Account Audit: Look for service accounts being added to local administrator groups across multiple endpoints (indication of lateral movement).

Critical Assets for Exfiltration: Qilin prioritizes:

  • Legal documents and client case files (Business Services/Legal)
  • Customer PII and payment databases (Consumer Services)
  • HR records and employee SSNs
  • CAD drawings and intellectual property (Manufacturing)

Containment Actions:

  1. Disconnect VPNs: If unpatched, block VPN access immediately and enforce MFA for all admin console logins.
  2. Isolate Backup Servers: Qilin explicitly targets Veeam and other backup repositories. Disconnect backup servers from the network.
  3. Revoke Credentials: Assume credentials are compromised for any user logged into a machine with suspicious activity. Force password resets and require re-registration of MFA tokens.

Hardening Recommendations

Immediate (24h):

  • Patch CVE-2026-50751: Apply the Check Point Security Gateway hotfix immediately. Disable IKEv1 if not strictly required.
  • Patch CVE-2024-1708: Ensure all ScreenConnect instances are updated to the latest patched version.
  • Block RDP: Block inbound RDP from the internet via firewall policy.

Short-term (2 weeks):

  • Network Segmentation: Implement strict segmentation between user workstations and backup repositories/servers.
  • Implement Phishing-Resistant MFA: Move to FIDO2/WebAuthn for VPN and critical remote access tools.
  • EDR Tuning: Configure EDR to alert on unsigned PowerShell scripts and the execution of rclone or winscp on endpoints.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarecheck-pointscreenconnectconsumer-servicesus-targets

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action