Back to Intelligence

QILIN Ransomware: 15 Victims in 5 Days — Construction Sector Under Siege

SA
Security Arsenal Team
June 23, 2026
6 min read

Date: 2026-06-23 Analyst: Security Arsenal Threat Intelligence Unit

Executive Summary

The QILIN ransomware group (formerly known as Agenda) has significantly increased its operational tempo, posting 15 new victims between June 18 and June 22, 2026. This campaign displays a pronounced focus on the Construction and Manufacturing sectors, with a high-value intrusion into the Central Bank of Libya. Intelligence suggests the group is actively exploiting newly disclosed vulnerabilities in perimeter defenses, specifically Check Point Security Gateways and Cisco FMC, to gain initial access.

Threat Actor Profile — QILIN

  • Aliases: Agenda, Qilin.Banner
  • Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate program, allowing diverse threat actors to utilize their Go-based encryption payload.
  • Ransom Demands: Highly variable, typically ranging from $500,000 to $5 million USD depending on victim revenue, often negotiated via Tox chat.
  • Initial Access Vectors: Known for exploiting public-facing vulnerabilities (VPN, Firewalls), utilizing valid credentials obtained via initial access brokers (IABs), and phishing.
  • Extortion Strategy: Strict double extortion model. Victims' data is exfiltrated prior to encryption and threatened for release on their .onion site if ransom is not paid.
  • Dwell Time: Average dwell time observed is approximately 3-5 days between initial breach and detonation, indicating a "smash-and-grab" or automated post-exploitation approach.

Current Campaign Analysis

Sector Targeting

Based on the last 15 leak site postings, Qilin has shifted focus towards vertical industries with complex supply chains but potentially lower maturity in OT/IT security segmentation:

  • Construction: 33% of victims (Schumacher Homes, Florida Engineering Services, PJ Daly Contracting, Homes By J Anthony, Makel Companies).
  • Manufacturing: 20% of victims (Taiwan Sintong, Pacific Lamp & Supply, Roth Industries).
  • Financial Services: Critical intrusion into the Central Bank of Libya.

Geographic Distribution

  • Primary Target: United States (7 victims - 46%)
  • Secondary Targets: Europe (Germany, Ireland, France), APAC (Thailand, Taiwan), MENA (Libya), and LATAM (Chile).

Victim Profile

The victims range from mid-market businesses (e.g., Sparkle Pools) to large national infrastructure (Central Bank of Libya). The concentration in Construction suggests Qilin affiliates view this sector as high-payoff due to time-sensitive project deadlines.

CVEs & Initial Access

This campaign correlates strongly with the exploitation of CISA Known Exploited Vulnerabilities (KEV):

  1. CVE-2026-50751 (Check Point Security Gateway): The intrusion into the Central Bank of Libya and Sivatel Bangkok likely leveraged this critical authentication bypass.
  2. CVE-2026-20131 (Cisco Secure Firewall FMC): Affects enterprises relying on Cisco firewalls, likely used in the US and European incidents.
  3. CVE-2024-1708 (ConnectWise ScreenConnect): Remains a persistent vector for access to IT service providers and managed environments (e.g., ATCOM Outsourcing).

Detection Engineering

Sigma Rules

YAML
title: Potential Check Point Security Gateway Exploitation CVE-2026-50751
id: 8b0e4b1a-1a1b-4c5d-9e6f-1a2b3c4d5e6f
description: Detects potential exploitation of improper authentication in IKEv1 key exchange on Check Point Security Gateways.
status: experimental
date: 2026/06/23
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: firewall
definition:
    condition: selection
selection:
    dst_port: 500
    protocol: udp
    vendor: 'Check Point'
    message|contains:
        - 'ike_failure'
        - 'invalid_cookie'
        - 'auth_failure'
level: high
tags:
    - cve.2026.50751
    - detection.emerging_threats
    - qilin
---
title: Suspicious ConnectWise ScreenConnect Path Traversal Activity
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects path traversal attempts associated with CVE-2024-1708 on ConnectWise ScreenConnect servers.
status: experimental
date: 2026/06/23
author: Security Arsenal
logsource:
    product: web
    service: iis
    definition: 'requirements: extract query parameters'
detection:
    selection:
        c-uri|contains:
            - '..%2f'
            - '..\\'
            - '%2fbin%2fsh'
        cs-host|endswith: ':8040'
    condition: selection
level: critical
tags:
    - cve.2024.1708
    - initial_access
    - ransomware
---
title: QILIN Ransomware Lateral Movement Patterns
description: Detects typical Qilin lateral movement using PsExec or WMI with suspicious command lines.
status: experimental
date: 2026/06/23
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
            - '\wmic.exe'
        CommandLine|contains:
            - 'accepteula'
            - '/node:'
            - 'process call create'
    filter_legit:
        User: 'NT AUTHORITY\SYSTEM'
    condition: selection and not filter_legit
level: high
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - qilin

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious PowerShell activity often used by Qilin for discovery/lateral movement
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Invoke-Command", "New-PSDrive", "Copy-Item", "Invoke-AzureADSSO")
| where ProcessCommandLine has_any ("-Hidden", "-NonInteractive", "-WindowStyle Hidden", "-EncryptedCommand")
| summarize Count=count(), distinctProcesses=dcount(ProcessCommandLine) by DeviceName, InitiatingProcessAccountName, Timestamp
| order by Count desc

PowerShell Response Script

PowerShell
# QILIN Rapid Response: Check for recent Shadow Copy manipulation and suspicious scheduled tasks
Write-Host "[*] Starting QILIN Post-Compromise Triage..." -ForegroundColor Cyan

# Check for Volume Shadow Copy Deletion attempts in last 24h
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='VSS'; ID=12343; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($vssEvents) {
    Write-Host "[!] ALERT: Volume Shadow Copy Deletion events detected!" -ForegroundColor Red
    $vssEvents | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "[+] No VSS deletion events found in last 24h." -ForegroundColor Green
}

# Enumerate suspicious Scheduled Tasks created in last 3 days
$suspiciousTasks = Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-3)}
if ($suspiciousTasks) {
    Write-Host "[!] ALERT: Scheduled Tasks created/modified in last 3 days:" -ForegroundColor Yellow
    $suspiciousTasks | Select-Object TaskName, Date, Author, Actions
} else {
    Write-Host "[+] No recent suspicious scheduled tasks found." -ForegroundColor Green
}

# Check for common Ransomware extensions in user directories (Staging check)
$extensions = @(".qilin", ".encrypted", ".lock", ".crypto")
foreach ($ext in $extensions) {
    $files = Get-ChildItem -Path C:\Users -Filter *$ext -Recurse -ErrorAction SilentlyContinue -Depth 3
    if ($files) {
        Write-Host "[!] CRITICAL: Encrypted files found with extension $ext" -ForegroundColor Red
    }
}
Write-Host "[*] Triage Complete." -ForegroundColor Cyan

Incident Response Priorities

T-Minus Detection Checklist

  • Perimeter Logs: Immediate review of Check Point and Cisco FMC logs for anomalies on ports 500 (IKE), 443, or 8443 corresponding to the dates June 18-22.
  • ScreenConnect Audit: If ConnectWise ScreenConnect is in use, audit logs for /Authenticated? path traversal attempts.
  • Data Egress: Monitor for massive outbound transfers to non-corporate IP spaces (Qilin often uses rclone or Megacmd).

Critical Assets at Risk

  • Active Directory: Qilin frequently dumps NTDS.dit.
  • Financial Systems: Accounting databases and payroll systems (high priority for exfiltration).
  • Backup Servers: NAS devices and Veeam repositories are often targeted for encryption to prevent recovery.

Containment Actions

  1. Isolate: Disconnect internet-facing VPN concentrators and Firewall Management interfaces immediately if patches for CVE-2026-50751/CVE-2026-20131 are not verified.
  2. Credential Reset: Force reset of all privileged accounts (Domain Admins) and service accounts for VPN/Management appliances.
  3. Segmentation: Sever connectivity between OT/IoT networks and corporate IT, especially in manufacturing environments.

Hardening Recommendations

Immediate (24 Hours)

  • Patch CISA KEV: Apply patches for CVE-2026-50751 (Check Point), CVE-2026-20131 (Cisco FMC), and CVE-2024-1708 (ScreenConnect).
  • Disable if Unused: If VPN or remote management tools cannot be patched immediately, disable them or restrict access via strict allow-lists.
  • MFA Enforcement: Ensure phishing-resistant MFA is active on all remote access points.

Short-term (2 Weeks)

  • Network Segmentation: Implement strict Zero Trust controls for construction management software and file servers.
  • EDR Coverage: Ensure EDR sensors are deployed on all management servers for perimeter appliances (jump hosts).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwareconstruction-sectorcve-2026-50751initial-accesslateral-movement

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action