Back to Intelligence

QILIN Ransomware: 19 New Victims & Surge in Business Services Targeting — Detection Rules for CVE Exploitation

SA
Security Arsenal Team
July 1, 2026
7 min read

Intelligence Level: Urgent Source: Ransomware.live / Dark Web Leak Sites Date of Analysis: 2026-07-01


Threat Actor Profile — QILIN

Known Aliases: Agenda (previously), Qilin.B Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate-heavy model, offering a Rust-based encryptor known for its customization capabilities and speed of encryption.

Typical Ransom Demands: Variable, typically ranging from $500,000 to $5 million USD, largely dependent on the victim's revenue and the extent of data exfiltration.

Initial Access Vectors:

  • Exploited Vulnerabilities: Heavily reliant on exploiting internet-facing appliances. Recent activity strongly indicates the use of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-50751 (Check Point Security Gateway).
  • Phishing: Targeted spear-phishing with malicious macro-laden documents remains a staple for initial foothold in less mature environments.
  • Valid Accounts: Compromised credentials via info-stealers or brute-force attacks on VPN gateways (RDP/SSTP).

TTP Overview: Qilin affiliates utilize a double-extortion model. They employ tools like Cobalt Strike for C2 and lateral movement, followed by data exfiltration using tools like RClone or WinSCP. Encryption is executed via a Rust-based binary. Average dwell time is aggressive, often between 3 to 5 days from initial access to encryption.


Current Campaign Analysis

Based on the 19 recent victim postings observed on 2026-06-29 through 2026-07-01:

Sector Targeting:

  • Business Services: The primary target, accounting for nearly 30% of recent victims (e.g., Mattatuck Industrial Scrap Metal, Rossum Integration, Hemmersbach GmbH). This suggests a strategy of attacking service providers to potentially pivot into larger downstream clients.
  • Manufacturing: A secondary focus (20% of victims), including targets like Dynamic Laser Solutions and Kunert Fashion.

Geographic Concentration:

  • Primary: United States (US) and Great Britain (GB).
  • Secondary: Germany (DE), Japan (JP), and South Korea (SK).
  • Analysis: The Anglophone focus suggests English-speaking affiliates or a specific focus on economies with higher ransom-paying capabilities.

Victim Profile: The victims range from mid-market entities (e.g., Dennis Waters Rental Properties) to larger international organizations (e.g., GSMA, Musashino University). The targeting of Education (Musashino University) and Telecommunications (GSMA) represents an expansion from their traditional commercial focus.

CVE Connection & Exploitation Patterns: The timing of these postings correlates with the weaponization of specific CISA KEV-listed vulnerabilities:

  1. CVE-2024-1708 (ConnectWise ScreenConnect): Victims in the Business Services sector heavily utilize remote management software. The path traversal vulnerability allows attackers to execute remote code, bypassing standard authentication.
  2. CVE-2026-50751 (Check Point Security Gateway): The IKEv1 improper authentication vulnerability provides a direct vector into the network perimeter, likely used against victims with exposed VPN interfaces.
  3. CVE-2023-21529 (Microsoft Exchange): Used for persistence or initial access in environments where Exchange servers are internet-facing.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential ConnectWise ScreenConnect Authentication Bypass
id: 4d9d3b6e-1a2b-4c3d-8e5f-6a7b8c9d0e1f
status: experimental
description: Detects potential exploitation of CVE-2024-1708 (ScreenConnect Path Traversal) via suspicious process creation by the ScreenConnect service.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/07/01
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2024.1708
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: 'ScreenConnect'
        NewProcessName|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\pwsh.exe'
    filter_legit:
        CommandLine|contains: 'ScreenConnect.Client' # Legit client activity
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative tasks via ScreenConnect
level: high
---
title: Microsoft Exchange Deserialization Gadget Suspicious Activity
id: 5e0e4c7f-2b3c-4d4e-9f0a-7b8c9d0e1f2a
status: experimental
description: Detects patterns associated with CVE-2023-21529 exploitation involving Exchange PowerShell deserialization.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/07/01
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2023.21529
logsource:
    product: windows
    service: msexchange-management
    definition: 'Requirements: Exchange Management Cmdlet Logging'
detection:
    selection:
        EventID: 6 # Generic cmdlet execution
        |contains:
            - 'New-ManagementRoleAssignment'
            - 'Add-RoleGroupMember'
    context:
        SubjectUserName|contains:
            - 'SYSTEM'
            - 'Administrator'
    condition: selection and context
falsepositives:
    - Legitimate Exchange Administration
level: high
---
title: Ransomware Preparation - Shadow Copy Deletion via VssAdmin
id: 6f1f5d8g-3c4d-5e5f-0a1b-8c9d0e1f2a3b
status: experimental
description: Detects attempts to delete Volume Shadow Copies using vssadmin, a common precursor to Qilin encryption.
references:
    - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal Research
date: 2026/07/01
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    condition: selection
falsepositives:
    - System administrators manually managing disk space
level: critical

KQL (Microsoft Sentinel)

Hunt for lateral movement and data staging often seen prior to Qilin detonation. This query looks for the use of PsExec/WMI for movement and high-volume file modifications.

KQL — Microsoft Sentinel / Defender
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Look for lateral movement tools
| where FileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe")
// Filter for suspicious arguments often used by Qilin affiliates
| where ProcessCommandLine has_any ("accepteula", "remote", "Invoke-Command", "New-PSSession", "-enc")
// Join with network events to see potential C2 or Exfil
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(TimeFrame)
    | where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "rclone.exe", "winscp.exe")
    | summarize RemoteIPCount = dcount(RemoteIP), SentBytes = sum(SentBytes) by InitiatingProcessAccountId, DeviceName
) on DeviceName, InitiatingProcessAccountId
| where RemoteIPCount > 5 or SentBytes > 50000000 // > 50MB sent
| project Timestamp, DeviceName, FileName, ProcessCommandLine, RemoteIPCount, SentBytes

PowerShell - Rapid Response Hardening Script

This script performs an immediate triage: checks for exposed RDP users, audits scheduled tasks created in the last 7 days (common persistence mechanism), and checks the status of Shadow Copy storage.

PowerShell
# QILIN Ransomware Triage Script
# Requires Administrator Privileges
Write-Host "[+] Starting Qilin Gang Triage Hardening Check..." -ForegroundColor Cyan

# 1. Check for Active RDP Sessions (Potential Lateral Movement)
Write-Host "\n[1] Checking for Active RDP Sessions..." -ForegroundColor Yellow
$query = "query user"
$rdpUsers = cmd /c $query 2>&1
if ($rdpUsers -match "rdp-tcp") {
    Write-Host "WARNING: Active RDP sessions detected:" -ForegroundColor Red
    Write-Host $rdpUsers
} else {
    Write-Host "No active RDP sessions found." -ForegroundColor Green
}

# 2. Audit Scheduled Tasks (Last 7 Days)
Write-Host "\n[2] Auditing Scheduled Tasks created/modified in last 7 days..." -ForegroundColor Yellow
$dateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {
    $_.Date -gt $dateCutoff -or 
    (Get-ScheduledTaskInfo $_.TaskName).LastRunTime -gt $dateCutoff
} | Select-Object TaskName, Date, @{Name="LastRun";Expression={(Get-ScheduledTaskInfo $_.TaskName).LastRunTime}}, State

# 3. Check Volume Shadow Copy Status
Write-Host "\n[3] Checking Volume Shadow Copy Storage..." -ForegroundColor Yellow
$vss = vssadmin list shadows
if ($vss -match "No shadow copies found") {
    Write-Host "CRITICAL: No Shadow Copies exist. System is vulnerable to total data loss." -ForegroundColor Red
} else {
    $shadowCount = ($vss | Select-String "Shadow Copy Volume").Count
    Write-Host "Found $shadowCount shadow copies. Ensure recent backups are valid." -ForegroundColor Green
}

Write-Host "\n[+] Triage Complete." -ForegroundColor Cyan


---

Incident Response Priorities

T-minus Detection Checklist:

  1. Web Shell / Reverse Shell Detection: Scan for aspx, php, or jsp files modified in the last 48h in web roots (ConnectWise/Exchange directories).
  2. PowerShell Logs: Hunt for EncodedCommand entries or Base64 strings in Security Event ID 4104.
  3. Mass File Modification: Monitor for files being renamed with random extensions or massive file IO operations (Read/Write).

Critical Assets for Exfiltration: Qilin specifically targets:

  • Customer Databases (SQL): High value for Business Services victims.
  • CAD/Design Files: High value for Manufacturing victims.
  • Financial Records: Universal priority.

Containment Actions (Urgency Order):

  1. Disconnect VPN: If using Check Point gateways, isolate the management interface immediately if patches for CVE-2026-50751 are not verified.
  2. ScreenConnect Hygiene: If ScreenConnect is in use, force-update all agents to the latest patched version immediately and audit for unauthorized access logs.
  3. Disable SMB: Block inbound SMB (TCP 445) from the internet and between VLANs to halt lateral movement.

Hardening Recommendations

Immediate (24 Hours):

  • Patch CVE-2024-1708: Update ConnectWise ScreenConnect to the latest version immediately.
  • Patch CVE-2026-50751: Apply hotfixes for Check Point Security Gateways and disable IKEv1 if not strictly required.
  • MFA Enforcement: Enforce MFA on all VPN access and remote desktop gateways.

Short-term (2 Weeks):

  • Network Segmentation: Restrict lateral movement by segmenting critical servers (Backup, Domain Controller, Database) from user workstations.
  • Application Control: Implement allow-listing (AppLocker) to prevent the execution of unsigned binaries in common ransomware paths ( %APPDATA%, %TEMP%, C:\ProgramData).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarebusiness-servicesscreenconnectcve-exploitationdetection-engineering

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.