Back to Intelligence

QILIN Ransomware: 19 New Victims Posted — Surge in Professional Services & Detection Engineering

SA
Security Arsenal Team
June 12, 2026
7 min read

Aliases: Agenda, Qilin.B

Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate-driven model, leasing their Go-based ransomware payload to diverse cybercriminals. This leads to a wide variation in TTPs, though a preference for living-off-the-land (LotL) binaries is consistent.

Ransom Demands: Highly variable, typically ranging from $500,000 to $5 million USD, depending on victim revenue and encrypted data volume. They are known for aggressive negotiation tactics and strict deadlines.

Initial Access: Primarily relies on External Remote Services. Historically, Qilin affiliates exploit VPN vulnerabilities (e.g., FortiGate, Check Point) and compromised remote management tools like ConnectWise ScreenConnect. Phishing remains a secondary vector, often utilizing macro-laden documents or ISO files.

Double Extortion: Strictly adheres to the double extortion playbook. Exfiltration occurs days or weeks prior to encryption. The gang maintains a dedicated "Wall of Shame" .onion site to leak stolen data if ransoms are not paid.

Dwell Time: Average dwell time is estimated between 3 to 7 days. Qilin affiliates are opportunistic; once they gain valid credentials or establish a C2 channel, they move rapidly to lateral movement and data staging to minimize detection windows.

Current Campaign Analysis

Campaign Dates: 2026-06-10 to 2026-06-12 Data Source: Qilin Leak Site (Live Monitor)

Sector & Geographic Targeting

Based on the last 19 postings, Qilin has shifted focus aggressively toward Professional Services, specifically the Legal sector.

  • Top Targeted Sectors:

    • Business Services (Legal/Consulting): ~47% of victims (e.g., Miller & Zois, Bekman Marder Hopper, Wright Constable & Skeen).
    • Consumer Services: ~21% (e.g., Maui Divers Jewelry, Efficient Home).
    • Technology & Manufacturing: ~16% combined.

  • Geographic Concentration:

    • United States (US): Dominant target, representing ~60% of recent victims.
    • Europe (ES, DE): Significant secondary target (~26%).
    • Others: KR, MX, MD.

Victim Profile & Patterns

  • Victimology: Predominantly SMB to Mid-Market organizations. The prevalence of law firms suggests a specific pivot toward organizations that handle sensitive client data (PII/Case Files) but may lack mature security operations centers (SOCs).
  • Posting Frequency: High-volume dumping. 10 out of 19 victims were published on a single day (2026-06-10), indicating either a mass-exploitation event or a backlog clearing by the gang.

Threat Landscape & CVE Correlation

The campaign coincides with the active exploitation of critical perimeter vulnerabilities. Given Qilin's historical reliance on remote access bypasses, we assess with high confidence that the following CISA KEV-listed CVEs are being leveraged as initial access vectors in this surge:

  1. CVE-2026-50751 (Check Point Security Gateway): Added to KEV 2026-06-08. The proximity of this CVE addition (just days before the victim surge) and the targeting of business sectors relying on enterprise firewalls suggests active scanning and exploitation.
  2. CVE-2024-1708 (ConnectWise ScreenConnect): A persistent favorite for RaaS affiliates. Allows for authenticated remote code execution (RCE) and immediate deployment of webshells or Cobalt Strike beacons.
  3. CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization vulnerability allowing remote code execution, likely used in network perimeter breaches.

Detection Engineering

The following detection content is designed to identify the specific TTPs observed in Qilin's recent campaign: perimeter bypass (Check Point/ScreenConnect), lateral movement (PsExec/WMI), and data staging.

Sigma Rules

YAML
title: Potential Check Point Security Gateway Exploitation CVE-2026-50751
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
description: Detects potential exploitation attempts of CVE-2026-50751 involving IKEv1 key exchange anomalies or authentication bypass patterns on Check Point Security Gateways.
status: experimental
date: 2026/06/13
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: firewall
    service: check_point
detection:
    selection:
        action|contains: 'accept'
        service: 'ike'
        vpn_feature: 'ikev1'
    filter_legit:
        src_ip_range:
            - '10.0.0.0/8'
            - '192.168.0.0/16'
            - '172.16.0.0/12'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate remote employee VPN connections
level: high
tags:
    - cve.2026.50751
    - attack.initial_access
    - qilin
---
title: ScreenConnect Path Traversal Exploitation CVE-2024-1708
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects suspicious path traversal patterns in URI queries associated with ConnectWise ScreenConnect authentication bypass (CVE-2024-1708).
status: experimental
date: 2026/06/13
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: web
    product: connectwise_screenconnect
detection:
    selection_uri:
        cs-uri-query|contains:
            - '..%2f'
            - '..%5c'
            - '%2fbin%2fsh'
            - 'Web.config'
    selection_status:
        sc-status:
            - 200
            - 500
    condition: all of selection_*
falsepositives:
    - Scanning activity (noise)
level: critical
tags:
    - cve.2024.1708
    - attack.initial_access
    - attack.t1190
    - qilin
---
title: Qilin Ransomware Lateral Movement PsExec
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects the use of PsExec or similar tools for lateral movement, a hallmark of Qilin affiliates moving from the initial beachhead to domain controllers.
status: experimental
date: 2026/06/13
author: Security Arsenal Research
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\psexec.exe'
        - Image|endswith: '\psexec64.exe'
        - OriginalFileName: 'psexec.exe'
    selection_cli:
        CommandLine|contains:
            - '-accepteula'
            - '\\*'
            - '-d '
    condition: 1 of selection_*
falsepositives:
    - Administrative IT tasks
level: high
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - qilin

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and data staging indicators associated with Qilin
// Focuses on PsExec/WMI usage and unusual volume of file modifications
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where InitiatingProcessFileName in ('psexec.exe', 'psexec64.exe', 'wmic.exe', 'powershell.exe')
| where ProcessCommandLine has_any('\\', 'Invoke-Command', 'New-Object', 'DownloadString')
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(TimeFrame)
    | where ActionType in ('FileCreated', 'FileModified')
    | summarize count() by DeviceName, bin(Timestamp, 5m)
    | where count_ > 50 // Threshold for bulk encryption/staging
) on DeviceName
| project Timestamp, DeviceName, AccountName, CommandLine = ProcessCommandLine, FileActivityCount = count_

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware T-Minus Checklist
.DESCRIPTION
    Rapid response script to hunt for Indicators of Compromise (IOCs) associated with Qilin activity:
    1. Checks for recent suspicious Scheduled Tasks (Persistence).
    2. enumerates Volume Shadow Copy status (often deleted pre-encryption).
    3. Checks for recent PsExec executions.
#>

Write-Host "[+] Starting Qilin IOC Hunt..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in the last 7 days
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($suspiciousTasks) {
    Write-Host "[!] WARNING: Recent Scheduled Tasks found (Potential Persistence):" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, Date, Author | Format-Table
} else {
    Write-Host "[-] No suspicious recent Scheduled Tasks found." -ForegroundColor Green
}

# 2. Check Volume Shadow Copy Status
try {
    $vss = vssadmin list shadows /for=c: 2>&1
    if ($vss -match "No shadow copies found") {
        Write-Host "[!] CRITICAL: No Volume Shadow Copies found on C:. Deletion likely imminent or completed." -ForegroundColor Red
    } else {
        $shadowCount = ($vss | Select-String "Shadow Copy Volume").Count
        Write-Host "[+] Found $shadowCount shadow copies on C:." -ForegroundColor Green
    }
} catch {
    Write-Host "[!] Error checking VSS." -ForegroundColor Yellow
}

# 3. Check for recent PsExec usage in Event Logs (requires Admin)
$events = Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4688)]] and *[EventData[Data[@Name='NewProcessName'] and (Data='psexec.exe' or Data='psexec64.exe')]]" -ErrorAction SilentlyContinue -MaxEvents 10
if ($events) {
    Write-Host "[!] WARNING: PsExec execution detected in Security Logs:" -ForegroundColor Red
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host "[-] No recent PsExec events found." -ForegroundColor Green
}

Write-Host "[+] Hunt complete. Review warnings immediately." -ForegroundColor Cyan


---

# Incident Response Priorities

If Qilin activity is suspected, execute the following checklist immediately (T-Minus):

1.  **Isolate the Crown Jewels:** Identify and disconnect file servers containing Legal case files, PII databases, and Financial records. Qilin prioritizes exfiltrating high-value proprietary data.
2.  **Hunt for C2 Beacons:** Look for anomalous PowerShell processes (policies bypassing) and connections to known Cobalt Strike domains or IP addresses.
3.  **Check Perimeter Logs:** Immediate forensic review of VPN (Check Point/Cisco) and Remote Access (ScreenConnect) logs for the period 48 hours prior to the first detection alert. Look for successful logins from impossible travel geolocations.
4.  **Containment:** 
    *   **Priority 1:** Disable the accounts used for lateral movement (usually service accounts).
    *   **Priority 2:** Block inbound VPN traffic from non-corporate IP ranges immediately.

---

# Hardening Recommendations

Immediate (24 Hours)

  • Patch CVE-2024-1708 & CVE-2026-50751: Apply the latest patches for ConnectWise ScreenConnect and Check Point Security Gateways. If patching is impossible, disable the VPN or ScreenConnect services externally until secured.
  • MFA Enforcement: Enforce strict MFA on all VPN and Remote Desktop access. Qilin affiliates frequently leverage credential stuffing to bypass perimeter defenses.

Short-term (2 Weeks)

  • Network Segmentation: Ensure Legal and Business Services segments are strictly segregated from the management plane. Limit lateral movement from jump servers to critical file shares.
  • EDR Tuning: Update EDR policies to flag unsigned PowerShell scripts and the execution of PsExec or WMI from non-admin workstations.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarelegal-sectorscreenconnectcheck-pointinitial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action