**Aliases:** Agenda, Qilin.B
**Model:** Ransomware-as-a-Service (RaaS)
**Ransom Demands:** Typically ranges from $500,000 to $5 million, varying heavily based on victim revenue and perceived data value.
**TTPs & Modus Operandi:** Qilin operates a sophisticated RaaS model known for its custom Rust-based encryptor. The group is aggressive in its double-extortion tactics, often threatening to leak sensitive client data if negotiations fail. Initial access is frequently gained through exposed VPN vulnerabilities, compromised valid credentials (phishing), and exploitation of remote management tools such as ScreenConnect. Once inside, dwell time is short, often between 2 and 4 days, before detonation. The operators prioritize rapid lateral movement via PsExec and WMI to deploy the payload broadly before encryption begins.
# Current Campaign Analysis
**Sector Targeting:** Based on the last 100 postings, Qilin has a distinct preference for Business Services (specifically Law Firms), Consumer Services, and Technology. The recent victim list indicates a saturation attack on the legal sector, with victims like Miller & Zois, Bekman Marder Hopper Malarkey & Perlin, Dulany Leahy Curtis & Brophy, and Wright Constable & Skeen hit within a 48-hour window.
**Geographic Concentration:**
- Primary: United States (Dominant)
- Secondary: Spain (ES), South Korea (KR), Mexico (MX), Germany (DE)
**Victim Profile:** The victims are predominantly mid-market organizations (revenue $10M - $200M). The targeting of law firms suggests a pivot towards high-value data theft (attorney-client privilege) to maximize extortion leverage.
**CVE Correlation:** This campaign strongly correlates with the active exploitation of CVE-2026-50751 (Check Point Security Gateway) and CVE-2024-1708 (ConnectWise ScreenConnect). Given that several victims (e.g., Bitek System and Miller & Zois) rely on complex IT infrastructure and remote access, it is highly probable that initial access was achieved via unpatched VPN gateways or remote management interfaces.
# Detection Engineering
## Sigma Rules
```yaml
---
title: Potential Qilin Ransomware Activity - PowerShell Encoded Payload
id: 4a3b2c1d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects base64 encoded PowerShell command lines often used by Qilin loaders to obfuscate injection logic. Requires process command-line auditing to be enabled for Event ID 4688.
status: experimental
author: Security Arsenal Research
date: 2026/06/14
references:
  - https://securityarsenal.com/threat-research/qilin-ttps
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith: '\powershell.exe'
    CommandLine|contains|all:      # both substrings must be present
      - ' -e '
      - 'AAABAAI='                 # Generic header check, adjust per environment
  condition: selection
falsepositives:
  - Legitimate administrative scripts
level: high
---
title: ScreenConnect Authentication Anomaly (CVE-2024-1708)
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects potential exploitation of ConnectWise ScreenConnect path traversal allowing unauthenticated access. Flags inbound connections to the ScreenConnect ports from non-private sources; enrich SourceAddress against Tor exit and VPN threat intel feeds in the SIEM, since the field holds an IP address and cannot be matched on the words 'Tor' or 'VPN'.
status: experimental
author: Security Arsenal Research
date: 2026/06/14
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5156                  # Windows Filtering Platform permitted a connection
    DestPort:
      - 8040
      - 8041
  filter:
    SourceAddress|cidr:
      - '10.0.0.0/8'
      - '192.168.0.0/16'
      - '172.16.0.0/12'
  condition: selection and not filter
falsepositives:
  - Legitimate remote administration by known IPs
level: critical
---
title: Volume Shadow Copy Deletion via VssAdmin
description: Detects commands used to delete Volume Shadow Copies, a common pre-encryption step for Qilin.
status: experimental
author: Security Arsenal Research
date: 2026/06/14
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith:
      - '\vssadmin.exe'
      - '\wmic.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'shadowcopy delete'
  condition: selection
falsepositives:
  - System admin maintenance
level: high
```
## KQL (Microsoft Sentinel)
```kusto
// Hunt for Qilin lateral movement and staging
// Pairs admin-share access with a shell spawned by the same account on the same host
let TimeRange = 1h;
let SuspiciousProcesses = dynamic(["powershell.exe", "cmd.exe", "pwsh.exe"]);
let AdminShares = dynamic(["ADMIN$", "C$", "IPC$"]);
SecurityEvent
| where TimeGenerated > ago(TimeRange)
| where EventID in (5140, 5145) // Share access
// ShareName is logged as \\*\ADMIN$, so compare only the trailing share name
| extend Share = extract(@"\\([^\\]+)$", 1, ShareName)
| where Share in (AdminShares)
| join kind=inner (
    SecurityEvent
    | where TimeGenerated > ago(TimeRange)
    | where EventID == 4688
    // NewProcessName is a full path, so match on the file name rather than an exact value
    | where NewProcessName has_any (SuspiciousProcesses)
    | project Account, Computer, ProcessName = NewProcessName, CommandLine
) on Account, Computer
| project TimeGenerated, Account, Computer, ShareName, ProcessName, CommandLine
| distinct TimeGenerated, Account, Computer, ShareName, ProcessName, CommandLine
| order by TimeGenerated desc
```
## PowerShell Response Script
```powershell
<#
.SYNOPSIS
    Rapid Response Script for Qilin Indicators of Compromise
.DESCRIPTION
    Checks for recent scheduled tasks (persistence), VSS deletion attempts, and suspicious PowerShell processes.
    Run from an elevated PowerShell session on the host under investigation.
#>
Write-Host "[+] Initiating Qilin IOC Scan..." -ForegroundColor Cyan
$DateCutoff = (Get-Date).AddDays(-1)

# 1. Check for Scheduled Tasks registered in the last 24 hours
# The Date property is a string (and may be empty), so cast it before comparing to a DateTime.
Write-Host "[*] Checking for suspicious Scheduled Tasks created in last 24h..." -ForegroundColor Yellow
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -ge $DateCutoff } |
    Select-Object TaskName, TaskPath, Date, Author, Actions | Format-Table -AutoSize

# 2. Check for VSS Deletion Events in System Log
Write-Host "[*] Checking System Event Log for VSS Deletion (EventID 7036/1 from VSS)..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$DateCutoff; ID=1} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*delete*' -and $_.Message -like '*shadow*' } |
    Select-Object TimeCreated, ProviderName, Message | Format-List

# 3. Hunt for Encoded PowerShell processes (Parent/Child)
# Matches the -e, -ec, -en, -enc and -EncodedCommand forms of the flag on a long command line.
Write-Host "[*] Scanning for high-risk PowerShell processes..." -ForegroundColor Yellow
Get-CimInstance Win32_Process | Where-Object {
    ($_.Name -in 'powershell.exe', 'pwsh.exe') -and
    $_.CommandLine -match '\s-e(c|n|nc|ncodedcommand)?\s' -and
    $_.CommandLine.Length -gt 200
} | Select-Object ProcessId, ParentProcessId, CommandLine | Format-List
Write-Host "[+] Scan Complete." -ForegroundColor Green
```
# Incident Response Priorities
**T-minus Detection Checklist (Pre-Encryption):**
1. **VPN Gateway Logs:** Immediately review Check Point Security Gateway logs for authentication anomalies related to CVE-2026-50751.
2. **Remote Access:** Audit ConnectWise ScreenConnect logs for successful logins outside of business hours or from impossible travel locations.
3. **Lateral Movement:** Trigger alerts on any `PsExec` or `WMI` execution attempts originating from non-admin workstations.
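As an added example (not from the report or its Sigma rules), the following Python runs the three pre-encryption checks above (encoded PowerShell, shadow copy deletion, PsExec/WMI from a non-admin workstation) over constructed 4688-style events and decodes the payload hidden behind `-e` for triage; the `ADMIN_HOSTS` allow-list and the sample events are assumptions.

```python
import base64
import re

# Assumption (not from the report): hosts where PsExec/WMI use is expected.
ADMIN_HOSTS = {"JUMP01"}
# Covers -e, -ec, -en, -enc and -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"\s-e(c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
SHADOW_DELETE = re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.I)
LATERAL = re.compile(r"\\psexec(64)?\.exe|wmic(\.exe)?\b.*\bprocess\s+call\s+create", re.I)

def decode_encoded_command(cmd):
    """Return the script hidden behind -e/-enc (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmd)
    return base64.b64decode(m.group(2)).decode("utf-16-le", "replace") if m else None

def classify(event):
    """Names of the report's three pre-encryption detections that fire on one 4688 event."""
    if event.get("EventID") != 4688:
        return []
    image, cmd = event.get("NewProcessName", "").lower(), event.get("CommandLine", "")
    host = event.get("Computer", "").split(".")[0].upper()
    hits = []
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")) and ENCODED_FLAG.search(cmd):
        hits.append("encoded_powershell")
    if image.endswith(("\\vssadmin.exe", "\\wmic.exe")) and SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if LATERAL.search(image + " " + cmd) and host not in ADMIN_HOSTS:
        hits.append("lateral_movement_from_workstation")
    return hits

def triage(events):
    """Map host -> sorted detections; two or more distinct hits on one host is the
    pre-encryption pattern the checklist above wants escalated."""
    per_host = {}
    for ev in events:
        for name in classify(ev):
            per_host.setdefault(ev["Computer"], set()).add(name)
    return {h: sorted(d) for h, d in per_host.items()}

def _ev(host, image, cmd):  # builder for constructed sample events (not real telemetry)
    return {"EventID": 4688, "Computer": host, "NewProcessName": image, "CommandLine": cmd}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    _ev("WS-LEGAL07", PS, "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="),
    _ev("WS-LEGAL07", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    _ev("WS-LEGAL07", r"C:\Windows\System32\wbem\WMIC.exe", 'wmic /node:FS01 process call create "cmd.exe"'),
    _ev("JUMP01", r"C:\Tools\PsExec.exe", r"PsExec.exe \\FS01 -s cmd.exe"),  # expected admin host
    _ev("WS-HR02", PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),  # benign
]
```

Running `triage(SAMPLE_EVENTS)` reports only WS-LEGAL07, with all three detections, while the jump host and the benign script produce nothing.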
**Critical Assets for Exfiltration:**
Qilin historically prioritizes:
* Legal case files and client databases (high extortion value).
* Executive HR records and financial documents.
* CAD/Design files (in Manufacturing/Engineering contexts).
**Containment Actions (Ordered by Urgency):**
1. **Isolate:** Disconnect identified infected hosts from the network immediately; pull the plug if shutdown is not possible (to prevent VSS wipe logic on reboot).
2. **Reset Credentials:** Force reset of all domain admin credentials and service account passwords used on VPN concentrators.
3. **Block Access:** Revoke external access for ScreenConnect and RDP protocols at the firewall level until the vulnerability is confirmed patched.
# Hardening Recommendations
**Immediate (24h):**
* **Patch:** Apply the emergency patch for **CVE-2026-50751** on all Check Point Security Gateways immediately.
* **Patch:** Update ConnectWise ScreenConnect instances to the latest secure version to mitigate **CVE-2024-1708**.
* **MFA:** Enforce strict MFA on all VPN and remote desktop entry points.
**Short-term (2 weeks):**
* **Network Segmentation:** Ensure sensitive Legal/Finance file servers are on a separate VLAN with strict firewall rules (Zero Trust).
* **Egress Filtering:** Block outbound SMB (TCP 445) and non-standard HTTP/HTTPS ports to prevent data exfiltration.
* **Audit:** Conduct a full audit of local administrator memberships on endpoints to limit lateral movement paths.