Back to Intelligence

QILIN Ransomware Campaign: 14 New Victims & Critical Firewall Exploitation

SA
Security Arsenal Team
June 29, 2026
6 min read

Date: 2026-06-30
Source: Ransomware.live / Dark Web Leak Sites
Analyst: Security Arsenal Intel Unit

Threat Actor Profile — QILIN

  • Aliases: Agenda (formerly), Carbon.
  • Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate-heavy model, providing a Rust-based encryptor capable of targeting both Windows and Linux environments.
  • Ransom Demands: Variable, typically ranging from $500,000 to multi-million dollars depending on victim revenue, often negotiated via Tox chat.
  • Initial Access Vectors: The group aggressively exploits vulnerabilities in edge networking devices (Check Point, Cisco Firewalls) and remote management software (ConnectWise ScreenConnect). Phishing remains a secondary vector.
  • Extortion Strategy: Strict double extortion. Data is exfiltrated prior to encryption and posted on their TOR site if demands are not met. They have recently begun threatening DDoS attacks to force compliance.
  • Dwell Time: Short to moderate. Recent observations indicate a dwell time of 3–7 days when exploiting known CVEs on edge devices, longer when utilizing initial access brokers for phishing.

Current Campaign Analysis

Campaign Overview: Qilin has posted 14 new victims in the last 7 days, indicating a high-velocity campaign targeting critical supply chain sectors.

  • Targeted Sectors:

    • Primary: Manufacturing (Kunert Fashion, Metal Sur Famin), Agriculture/Food (NASCO, Lam Soon).
    • Secondary: Education (Musashino University), Telecommunications (Gsma), Technology (Axionlog).
    • Notable: Aggressive targeting of Business Services and Logistics (Transcore).

  • Geographic Concentration: Highly distributed global footprint. Concentrated activity in US (4), GB (3), DE/JP (2), with outliers in Argentina, Thailand, Czech Republic, France, Greece, Canada, and South Korea.

  • Victim Profile: Mix of upper-mid-market and enterprise.

    • Example: Gsma (Telecommunications, UK) and Transcore (Logistics, US) represent high-value targets with complex network infrastructure, suggesting the exploitation of CVE-2026-50751 (Check Point) or CVE-2026-20131 (Cisco FMC).
    • Cash Canada (Financial Services) suggests a potential pivot back to monetarily dense verticals.

  • CVE Correlation & Access Vectors: Based on victim types and CISA KEV data:

    • CVE-2026-50751 (Check Point Security Gateway): Highly probable vector for Gsma and Axionlog (Tech). The improper auth in IKEv1 allows unauthenticated VPN entry, bypassing MFA.
    • CVE-2026-20131 (Cisco Secure Firewall FMC): Likely used against large orgs like Transcore or NASCO for deserialization attacks leading to RCE.
    • CVE-2024-1708 (ConnectWise ScreenConnect): Consistent with targeting Business Services (ISOPLUS, KALIACT) and Education, allowing remote code execution via path traversal.

Detection Engineering

The following detection logic targets Qilin's specific use of edge exploits and lateral movement tooling.

YAML
title: Potential Check Point IKEv1 Exploitation CVE-2026-50751
id: 6a8b9c1d-0e3f-4a5b-8c9d-1e2f3a4b5c6d
description: Detects potential exploitation of Check Point Security Gateway improper authentication vulnerability via IKEv1 anomalies or mass authentication failures.
status: experimental
date: 2026/06/30
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: firewall
    service: checkpoint
detection:
    selection:
        service|contains: 'vpn'
        action: 'accept' or 'decrypt' or 'key_exchange'
    filter_legit:
        src_ip_network:
            - '192.168.0.0/16'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate remote employee VPN spikes
level: high

tags:
    - cve.2026.50751
    - attack.initial_access
    - detection.emerging_threats
---
title: Suspicious ConnectWise ScreenConnect Path Traversal
id: b2c3d4e5-1f2a-3b4c-5d6e-7f8a9b0c1d2e
description: Detects potential exploitation of CVE-2024-1708 in ConnectWise ScreenConnect via suspicious URI patterns.
status: experimental
date: 2026/06/30
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: web
    product: connectwise_screenconnect
detection:
    selection_uri:
        cs-uri-query|contains:
            - '..%2f'
            - '..\\'
            - '/WebUtility/'
    selection_method:
        cs-method: 'GET' or 'POST'
    condition: all of selection_*
falsepositives:
    - Misconfigured scanning tools
level: critical

tags:
    - cve.2024.1708
    - attack.initial_access
    - ransomware.qilin
---
title: Qilin Ransomware Pre-Encryption Activity
id: c3d4e5f6-2a3b-4c5d-6e7f-8a9b0c1d2e3f
description: Detects typical Qilin precursors including Volume Shadow Copy deletion and system discovery using PowerShell.
status: experimental
date: 2026/06/30
author: Security Arsenal
logsource:
    product: windows
    category: process_creation
detection:
    selection_vss:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    selection_discovery:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Get-ChildItem'
            - 'Recurse'
            - 'ErrorAction SilentlyContinue'
    condition: 1 of selection_*
falsepositives:
    - Legitimate system admin maintenance
level: high

tags:
    - attack.impact
    - attack.discovery
    - ransomware.qilin

KQL Hunt Query (Microsoft Sentinel)

Hunt for lateral movement and data staging indicative of Qilin operations.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents 
| where Timestamp >= ago(7d) 
| where FileName in ("vssadmin.exe", "wbadmin.exe", "powershell.exe", "cmd.exe", "powershell_ise.exe") 
| where ProcessCommandLine has_any ("delete", "shadows", "copy", "move", "compress", "7z", "winrar") 
| where InitiatingProcessFileName in ("explorer.exe", "services.exe", "svchost.exe") 
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName 
| order by Timestamp desc

Rapid Response Hardening Script (PowerShell)

PowerShell
# Qilin Response: Check for recent Shadow Copy manipulation and suspicious scheduled tasks
Write-Host "Checking for VSS deletions in last 24 hours..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | 
Where-Object {$_.Message -match 'delete' -or $_.Message -match 'Volume Shadow Copy'} | 
Select-Object TimeCreated, Message

Write-Host "Enumerating Scheduled Tasks created in last 7 days (Potential Persistence)..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | 
Select-Object TaskName, TaskPath, Date, Author, Actions

Write-Host "Checking for anomalous RDP connections (Last 24h)..." -ForegroundColor Yellow
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | 
Where-Object {$_.Message -match 'Type 10' -or $_.Message -match 'Network'} 
if ($Events) { $Events | Select-Object TimeCreated, @{n='User';e={$_.Properties[5].Value}}, @{n='IP';e={$_.Properties[19].Value}} | Group-Object IP | Where-Object {$_.Count -gt 50} | Select-Object Name, Count }
else { Write-Host "No high-frequency RDP connections found." }


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption):

  1. VPN Logs: Review Check Point and Cisco VPN logs for CVE-2026-50751 and CVE-2026-20131 indicators (mass IKEv1 failures, anomalous admin logins from foreign IPs).
  2. ScreenConnect Audit: Audit ConnectWise ScreenConnect logs for CVE-2024-1708 (path traversal in /WebUtility/ or /Guest/*).
  3. Lateral Movement: Hunt for PsExec usage or WMI execution (wmic.exe process call create) originating from non-admin workstations.

Critical Assets Prioritized for Exfiltration:

  • Manufacturing: CAD files, IP (Intellectual Property), ERP databases (SAP/Oracle).
  • Education: Student PII, Financial Aid records, Research data.
  • Telecom: Customer call logs, Billing data, Network topology diagrams.

Containment Actions (Ordered by Urgency):

  1. Isolate Edge: Immediately block internet access to VPN concentrators and firewall management interfaces (MFA push if not active, or enforce Geo-blocking).
  2. Disable RMM: Temporarily disable ConnectWise ScreenConnect services until patched/verified.
  3. Segmentation: Sever links between IT and OT networks (critical for Manufacturing victims like Kunert and Metal Sur Famin).

Hardening Recommendations

Immediate (24 Hours):

  • Patch Edge: Apply the vendor patches for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC). If patching is delayed, implement strict Geo-IP blocking on VPN interfaces.
  • Kill RMM Public Access: Ensure ScreenConnect/ConnectWise instances are not exposed to the public internet; require VPN access to reach the RMM console.
  • Audit MFA: Enforce FIDO2 or hardware token MFA for all VPN and firewall admin access. Reject push notification fatigue.

Short-Term (2 Weeks):

  • Zero Trust Architecture: Implement least privilege access for firewall management; no direct admin access from the internet.
  • EDR Coverage: Ensure EDR sensors are deployed on all internet-facing jump servers and management planes.
  • Offline Backups: Verify that critical Manufacturing and Education data has immutable offline backups.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwaremanufacturingcve-2026-50751firewall-exploit

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action