Qilin (also known as Agenda) operates a sophisticated Ransomware-as-a-Service (RaaS) model. The group is known for aggressive double-extortion tactics, encrypting systems while threatening to leak sensitive data. Recent intelligence indicates a shift towards targeting mid-market enterprises in the $10M-$200M revenue band.
- Model: RaaS (Ransomware-as-a-Service)
- Ransom Demands: Variable, typically ranging from $500k to $5M depending on victim revenue.
- Initial Access: Historically relies on phishing, compromised VPN credentials (FortiGate/Check Point), and exploitation of remote management tools (ScreenConnect).
- Dwell Time: Short. Recent campaigns show an average dwell time of 3–5 days between initial access and detonation.
- Toolset: Cobalt Strike beacons for C2, custom PowerShell scripts for lateral movement, and Rclone for data exfiltration.
Current Campaign Analysis
Sector Targeting: Qilin has intensified focus on the Construction sector (approx. 31% of recent victims), targeting firms like Schumacher Homes and Florida Engineering Services. Financial Services and Manufacturing remain secondary high-priority verticals.
Geographic Concentration: While the US remains the primary target (30% of recent victims), the campaign shows a distinct global spread with confirmed impacts in Libya (Financial), Thailand (Telecom), and Europe (Germany/Ireland).
Victim Profile: The current victim list suggests a preference for organizations with decentralized IT infrastructure, such as regional construction firms and manufacturing plants, likely due to weaker network segmentation and legacy VPN appliances.
CVE Correlation: There is a high probability the recent surge is fueled by the exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-50751 (Check Point Security Gateway). Victims in the Telecom and Business Services sectors often utilize these specific perimeter management tools.
Detection Engineering
The following detection logic is designed to identify Qilin's specific TTPs observed in this campaign, focusing on the exploitation of ScreenConnect and lateral movement indicators.
```yaml
---
title: Potential Ransomware Initial Access via Check Point Security Gateway
id: b2c4f6a1-4e5d-4b5a-9c8d-7e6f5a4b3c2d
description: Detects potential exploitation of CVE-2026-50751 involving IKEv1 anomalies or unusual VPN authentication bursts associated with Qilin initial access.
author: Security Arsenal
date: 2026/06/23
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: firewall
    product: checkpoint
detection:
    selection:
        service|contains: 'IKE'
        action|contains: 'accept'
        vpn|contains: 'ikev1'
    # count() needs a window to be meaningful; 10m is an assumed starting point, tune per environment
    timeframe: 10m
    condition: selection | count() > 50
falsepositives:
    - Legitimate high-volume VPN reconnections
level: high
tags:
    - attack.initial_access
    - cve.2026.50751
---
title: Suspicious ConnectWise ScreenConnect Path Traversal Activity
id: c3d5e7b2-5f6e-5c6b-0d9e-8f7a6b5c4d3e
description: Detects path traversal indicators associated with CVE-2024-1708 exploitation on ScreenConnect servers, a known Qilin vector.
author: Security Arsenal
date: 2026/06/23
logsource:
    category: webserver
    service: iis
detection:
    selection_uri:
        cs-uri-query|contains:
            - '../'
            - '%2e%2e'
            - 'setupWizard'
    selection_status:
        sc-status:
            - 200
            - 500
    condition: all of selection*
falsepositives:
    - Rare scanning noise
level: critical
tags:
    - attack.initial_access
    - cve.2024.1708
---
title: Qilin Ransomware Pre-Encryption PowerShell Activity
id: d4e6f8c3-6g7f-6d7c-1e0f-0g8b7c6d5e4f
description: Detects PowerShell commands used to clear logs or stop services, often observed in the Qilin playbook prior to encryption.
author: Security Arsenal
date: 2026/06/23
logsource:
    product: windows
    service: security
detection:
    selection_process:
        # NewProcessName/CommandLine are fields of event 4688 (process creation)
        EventID: 4688
        NewProcessName|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cmdline:
        CommandLine|contains:
            - 'Clear-EventLog'
            - 'wevtutil cl'
            - 'Remove-Item -Recurse -Force'
            - 'vssadmin delete shadows'
    condition: all of selection*
falsepositives:
    - System administration scripts
level: high
tags:
    - attack.execution
    - attack.defense_evasion
```
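To show how the `|contains` and `|endswith` modifiers and the `all of selection*` condition in the ScreenConnect and PowerShell rules above actually evaluate, here is a small added evaluator run over constructed sample events. It is example code written for this page, not Security Arsenal's or the Sigma project's tooling; the field names come from the rules, the event values are made up.

```python
# Added example: a minimal evaluator for the 'contains'/'endswith' modifiers and the
# 'all of selection*' condition used by the ScreenConnect and PowerShell rules above.
# Not Security Arsenal's or the Sigma project's code; sample events are constructed.

SCREENCONNECT_RULE = {
    "selection_uri": {"cs-uri-query|contains": ["../", "%2e%2e", "setupWizard"]},
    "selection_status": {"sc-status": [200, 500]},
}
POWERSHELL_RULE = {
    "selection_process": {"NewProcessName|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
    "selection_cmdline": {"CommandLine|contains": [
        "Clear-EventLog", "wevtutil cl", "Remove-Item -Recurse -Force", "vssadmin delete shadows"]},
}

def field_matches(event, key, expected):
    """Sigma string matching is case-insensitive; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    text = str(event[field]).lower()
    wanted = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    if modifier == "":
        return text in wanted                       # exact match
    if modifier == "contains":
        return any(w in text for w in wanted)
    if modifier == "endswith":
        return any(text.endswith(w) for w in wanted)
    raise ValueError(f"unsupported modifier: {modifier}")

def matches_all_selections(rule, event):
    """'all of selection*': every selection, and every field inside it, must match."""
    return all(field_matches(event, k, v) for sel in rule.values() for k, v in sel.items())

def run(rule, events):
    """Return the indexes of matching events."""
    return [i for i, e in enumerate(events) if matches_all_selections(rule, e)]

# Constructed sample events (not real log data)
IIS_EVENTS = [
    {"cs-uri-query": "/SetupWizard.aspx/../", "sc-status": 200},  # traversal, succeeded
    {"cs-uri-query": "/Host/Login", "sc-status": 200},            # benign
    {"cs-uri-query": "/%2e%2e/foo", "sc-status": 404},            # traversal, blocked
]
PS_EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c vssadmin delete shadows /all /quiet"},
    {"NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c wevtutil cl Security"},               # image not in selection
]

if __name__ == "__main__":
    print("ScreenConnect hits:", run(SCREENCONNECT_RULE, IIS_EVENTS))   # [0]
    print("PowerShell hits:", run(POWERSHELL_RULE, PS_EVENTS))          # [0]
```

Note that the third IIS event carries a traversal string but a 404 status, so `all of selection*` correctly drops it, and the second process event has a matching command line under cmd.exe rather than PowerShell, which the rule as written does not cover.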
```kql
// Hunt for lateral movement and data staging patterns associated with Qilin
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Interpreters and remote-execution tools seen in the playbook
| where FileName in~ ("powershell.exe", "cmd.exe", "wmic.exe", "psexec.exe", "psexec64.exe")
// Remote command execution, drive mapping and bulk copy used for staging
| where ProcessCommandLine has_any ("Invoke-Command", "New-PSDrive", "net use", "copy", "robocopy")
| summarize StartTime=min(Timestamp), EndTime=max(Timestamp), ProcessCount=count()
    by DeviceName, AccountName, FileName, ProcessCommandLine
| where ProcessCount > 5   // repeated identical command lines: bursts, not one-offs
| extend Severity = "High"
```
```powershell
# Rapid Response: Hunt for Qilin Indicators of Compromise
# Checks recently registered scheduled tasks, VSS deletion events and RDP group membership
Write-Host "Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan
# 'Date' comes from the task's RegistrationInfo as a string; cast it before comparing
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddDays(-7) } |
    Select-Object TaskName, TaskPath, Date, Author

Write-Host "`nChecking for recent Volume Shadow Copy (VSS) deletion events..." -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; StartTime=(Get-Date).AddHours(-24); Id=12343} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

Write-Host "`nEnumerating non-system accounts with RDP access..." -ForegroundColor Cyan
# Get-LocalGroupMember returns objects, so there is no need to scrape 'net localgroup' text output
Get-LocalGroupMember -Group "Remote Desktop Users" |
    Where-Object { $_.Name -notmatch '^(NT AUTHORITY|BUILTIN)\\' } |
    Select-Object Name, ObjectClass, PrincipalSource
```
Incident Response Priorities
- T-minus Detection Checklist:
  - Hunt for rclone.exe or winscp.exe execution in Application Logs (data exfiltration).
  - Immediately review VPN and ScreenConnect logs for the past 7 days for anomalous login times or successful authentication from foreign IPs (specifically LY, TH, TW).
  - Look for mass icacls command usage to disable permissions prior to encryption.
- Critical Assets at Risk:
  - Qilin historically prioritizes Blueprints/Intellectual Property (Construction) and Customer PII/Financial Data. File servers holding AutoCAD/DWG files or SQL databases should be isolated first.
- Containment Actions:
  - Immediate: Disable all internet-facing RDP and VPN access temporarily if patch status is unknown.
  - High: Isolate systems identified with ScreenConnect anomalies.
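As an added illustration of the VPN log review step in the checklist above (example code written for this page, not Security Arsenal tooling), this triage flags successful logins from the country codes the checklist names and successful logins outside assumed business hours. The log line layout and the business-hours window are assumptions, and the records are constructed.

```python
# Added example: triage of VPN authentication records per the checklist above.
# Not Security Arsenal's tooling; the log layout is assumed and the records are constructed.
from datetime import datetime

WATCH_COUNTRIES = {"LY", "TH", "TW"}     # country codes named in the checklist
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time, an assumption

# Constructed sample records: timestamp, user, source country, result
SAMPLE_VPN_LOG = """\
2026-06-20T09:12:03 jdoe US success
2026-06-20T23:41:17 jdoe TH success
2026-06-21T03:05:44 svc-backup US success
2026-06-21T10:17:09 asmith TW failure
2026-06-21T11:02:51 asmith DE success
"""

def parse_line(line):
    """Split one whitespace-delimited record into a dict with a parsed timestamp."""
    ts, user, country, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "country": country, "result": result}

def triage(log_text):
    """Return (reason, record) pairs for successful logins that need analyst review."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["result"] != "success":
            continue           # failed auths are noise here; brute-force bursts are a separate hunt
        if rec["country"] in WATCH_COUNTRIES:
            findings.append(("watchlist-country", rec))
        elif rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours", rec))
    return findings

if __name__ == "__main__":
    for reason, rec in triage(SAMPLE_VPN_LOG):
        print(f"{reason:18} {rec['ts']:%Y-%m-%d %H:%M} {rec['user']} from {rec['country']}")
```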
Hardening Recommendations
- Immediate (24h):
  - Patch CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-50751 (Check Point Security Gateway) immediately.
  - Enforce MFA on all remote access solutions, specifically for administrative accounts.
  - Block inbound traffic from non-corporate IP ranges to VPN concentrators.
- Short-term (2 weeks):
  - Implement network segmentation to separate construction/project management servers from the main corporate network.
  - Deploy EDR policies to flag unsigned PowerShell scripts and rclone executions.