Back to Intelligence

QILIN Ransomware: Financial Sector & Critical Infrastructure Under Siege — Detection Rules & IOCs

SA
Security Arsenal Team
June 22, 2026
6 min read

Date: 2026-06-22 Source: Ransomware.live / Direct .onion Observation Analyst: Security Arsenal Intel Unit

Threat Actor Profile — QILIN

AKA: Agenda (historical association) Model: Ransomware-as-a-Service (RaaS) Ransomware Type: Rust-based (highly obfuscated, cross-platform)

Qilin operates a sophisticated RaaS model, aggressively recruiting affiliates with high-profit sharing margins (up to 80-90%). The group is known for customizing encryptors per victim to evade static signature detection. They typically employ a double extortion strategy, exfiltrating sensitive data before encryption and threatening leakage on their dedicated leak site.

Typical TTPs:

  • Initial Access: Exploitation of public-facing vulnerabilities (VPN/Firewalls), compromised credentials via phishing, and exploitation of remote management tools (e.g., ConnectWise ScreenConnect).
  • Dwell Time: Short. Qilin affiliates typically move laterally within 1-3 days of gaining access, aiming to encrypt before defenders can isolate the network.
  • Lateral Movement: Heavy use of Cobalt Strike beacons, RDP for internal traversal, and PsExec/WMI for deployment.

Current Campaign Analysis

Campaign Overview: Qilin has posted 15 new victims between 2026-06-18 and 2026-06-22. The campaign displays a shift towards high-value financial institutions and critical infrastructure, specifically targeting regions with potentially slower patch cycles or legacy VPN infrastructure.

Sector Targeting:

  • High Impact: Financial Services (Central Bank of Libya), Telecommunication (Sivatel Bangkok), Public Sector (Commune d'Eyguires).
  • Volume Targets: Manufacturing, Construction, and Business Services remain the bulk of the victimology, indicating a "spray and pray" approach for smaller ransoms alongside "big game hunting".

Geographic Concentration: While the US remains a primary target (Florida Engineering Services, Pacific Lamp & Supply), Qilin is aggressively expanding into EMEA (Libya, Germany, Ireland, France) and APAC (Thailand, Taiwan, Malaysia).

Initial Access Vectors (Correlated): The recent victimology correlates strongly with the exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-50751 (Check Point Security Gateway). The compromise of the Central Bank of Libya strongly suggests the exploitation of the Check Point IKEv1 vulnerability, given the profile of the target.

Detection Engineering

Sigma Rules

The following rules detect the specific vectors and tooling associated with this Qilin campaign.

YAML
---
title: Potential ConnectWise ScreenConnect Authentication Bypass
cve: 2024-1708
date: 2026/06/22
status: experimental
description: Detects potential authentication bypass or exploitation attempts on ConnectWise ScreenConnect resulting in suspicious process execution.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\\ConnectwiseControl.Client.exe'
        Image|endswith:
            - '\\cmd.exe'
            - '\\powershell.exe'
            - '\\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate administrative use via ScreenConnect
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2024.1708
    - ransomware.qilin
---
title: Check Point Security Gateway IKEv1 Anomaly Indicator
cve: 2026-50751
date: 2026/06/22
status: experimental
description: Detects suspicious network activity or process execution patterns associated with post-exploitation activity following Check Point VPN exploitation.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_src:
        Image|endswith: '\\vpn.exe'
    selection_dst:
        Image|endswith:
            - '\\cmd.exe'
            - '\\powershell.exe'
    filter_legit:
        User|contains: 'SYSTEM' # Contextual filter, adjust to env
    condition: selection_src and selection_dst
falsepositives:
    - Administrative VPN troubleshooting
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.50751
    - ransomware.qilin
---
title: Qilin Ransomware Rust Process Pattern
date: 2026/06/22
status: experimental
description: Detects the execution of Qilin ransomware binaries (Rust-based) characterized by specific command line arguments often used by the group.
references:
    - Internal Research
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '.exe'
        Company|contains:
            - 'None' # Rust binaries often lack metadata
    selection_cli:
        CommandLine|contains:
            - '-p'
            - '--path'
            - '--threads'
    condition: selection_img and selection_cli
falsepositives:
    - Legitimate legacy utilities or development tools
level: critical
tags:
    - attack.impact
    - attack.t1486
    - malware.ransomware.qilin

KQL Hunt Query (Microsoft Sentinel)

Hunt for lateral movement and staging indicators typical of Qilin affiliates (PsExec usage and SMB enumeration).

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and potential ransomware staging
let TimeFrame = ago(7d);
DeviceProcessEvents
| where Timestamp > TimeFrame
| where InitiatingProcessFileName in (\"psexec.exe\", \"psexec64.exe\", \"wmic.exe\") 
   or ProcessCommandLine contains \"New-PSDrive\" 
   or ProcessCommandLine contains \"-ExecutionPolicy Bypass\"
// Filter for high risk command lines often used in staging
| where ProcessCommandLine has \"\\\\\" or ProcessCommandLine has \"-f\"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

Rapid Response Hardening Script (PowerShell)

This script audits the system for signs of Qilin pre-encryption activity: exposed RDP, recent unusual scheduled tasks, and Volume Shadow Copy manipulation.

PowerShell
# Qilin Rapid Response Audit Script
Write-Host \"[*] Starting Qilin Ransomware Pre-Encryption Audit...\" -ForegroundColor Cyan

# 1. Check for exposed RDP (Reg Check)
$fDenyTSConnections = (Get-ItemProperty \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\").fDenyTSConnections
if ($fDenyTSConnections -eq 0) {
    Write-Host \"[!] ALERT: RDP is ENABLED. Consider disabling or restricting via firewall.\" -ForegroundColor Red
} else {
    Write-Host \"[+] PASS: RDP is disabled.\" -ForegroundColor Green
}

# 2. Enumerate Scheduled Tasks created in last 7 days (Persistence)
$tasks = Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)}
if ($tasks) {
    Write-Host \"[!] ALERT: Suspicious Scheduled Tasks created in last 7 days:\" -ForegroundColor Yellow
    $tasks | Select-Object TaskName, Date, Author
} else {
    Write-Host \"[+] PASS: No new scheduled tasks detected in last 7 days.\" -ForegroundColor Green
}

# 3. Check Volume Shadow Copy Status (Staging/Destruction)
try {
    $vss = vssadmin list shadows
    if ($vss -match \"No shadow copies found\") {
        Write-Host \"[!] WARNING: No Volume Shadow Copies found. This may indicate prior deletion.\" -ForegroundColor Red
    } else {
        Write-Host \"[+] INFO: Volume Shadow Copies exist.\" -ForegroundColor Green
    }
} catch {
    Write-Host \"[!] ERROR: Could not query VSS.\" -ForegroundColor Red
}

Write-Host \"[*] Audit Complete.\" -ForegroundColor Cyan


---

Incident Response Priorities

T-minus Detection Checklist:

  1. Check Point Logs: Immediately review VPN logs for IKEv1 connection anomalies or spikes in failed/authenticated sessions correlating to CVE-2026-50751.
  2. ConnectWise ScreenConnect: Audit session logs for logins outside of business hours or from impossible travel locations (CVE-2024-1708).
  3. New Service Accounts: Look for creation of local administrator accounts or accounts added to the "Domain Admins" group within the last 48 hours.

Critical Assets for Exfiltration: Qilin prioritizes:

  • Financial databases (SQL, Oracle) and transaction logs.
  • Executive HR files and PII.
  • CAD/Engineering schematics (Manufacturing victims).

Containment Actions (Urgency Order):

  1. Isolate: Disconnect compromised VPN concentrators or Management Servers from the network immediately if exploitation is suspected.
  2. Disable Accounts: Force reset passwords for service accounts associated with ConnectWise and VPNs; suspend privileged accounts until integrity is verified.
  3. Block Network Segments: Segregate critical manufacturing and financial subnets to prevent lateral spread.

Hardening Recommendations

Immediate (24 Hours):

  • Patch: Apply patches for CVE-2024-1708 (ConnectWise), CVE-2026-50751 (Check Point), and CVE-2026-20131 (Cisco FMC) immediately.
  • Disable IKEv1: If Check Point devices cannot be patched immediately, disable IKEv1 on the Security Gateway as a temporary mitigation.

Short-term (2 Weeks):

  • Network Segmentation: Implement strict Zero Trust controls for remote access tools; ensure ScreenConnect/VPN endpoints are in a DMZ with no direct access to the internal core network.
  • MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) for all VPN and remote management tool access.
darkwebransomware-gangqilinransomwarefinancial-servicescheck-pointconnectwiseransomware-as-a-service

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action