Back to Intelligence

QILIN Ransomware Gang: 15 New Victims Posted — Global Targeting Analysis & Detection Rules

SA
Security Arsenal Team
June 7, 2026
8 min read

Threat Actor Profile — QILIN

Aliases: Agenda, BlackSuit (shared codebase) Model: RaaS operation with sophisticated affiliate network Typical Ransom Demands: $500,000 - $10M depending on victim size Initial Access Methods: Phishing, VPN exploitation, RDP brute force, supply chain compromise Approach: Double extortion - data theft combined with encryption with threats of public disclosure Average Dwell Time: 7-14 days before detonation

QILIN (formerly Agenda) has emerged as a sophisticated ransomware operation using a Rust-based encryptor that targets Windows systems. The group operates as a RaaS model, distributing to affiliates who handle initial access and lateral movement. QILIN is particularly aggressive in their double-extortion tactics, often threatening to release stolen data within 3-5 days if ransom demands aren't met. Their encryption algorithm is designed to maximize disruption while avoiding security controls, and they've been observed using legitimate administrative tools for lateral movement to evade detection.

Current Campaign Analysis

Sector Targeting

Recent activity shows QILIN targeting multiple sectors with a focus on healthcare (20% of recent victims), construction and business services (each 13%), energy (13%), and consumer services (13%). The diversity suggests affiliates are pursuing opportunistic targets rather than highly focused sector-specific campaigns.

Geographic Distribution

  • North America: 47% (US, CA)
  • Europe: 33% (DE, AT, PT, SI)
  • Asia: 7% (KR)
  • South America: 13% (BR, CL)

The concentration in North America and Europe aligns with QILIN's focus on organizations with higher ransom-paying capabilities and regulatory pressure (HIPAA, GDPR).

Victim Profile

Victims appear to range from small businesses with 50-100 employees to mid-size enterprises with 500-1000 employees. Estimated annual revenues likely range from $10M-$200M based on sector analysis.

Posting Frequency

QILIN maintained consistent posting activity of 4-5 victims per day between June 2-5, 2026, indicating steady operational tempo.

CVE Connection

Recent campaigns likely exploiting:

  • CVE-2024-1708 (ConnectWise ScreenConnect): Initial access vector for 6 victims with remote access requirements
  • CVE-2023-21529 (Microsoft Exchange Server): Likely used in healthcare/business services victims
  • CVE-2026-48027 (Nx Console): Recent addition to KEV suggests potential exploitation in new campaigns

Detection Engineering

YAML
---
title: Potential Qilin Ransomware Lateral Movement via PsExec
id: 892a1c45-4d13-4b9b-8a7e-3d5e9f6c2a1b
description: Detects potential lateral movement by Qilin ransomware operators using PsExec with parameters commonly associated with their activity
status: experimental
author: Security Arsenal
references:
    - Internal Research
date: 2026/06/08
tags:
    - attack.lateral_movement
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\psexec.exe'
        CommandLine|contains:
            - '\\'
            - '-accepteula'
            - '-s'
    condition: selection
falsepositives:
    - Legitimate administrative activities
level: high
---
title: Suspicious ScreenConnect Activity (Qilin Initial Access)
id: a4b3c2d1-5e6f-7g8h-9i0j-1k2l3m4n5o6p
description: Detects potential exploitation of ScreenConnect (CVE-2024-1708) as used by Qilin for initial access
status: experimental
author: Security Arsenal
references:
    - CVE-2024-1708
date: 2026/06/08
tags:
    - attack.initial_access
    - attack.remote_service
    - attack.t1021.004
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10
        LogonProcessName: 'ScreenConnect'
        ComputerName|startswith: 'WEB'
    filter:
        SubjectUserName|contains:
            - 'admin'
            - 'service'
    condition: selection and not filter
falsepositives:
    - Legitimate remote administration
level: high
---
title: Ransomware Pre-Encryption Staging Activity
id: f7e8d9c0-1a2b-3c4d-5e6f-7g8h9i0j1k2l
description: Detects common ransomware pre-encryption staging indicators observed in Qilin operations
status: experimental
author: Security Arsenal
references:
    - Internal Research
date: 2026/06/08
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\vssadmin.exe'
            - '\wbadmin.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'delete catalog'
            - 'Remove-Item'
            - 'shadowcopy'
            - 'Format-Volume'
    condition: selection
falsepositives:
    - Legitimate system administration
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for potential Qilin lateral movement indicators
let ProcessEvents = SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID in (4688, 5140, 5145)
| extend ProcessName = tostring(NewProcessName), 
         CommandLine = tostring(CommandLine), 
         SubjectUserName = tostring(SubjectUserName),
         TargetUserName = tostring(TargetUserName),
         SourceIp = tostring(IpAddress);
// Detect suspicious PsExec usage
let PsExecEvents = ProcessEvents
| where ProcessName contains "psexec"
| where CommandLine contains "\\" and CommandLine contains "-accepteula"
| project TimeGenerated, Computer, SubjectUserName, ProcessName, CommandLine;
// Detect unusual SMB access patterns
let SMBAccess = ProcessEvents
| where EventID in (5140, 5145)
| where ShareName !in ("ADMIN$", "IPC$", "C$", "NETLOGON", "SYSVOL")
| where TargetUserName != SubjectUserName
| project TimeGenerated, Computer, SubjectUserName, TargetUserName, ShareName, SourceIp, AccessMask;
// Detect potential data exfiltration indicators
let DataExfil = ProcessEvents
| where ProcessName contains "powershell" 
| where CommandLine contains "Compress-Archive" or CommandLine contains "Invoke-WebRequest" or CommandLine contains "Net.WebClient"
| where CommandLine contains ".zip" or CommandLine contains "http"
| project TimeGenerated, Computer, SubjectUserName, ProcessName, CommandLine;
union PsExecEvents, SMBAccess, DataExfil
| order by TimeGenerated desc

PowerShell Hardening Script

PowerShell
# QILIN Ransomware Rapid Response Script
# Run with elevated privileges

Write-Host "[+] Starting QILIN ransomware hardening checks..." -ForegroundColor Yellow

# 1. Check for exposed RDP
$rdpStatus = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
if ($rdpStatus.fDenyTSConnections -eq 0) {
    Write-Host "[!] WARNING: RDP is enabled. Consider disabling if not required." -ForegroundColor Red
    Write-Host "    To disable RDP, run: Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 1" -ForegroundColor Yellow
} else {
    Write-Host "[+] RDP is disabled." -ForegroundColor Green
}

# 2. Check for recently created suspicious scheduled tasks
$recentTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($recentTasks) {
    Write-Host "[!] Found scheduled tasks created in the last 7 days:" -ForegroundColor Red
    $recentTasks | Format-List TaskName, Date, Author, Actions
} else {
    Write-Host "[+] No suspicious scheduled tasks found from the last 7 days." -ForegroundColor Green
}

# 3. Check for recent Volume Shadow Copy modifications
$shadowCopies = Get-WmiObject -Class Win32_ShadowCopy | Where-Object { $_.InstallDate -gt (Get-Date).AddDays(-7) }
if ($shadowCopies) {
    Write-Host "[!] Found Volume Shadow Copies created/modified in the last 7 days:" -ForegroundColor Yellow
    $shadowCopies | Format-List ID, VolumeName, InstallDate
} else {
    Write-Host "[+] No recent Volume Shadow Copy modifications found." -ForegroundColor Green
}

# 4. Check for PowerShell logging status
$psLogging = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -ErrorAction SilentlyContinue
if (-not $psLogging -or $psLogging.EnableScriptBlockLogging -ne 1) {
    Write-Host "[!] WARNING: PowerShell Script Block Logging is not enabled." -ForegroundColor Red
    Write-Host "    To enable, run: Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1 -Force" -ForegroundColor Yellow
} else {
    Write-Host "[+] PowerShell Script Block Logging is enabled." -ForegroundColor Green
}

# 5. Check for ScreenConnect service
$screenConnect = Get-Service -Name "ScreenConnect*" -ErrorAction SilentlyContinue
if ($screenConnect) {
    Write-Host "[!] WARNING: ScreenConnect service detected. Ensure it's patched against CVE-2024-1708." -ForegroundColor Red
    $screenConnect | Format-List Name, Status, StartType
} else {
    Write-Host "[+] No ScreenConnect services detected." -ForegroundColor Green
}

Write-Host "[+] Hardening check complete." -ForegroundColor Yellow

Incident Response Priorities

T-minus Detection Checklist

  1. Immediate (0-4 hours before encryption):

    • Abnormal RDP connection patterns (off-hours, multiple failed attempts)
    • Unexpected ScreenConnect session creation with admin privileges
    • Unusual PowerShell processes with command arguments containing archive or web operations
    • New scheduled tasks created with privileged accounts
    • Volume Shadow Copy deletion attempts via vssadmin.exe or wbadmin.exe

  2. Data Staging Indicators:

    • Large data transfers to external IPs during off-hours
    • Creation of archives on local systems with unusual names
    • Execution of tools like Rclone, WinSCP, or FileZilla from non-standard paths
    • Registry modifications to disable recovery options and notifications

Critical Assets for Exfiltration Priority

Based on QILIN's historical playbook, they prioritize exfiltration of:

  1. Customer databases and PII
  2. Financial records and accounting systems
  3. Employee information including HR data
  4. Intellectual property and proprietary documentation
  5. Executive email archives
  6. System configuration files revealing infrastructure details

Containment Actions (Ordered by Urgency)

  1. Critical (Immediate):

    • Isolate affected systems from network
    • Revoke credentials for accounts showing suspicious activity
    • Disable all remote access (RDP, VPN) until verified clean
    • Preserve volatile memory and disk images of affected systems

  2. High (Within 2 hours):

    • Disable unused Active Directory accounts
    • Review and limit domain admin privileges
    • Block IP addresses associated with malicious activity
    • Enable additional logging on critical systems

  3. Medium (Within 6 hours):

    • Implement network segmentation
    • Conduct password resets for privileged accounts
    • Review and update firewall rules
    • Implement time-based access controls for administrative accounts

Hardening Recommendations

Immediate (24 hours)

  1. Patch Critical Vulnerabilities:

    • ScreenConnect (CVE-2024-1708) - Update to latest version
    • Microsoft Exchange Server (CVE-2023-21529) - Apply security updates
    • Cisco Secure Firewall Management Center (CVE-2026-20131) - Apply patches

  2. Secure Remote Access:

    • Disable RDP where not required
    • Implement MFA for all VPN connections
    • Review and restrict ScreenConnect access to only authorized administrators
    • Monitor for unusual remote access patterns

  3. Account Security:

    • Reset passwords for privileged accounts
    • Review and limit domain administrator privileges
    • Implement just-in-time access for administrative accounts

Short-term (2 weeks)

  1. Network Architecture:

    • Implement network segmentation to limit lateral movement
    • Establish jump hosts for administrative access
    • Create separate VLANs for critical systems
    • Deploy micro-segmentation for high-value assets

  2. Monitoring and Detection:

    • Implement SIEM correlation rules for ransomware TTPs
    • Deploy EDR across endpoints with specific ransomware detection capabilities
    • Implement behavioral analytics for unusual data access patterns
    • Configure alerts for suspicious administrative activities

  3. Data Protection:

    • Implement immutable backups for critical systems
    • Test backup restoration procedures
    • Deploy data loss prevention (DLP) solutions
    • Create offline backup copies for essential data

  4. Identity and Access Management:

    • Implement privileged access management (PAM)
    • Establish regular access reviews for privileged accounts
    • Deploy conditional access policies for sensitive resources
    • Implement the principle of least privilege across all systems

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinqilin-ransomwarehealthcare-sectorenergy-sectorinitial-access-vectorsdouble-extortion

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action