Threat Actor Profile — QILIN
Known Aliases: Agrius, Agenda
RaaS vs Closed-group Model: RaaS (Ransomware-as-a-Service) operation with affiliate networks; recent shift toward highly targeted operations spanning multiple countries
Typical Ransom Demands: Ranges from $500,000 to $5 million depending on victim size, recently observed demands around $2-3 million for mid-sized enterprises
Known Initial Access Methods:
- Exploiting vulnerabilities in VPN infrastructure (recent Check Point Security Gateway exploitation)
- Phishing campaigns with malicious macros
- RDP brute force attacks against exposed systems
- Supply chain compromise through trusted relationships
- Recent use of CVE-2024-1708 (ConnectWise ScreenConnect) for initial access
Double Extortion Approach: Data exfiltration before encryption, threatens to leak sensitive corporate data on their dark web leak site, known to pressure victims by releasing sample data as proof of compromise
Average Dwell Time: 3-14 days before detonation depending on victim environment size, extended dwell observed in financial sector targets (up to 21 days), rapid progression (1-3 days) in construction/manufacturing targets
Current Campaign Analysis
Sectors Being Targeted: Based on recent victim data:
- Financial Services: 3 victims (Cash Canada, Central Bank of Libya, [potentially another])
- Construction: 4 victims (Schumacher Homes, Florida Engineering Services, PJ Daly Contracting, Homes By J Anthony)
- Manufacturing: 3 victims (Taiwan Sintong Machinery Co., Ltd, Pacific Lamp & Supply, Roth Industries)
- Telecommunication: 1 victim (Sivatel Bangkok)
- Consumer Services: 1 victim (Sparkle Pools)
- Public Sector: 1 victim (Commune d'Eyguires)
- Business Services: 1 victim (ATCOM Outsourcing)
- Not Found/Unspecified: 2 victims (Lee International, Tri-tec)
Geographic Concentration:
- North America: 6 victims (US: 5, CA: 1)
- Europe: 3 victims (DE: 1, IE: 1, FR: 1)
- Asia: 3 victims (KR: 1, TH: 1, TW: 1)
- Middle East/Africa: 1 victim (LY: 1)
- South America: 1 victim (CL: 1)
Victim Profile: Mix of mid-sized to large enterprises with estimated revenue range: $20M-$500M based on sector and company types. Construction victims appear to be mid-sized regional firms, while financial targets include regional banks and financial service providers.
Posting Frequency/Escalation Patterns: Average of 2-3 victims posted daily with steady increase in posting frequency over the past week. Weekend activity continues with no significant pause, and campaign appears to be coordinated across multiple regions simultaneously.
Connection to CVEs:
- Recent exploitation of CVE-2026-50751 (Check Point Security Gateway) likely used for initial access in multiple victims
- CVE-2024-1708 (ConnectWise ScreenConnect) path traversal vulnerability used for remote code execution
- CVE-2023-21529 (Microsoft Exchange Server) deserialization vulnerability likely used for persistence
- CVE-2026-20131 (Cisco Secure Firewall Management Center) may have been used to bypass network defenses
- CVE-2026-48027 (Nx Console) indicates supply chain compromise vector
Detection Engineering
SIGMA Rules
---
title: QILIN Ransomware Initial Access via VPN Vulnerabilities
id: 9a8f4e2d-1c3b-4a5e-8b6d-7c9e0f1a2b3c
description: Detects potential QILIN ransomware initial access through exploitation of VPN vulnerabilities including Check Point Security Gateway and Cisco Firewall Management Center
author: Security Arsenal
date: 2026/06/24
status: stable
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: firewall
detection:
    selection_vpn:              # list form: either value identifies VPN gateway traffic (OR)
        - dst_port: 443
        - protocol: 'IKEv1'
    selection_failure:          # map form: every field must match (AND)
        status: 'failed'
        msg|contains:
            - 'authentication failure'
            - 'invalid user'
    condition: selection_vpn and selection_failure
falsepositives:
    - Legitimate misconfigurations
    - Failed legitimate access attempts
level: high
---
title: QILIN Ransomware Lateral Movement via PsExec
id: 8a7e3d1c-2b4a-59e6-9c7d-8b0f1a2b3c4d
description: Detects potential QILIN ransomware lateral movement using PsExec across network shares
author: Security Arsenal
date: 2026/06/24
status: stable
references:
    - https://attack.mitre.org/techniques/T1021/002/
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5140
        ShareName|contains:
            - 'ADMIN$'
            - 'IPC$'
        SubjectUserName|contains:
            - 'ADMIN'
            - 'SYSTEM'
    filter:
        SubjectLogonId: '0x3e7'     # local SYSTEM logon session
    condition: selection and not filter
falsepositives:
    - Legitimate administrative activities
    - System management tools
level: medium
---
title: QILIN Ransomware Data Staging Prior to Encryption
id: 7c6d2b1a-3958-48f5-7b0c-9a1e2f3d4c5e
description: Detects potential QILIN ransomware data staging patterns observed before encryption including mass file operations and archive creation
author: Security Arsenal
date: 2026/06/24
status: stable
references:
    - https://attack.mitre.org/techniques/T1074/
tags:
    - attack.collection
    - attack.t1074
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 11     # File creation
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        TargetFilename|contains:
            - '\Temp\'
            - '\AppData\Local\'
        TargetFilename|endswith:
            - '.zip'
            - '.rar'
            - '.7z'
    timeframe: 5m
    condition: selection | count(TargetFilename) > 10
falsepositives:
    - Legitimate backup operations
    - User file compression activities
level: high
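The following is an added example and is not part of the Security Arsenal profile or any Sigma tooling: a small evaluator for the selection semantics the second and third rules above depend on (a map ANDs its fields, a list under one field ORs its values, the `contains`/`endswith` modifiers, and a `count(...) > N` condition evaluated inside a timeframe), run over constructed Security 5140 and Sysmon 11 records. Field names follow the rules; the hostnames, user names, paths and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def field_matches(value, expected, modifier):
    """Compare one event field with one expected value using a Sigma modifier
    (case-insensitive, as Sigma string matching is)."""
    if value is None:
        return False
    value, expected = str(value).lower(), str(expected).lower()
    if modifier == "contains":
        return expected in value
    if modifier == "endswith":
        return value.endswith(expected)
    return value == expected


def selection_matches(selection, event):
    """A map selection ANDs its keys; a list of values under one key ORs them."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(field_matches(event.get(field), c, modifier) for c in candidates):
            return False
    return True


# Mirrors the "lateral movement via PsExec" rule: selection AND NOT filter.
LATERAL_SELECTION = {
    "EventID": 5140,
    "ShareName|contains": ["ADMIN$", "IPC$"],
    "SubjectUserName|contains": ["ADMIN", "SYSTEM"],
}
LATERAL_FILTER = {"SubjectLogonId": "0x3e7"}


def lateral_movement_hits(events):
    return [e for e in events
            if selection_matches(LATERAL_SELECTION, e)
            and not selection_matches(LATERAL_FILTER, e)]


# Mirrors the "data staging" rule: selection | count(TargetFilename) > 10 within 5m.
STAGING_SELECTION = {
    "EventID": 11,
    "Image|endswith": ["\\powershell.exe", "\\cmd.exe"],
    "TargetFilename|contains": ["\\Temp\\", "\\AppData\\Local\\"],
    "TargetFilename|endswith": [".zip", ".rar", ".7z"],
}


def staging_hosts(events, threshold=10, timeframe=timedelta(minutes=5)):
    """Hosts on which more than `threshold` distinct archive names were created
    by cmd/powershell inside some sliding window of length `timeframe`."""
    per_host = defaultdict(list)
    for e in events:
        if selection_matches(STAGING_SELECTION, e):
            per_host[e["Computer"]].append((e["UtcTime"], e["TargetFilename"]))
    flagged = set()
    for host, items in per_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            window = {name for ts, name in items[i:] if ts - start <= timeframe}
            if len(window) > threshold:
                flagged.add(host)
                break
    return sorted(flagged)


T0 = datetime(2026, 6, 24, 10, 0, 0)  # constructed timestamp

SAMPLE_EVENTS = [
    # 5140: the local SYSTEM logon (0x3e7) touching ADMIN$ is removed by the filter
    {"EventID": 5140, "Computer": "FS01", "ShareName": "\\\\*\\ADMIN$",
     "SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3e7"},
    # 5140: an administrator's own logon session reaching IPC$ is a hit
    {"EventID": 5140, "Computer": "FS01", "ShareName": "\\\\*\\IPC$",
     "SubjectUserName": "Administrator", "SubjectLogonId": "0x5a1b2"},
    # 5140: ordinary user share access does not match
    {"EventID": 5140, "Computer": "FS01", "ShareName": "\\\\*\\Finance",
     "SubjectUserName": "jdoe", "SubjectLogonId": "0x7c3d4"},
    # Sysmon 11: explorer.exe writing one archive does not match the staging selection
    {"EventID": 11, "Computer": "WS07", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\photos.zip", "UtcTime": T0},
]
# Sysmon 11: twelve archives written by cmd.exe on WS07 within two minutes (more than 10 in 5m)
SAMPLE_EVENTS += [
    {"EventID": 11, "Computer": "WS07", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": f"C:\\Users\\jdoe\\AppData\\Local\\Temp\\part{i:02d}.7z",
     "UtcTime": T0 + timedelta(seconds=10 * i)}
    for i in range(12)
]
# Sysmon 11: four archives on WS12 stay under the threshold
SAMPLE_EVENTS += [
    {"EventID": 11, "Computer": "WS12",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": f"C:\\Windows\\Temp\\export{i}.zip",
     "UtcTime": T0 + timedelta(minutes=i)}
    for i in range(4)
]

if __name__ == "__main__":
    print("lateral movement:", [e["SubjectUserName"] for e in lateral_movement_hits(SAMPLE_EVENTS)])
    print("staging hosts:", staging_hosts(SAMPLE_EVENTS))
```

The sliding window is what `timeframe` means in Sigma: the count must be exceeded within any span of the given length, not within fixed clock buckets, so a burst straddling a five-minute boundary is still caught.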
KQL Hunt Query
// Hunt for QILIN ransomware lateral movement indicators
// Search for unusual SMB access patterns, PsExec execution, and WMI commands
union SecurityEvent, WindowsEvent
| where TimeGenerated > ago(7d)
| where
    // Potential PsExec or WMI lateral movement
    // (5145 ShareName is logged as \\*\ADMIN$, so match on the suffix rather than equality)
    (EventID == 5145 and (ShareName endswith 'ADMIN$' or ShareName endswith 'IPC$') and RelativeTargetName contains 'PSEXESVC') or
    (EventID == 4688 and ProcessName contains 'psexec') or
    (EventID == 4688 and CommandLine contains 'wmic' and CommandLine contains 'node:') or
    // Potential Cobalt Strike beacon activity
    (EventID == 4688 and ProcessName contains 'powershell' and CommandLine contains 'DownloadString') or
    (EventID == 4688 and ProcessName contains 'rundll32' and CommandLine contains 'javascript:')
| summarize count() by Computer, Account, ProcessName, EventID, bin(TimeGenerated, 1h)
| where count_ > 5 // Threshold for suspicious activity
| sort by count_ desc
PowerShell Rapid Response Script
# QILIN Ransomware Rapid Response Assessment Script
# Author: Security Arsenal
# Purpose: Check for indicators of QILIN ransomware activity
Write-Host "=== QILIN Ransomware Assessment Script ===" -ForegroundColor Cyan
Write-Host "Scanning for potential QILIN ransomware indicators..." -ForegroundColor Yellow
Write-Host ""

# Every check below looks back over the same seven-day window
$lookback = (Get-Date).AddDays(-7)

# Check for scheduled tasks registered in the last 7 days.
# ScheduledTask.Date is a string, so convert it before comparing; tasks without a date are skipped.
Write-Host "Checking for recently created scheduled tasks..." -ForegroundColor Yellow
$recentTasks = Get-ScheduledTask | Where-Object {
    $_.Date -and (($_.Date -as [datetime]) -gt $lookback)
}
if ($recentTasks) {
    Write-Host "[$(Get-Date)] Found $(@($recentTasks).Count) recently created scheduled tasks:" -ForegroundColor Red
    $recentTasks | Select-Object TaskName, TaskPath, Date, Author | Format-Table
} else {
    Write-Host "[$(Get-Date)] No suspicious scheduled tasks found." -ForegroundColor Green
}

# Check for Volume Shadow Copies created in the last 7 days.
# Win32_ShadowCopy exposes InstallDate as a DateTime, which is more reliable than parsing vssadmin text output.
Write-Host "`nChecking for modifications to Volume Shadow Copies..." -ForegroundColor Yellow
$recentShadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue | Where-Object {
    $_.InstallDate -and ($_.InstallDate -gt $lookback)
}
if ($recentShadows) {
    Write-Host "[$(Get-Date)] Found recent modifications to Volume Shadow Copies:" -ForegroundColor Red
    $recentShadows | Select-Object ID, VolumeName, InstallDate | Format-Table
} else {
    Write-Host "[$(Get-Date)] No suspicious VSS changes found." -ForegroundColor Green
}

# Check for open RDP connections
Write-Host "`nChecking for active RDP connections..." -ForegroundColor Yellow
$rdpSessions = qwinsta | Select-String "rdp-tcp"
if ($rdpSessions) {
    Write-Host "[$(Get-Date)] Found active RDP sessions:" -ForegroundColor Red
    $rdpSessions | ForEach-Object { Write-Host $_.ToString() }
} else {
    Write-Host "[$(Get-Date)] No active RDP sessions found." -ForegroundColor Green
}

# Check for recently installed services.
# Win32_Service rarely populates InstallDate, so the System log is also queried for service-installation events (ID 7045).
Write-Host "`nChecking for recently installed services..." -ForegroundColor Yellow
$recentServices = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.InstallDate -and ($_.InstallDate -gt $lookback)
}
$serviceEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $lookback } -ErrorAction SilentlyContinue
if ($recentServices -or $serviceEvents) {
    Write-Host "[$(Get-Date)] Found $(@($recentServices).Count + @($serviceEvents).Count) recent service installations:" -ForegroundColor Red
    $recentServices | Select-Object Name, DisplayName, State, InstallDate | Format-Table
    $serviceEvents | Select-Object TimeCreated, Message | Format-Table -Wrap
} else {
    Write-Host "[$(Get-Date)] No suspicious service installations found." -ForegroundColor Green
}

# Check for common QILIN file extensions
Write-Host "`nChecking for files with suspicious extensions..." -ForegroundColor Yellow
$suspiciousExtensions = @('.qilin', '.encrypted', '.locked', '.crypt')
$foundFiles = @()
foreach ($ext in $suspiciousExtensions) {
    $files = Get-ChildItem -Path C:\ -Filter "*$ext" -File -Recurse -ErrorAction SilentlyContinue
    if ($files) {
        $foundFiles += $files
    }
}
if ($foundFiles) {
    Write-Host "[$(Get-Date)] Found $($foundFiles.Count) files with suspicious extensions:" -ForegroundColor Red
    $foundFiles | Select-Object FullName, LastWriteTime | Format-Table
} else {
    Write-Host "[$(Get-Date)] No files with suspicious extensions found." -ForegroundColor Green
}

Write-Host "`n=== Assessment Complete ===" -ForegroundColor Cyan
Write-Host "If any RED indicators were found, initiate your incident response procedures immediately." -ForegroundColor Yellow
Incident Response Priorities
T-minus Detection Checklist (What to look for BEFORE encryption fires):
- Monitor for successful authentication on VPN gateways from unusual geographic locations
- Track unusual SMB file access patterns across multiple systems
- Look for mass file encryption indicators (multiple file type changes in short timeframe)
- Monitor for scheduled task creation with SYSTEM privileges
- Check for unusual service installations, particularly with random names
- Monitor for PowerShell command execution with network-related parameters
- Watch for Volume Shadow Copy deletion events (Event ID 5140)
- Track unusual RDP session creation from non-standard administrative accounts
- Monitor for large data transfers to external storage services
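Two of the checklist items above, the VPN login from an unusual location and the service installation with a random-looking name, implemented as an added example that is not part of the Security Arsenal profile. The VPN check builds a per-user set of countries from prior successful logins and flags a successful login outside that set; the service check scores a name on vowel ratio, longest consonant run and letter/digit mixing. The record layouts, the scoring thresholds and every sample value (users, countries, hostnames, service names, paths) are constructed for the demonstration.

```python
from collections import defaultdict
import re

# Constructed VPN gateway records: (user, source_country, result). The history
# list supplies the baseline; the "today" list is the batch under review.
VPN_HISTORY = [
    ("alice", "US", "success"), ("alice", "US", "success"),
    ("bob", "CA", "success"), ("bob", "CA", "success"),
    ("alice", "GB", "failure"),           # failures never extend the baseline
]
VPN_TODAY = [
    ("alice", "US", "success"),           # known country for alice
    ("bob", "TH", "success"),             # country bob has never logged in from
    ("carol", "US", "success"),           # user with no baseline at all
    ("bob", "LY", "failure"),             # failed attempt, not a login
]


def build_baseline(records):
    """Countries from which each user has previously authenticated successfully."""
    seen = defaultdict(set)
    for user, country, result in records:
        if result == "success":
            seen[user].add(country)
    return seen


def unusual_vpn_logins(baseline, records):
    """Successful logins from a country outside the user's baseline; a user
    with no baseline is reported as well, since nothing vouches for them."""
    return [(user, country) for user, country, result in records
            if result == "success" and country not in baseline.get(user, set())]


CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-xz]+")
VOWELS = set("aeiouy")


def looks_random(name, threshold=2):
    """Heuristic for machine-generated service names. Each signal adds one point:
    vowel ratio under 0.2, a consonant run of four or more, letters mixed with
    digits. The cut-offs are constructed, not a vendor signature."""
    lowered = name.lower()
    letters = [c for c in lowered if c.isalpha()]
    if not letters:
        return False
    score = 0
    if sum(c in VOWELS for c in letters) / len(letters) < 0.2:
        score += 1
    if max((len(run) for run in CONSONANT_RUN.findall(lowered)), default=0) >= 4:
        score += 1
    if any(c.isdigit() for c in lowered):
        score += 1
    return score >= threshold


# Constructed service-installation records (the fields a System log 7045 entry
# carries): (host, service name, image path)
SERVICE_INSTALLS = [
    ("WS07", "WinDefend", "C:\\Program Files\\Windows Defender\\MsMpEng.exe"),
    ("WS07", "Spooler", "C:\\Windows\\System32\\spoolsv.exe"),
    ("FS01", "xkqzvtrw", "C:\\Windows\\Temp\\xkqzvtrw.exe"),
    ("FS01", "qv7x3nkr", "C:\\Users\\Public\\qv7x3nkr.exe"),
]


def suspicious_service_installs(records):
    return [(host, name) for host, name, _ in records if looks_random(name)]


if __name__ == "__main__":
    print("unusual VPN logins:", unusual_vpn_logins(build_baseline(VPN_HISTORY), VPN_TODAY))
    print("random-looking services:", suspicious_service_installs(SERVICE_INSTALLS))
```

The name heuristic is deliberately a score rather than a single rule: legitimate short names such as `Spooler` and `MsSense` each trip at most one signal, while generated names usually trip two. Tune the thresholds against your own service inventory before relying on the result.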
Critical Assets Historically Prioritized for Exfiltration:
- Customer databases and personally identifiable information (PII)
- Financial records and transaction histories
- Executive communications and sensitive corporate documents
- Intellectual property and proprietary design files
- Internal network documentation and credentials
- Mergers and acquisitions documentation
- Human resources data (particularly for larger organizations)
Containment Actions (by urgency):
- IMMEDIATE (0-2 hours):
  - Disconnect compromised systems from the network
  - Isolate affected segments using network segmentation
  - Change credentials for all privileged accounts
  - Suspend VPN access temporarily until systems are verified clean
- URGENT (2-12 hours):
  - Deploy network-based signatures for known QILIN C2 infrastructure
  - Implement temporary MFA requirements for all VPN access
  - Review and lock down firewall rules to limit unnecessary outbound connections
  - Collect forensic images of affected systems
- HIGH PRIORITY (12-48 hours):
  - Conduct comprehensive password reset for all users
  - Review all privileged access rights and revoke unnecessary permissions
  - Implement additional logging on critical systems
  - Deploy detection rules for QILIN TTPs across all security tools
Hardening Recommendations
Immediate (24h):
- Patch CVE-2026-50751 (Check Point Security Gateway) and CVE-2026-20131 (Cisco Firewall Management Center)
- Implement MFA for all VPN access points, especially for administrative users
- Disable unnecessary services on VPN gateway devices
- Restrict RDP access to specific jump hosts with MFA
- Review and restrict inbound/outbound firewall rules to essential business needs
- Enable strict logging for authentication events on VPN gateways
Short-term (2 weeks):
- Implement network segmentation to limit lateral movement
- Deploy deception technology (honeypots) to detect early reconnaissance activities
- Implement continuous monitoring for privilege escalation attempts
- Enhance endpoint detection capabilities with specific QILIN ransomware signatures
- Conduct vulnerability assessment specifically targeting VPN and remote access infrastructure
- Implement least-privilege access models for all administrative accounts
- Review and update incident response playbooks specific to ransomware scenarios
- Conduct security awareness training focused on phishing and social engineering