
QILIN Ransomware Gang: 19 New Victims Posted — Sector Targeting Analysis & Detection Rules

Security Arsenal Team
June 13, 2026

Threat Actor Profile — QILIN

Known Aliases: Agenda (former name before rebranding to Qilin)

Operation Model: Ransomware-as-a-Service (RaaS) with an affiliate network. Qilin maintains its own leak site and provides affiliates with a customizable ransomware payload written in Go and Rust for cross-platform coverage.

Typical Ransom Demands: $200,000 to $4 million USD depending on victim size and revenue, with higher demands for victims with sensitive data subject to regulatory requirements.

Known Initial Access Methods:

  • Phishing campaigns with malicious Office documents containing macros
  • Exploitation of VPN vulnerabilities (particularly Check Point and Cisco appliances)
  • RDP brute-force attacks against externally facing servers
  • Supply chain compromises via managed service providers
  • Compromise of remote administration tools like ScreenConnect

Double Extortion Approach: Qilin follows the modern playbook of exfiltrating sensitive data (particularly financial, legal, and client information) before encryption, with threats to publish data on their leak site if ransom is not paid. They provide samples of stolen data to victims as proof.

Average Dwell Time: 3-7 days between initial access and encryption, though this varies based on network complexity and defender detection capabilities.

Current Campaign Analysis

Sectors Being Targeted

Based on recent leak site postings, Qilin is heavily focusing on:

  • Business Services (37% of victims): 7 out of 19 recent victims, including law firms (Bekman Marder Hopper Malarkey & Perlin, Dulany Leahy Curtis & Brophy, Wright Constable & Skeen, Miller & Zois), strategic consulting (AltaVista Strategic Partners), and IT services (Distinet Murcia SL)
  • Consumer Services (16%): Maui Divers Jewelry, Efficient Home, and Teserra Outdoors
  • Technology (5%): Bitek System
  • Healthcare (5%): dbHMS
  • Manufacturing (5%): JV Equipment
  • Not Found/Undisclosed (21%): Plaxen & Adler, Iliff, and SAMES

Geographic Concentration

  • United States (47%): 9 out of 19 victims
  • Germany (11%): 2 victims
  • Spain (5%): 1 victim
  • Mexico (5%): 1 victim
  • South Korea (5%): 1 victim
  • Moldova (5%): 1 victim

The clear preference for US targets (especially in the Business Services sector) suggests Qilin's affiliates believe this market provides the highest return on investment.

Victim Profile

Analysis of recent victims indicates a focus on:

  • Small to mid-sized enterprises with revenues between $10M-$100M
  • Organizations with limited security resources but valuable data
  • Firms with client information that would cause reputational damage if leaked
  • Companies in regulated industries where data breaches carry legal consequences

Observed Posting Frequency & Escalation Patterns

Unusual pattern detected:

  • Single victim posted on 2026-06-12
  • Two victims posted on 2026-06-11
  • 15 victims posted in a single day on 2026-06-10

This large single-day batch suggests one of the following:

  1. A coordinated campaign targeting multiple victims simultaneously
  2. A backlog of posts being published after a technical issue with the leak site
  3. A shift in Qilin's operations to batch-publish victims

Connections to Actively Exploited CVEs

Qilin's recent campaigns show strong correlation with these vulnerabilities:

  • CVE-2026-50751 (Check Point Security Gateway): This recent addition to CISA KEV (2026-06-08) is likely being used for initial access in some of the latest victims, particularly those with Check Point perimeter defenses.

  • CVE-2026-20131 (Cisco Secure Firewall Management Center): Added to CISA KEV on 2026-03-19, this vulnerability provides a bypass of traditional network security controls and has been associated with Qilin operations for several months.

  • CVE-2024-1708 (ConnectWise ScreenConnect): This authentication bypass vulnerability (CISA KEV added 2026-04-28) is a common lateral movement tool in Qilin's arsenal, allowing remote execution on systems with ScreenConnect installed.

  • CVE-2023-21529 (Microsoft Exchange Server): This Exchange vulnerability (CISA KEV added 2026-04-13) provides email-based initial access and is frequently chained with phishing campaigns.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Qilin Ransomware Initial Access via VPN Exploitation
id: 96c0a3a1-f4c2-4b92-8f7b-8b2b7d3a3d44
description: Detects potential exploitation of VPN vulnerabilities commonly used by Qilin for initial access
author: Security Arsenal
status: stable
date: 2026/06/13
references:
    - https://securityarsenal.com/darkside
tags:
    - attack.initial_access
    - attack.t1190
    - detection.emerging_threats
logsource:
    # Sigma's generic firewall log source (fields src_ip, dst_ip, src_port, dst_port); map it to your vendor's format in the backend configuration
    category: firewall
detection:
    selection:
        # HTTPS and IPsec (IKE / NAT-T) ports exposed by Check Point and Cisco VPN gateways.
        # This matches every external connection to these ports, so scope it to the gateway's external interface when deploying.
        dst_port:
            - 443
            - 500
            - 4500
        protocol:
            - tcp
            - udp
    filter_internal:
        # Exclude traffic originating from RFC 1918 address space
        src_ip|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    filter_known_good:
        # Placeholder values: replace with the accounts approved for remote access in your environment
        user|contains:
            - 'service account'
            - 'legitimate vpn'
    condition: selection and not 1 of filter*
falsepositives:
    - Legitimate remote access from new locations
level: high
---
title: Qilin Ransomware Lateral Movement via PsExec and WMI
id: 7c4e1d6c-2e4b-4a8a-9d3a-1e7f5b4d6c8a
description: Detects lateral movement techniques commonly used by Qilin ransomware operators
author: Security Arsenal
status: stable
date: 2026/06/13
references:
    - https://securityarsenal.com/darkside
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - attack.t1047
logsource:
    product: windows
    service: security
detection:
    selection_psexec:
        # PsExec copies its service binary to ADMIN$ on the target (requires Detailed File Share auditing)
        EventID: 5145
        ShareName|contains: 'ADMIN$'
        RelativeTargetName|contains: 'PSEXESVC'
    selection_wmi_target:
        # On the target host, remotely executed WMI commands are spawned by the WMI provider host
        EventID: 4688
        ParentProcessName|endswith: '\wmiprvse.exe'
    selection_wmi_source:
        # On the source host, PowerShell remote CIM/WMI invocation (requires command-line logging in 4688 events)
        EventID: 4688
        CommandLine|contains:
            - 'Invoke-CimMethod'
            - 'Invoke-WmiMethod'
    condition: 1 of selection*
falsepositives:
    - Legitimate administrative activities
level: high
---
title: Potential Qilin Ransomware Data Staging and Exfiltration
id: 8a5e2d7b-3f5c-4b9a-8e4b-2f8c6a5d7e9f
description: Detects potential data staging and exfiltration activities preceding Qilin ransomware deployment
author: Security Arsenal
status: stable
date: 2026/06/13
references:
    - https://securityarsenal.com/darkside
tags:
    - attack.exfiltration
    - attack.t1041
    - attack.t1020
logsource:
    product: windows
    service: security
detection:
    selection_archiving:
        # Archive files being written (0x2 = WriteData, 0x6 = WriteData + AppendData); requires File System object access auditing
        EventID: 4663
        ObjectName|endswith:
            - '.zip'
            - '.rar'
            - '.7z'
        AccessMask:
            - '0x2'
            - '0x6'
    selection_rclone:
        EventID: 4688
        NewProcessName|endswith: '\rclone.exe'
    selection_large_data_transfer:
        # 5156 (Windows Filtering Platform) fires for every permitted connection, so this selection is noisy on its own
        EventID: 5156
        DestPort:
            - 443
            - 21
            - 22
    # Any single selection fires this rule. A 'timeframe' key has no effect with a plain boolean condition;
    # to require several selections within a 2h window, express it as a Sigma correlation rule or in the SIEM.
    condition: 1 of selection*
falsepositives:
    - Legitimate data backup activities
    - Authorized large file transfers
level: medium
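The data-staging rule lists three selections and intends a 2h window around them. As an added example (not part of the original post), this Python correlator applies those selections per host inside a sliding 2h window and goes one step beyond the rule's `1 of selection*` by alerting only when at least two distinct selections fire together. Field names follow the rule; the event records are constructed samples in a flattened Security-log shape.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), flattened Windows Security log fields.
SAMPLE_EVENTS = [
    {"ts": "2026-06-10T01:05:00", "host": "FS01", "EventID": 4663,
     "ObjectName": r"C:\Users\svc\stage\finance.7z", "AccessMask": "0x2"},
    {"ts": "2026-06-10T01:40:00", "host": "FS01", "EventID": 4688,
     "NewProcessName": r"C:\Tools\rclone.exe"},
    {"ts": "2026-06-10T01:42:00", "host": "FS01", "EventID": 5156, "DestPort": 443},
    # Nightly backup on WS07: archive written, then an unrelated HTTPS connection 6.5h later
    {"ts": "2026-06-10T09:00:00", "host": "WS07", "EventID": 4663,
     "ObjectName": r"C:\Backups\nightly.zip", "AccessMask": "0x2"},
    {"ts": "2026-06-10T15:30:00", "host": "WS07", "EventID": 5156, "DestPort": 443},
]

ARCHIVE_EXT = (".zip", ".rar", ".7z")
WRITE_MASKS = {"0x2", "0x6"}          # WriteData, WriteData+AppendData
EXFIL_PORTS = {443, 21, 22}


def classify(ev):
    """Map one event to the Sigma selection it satisfies, or None."""
    eid = ev.get("EventID")
    if (eid == 4663 and ev.get("ObjectName", "").lower().endswith(ARCHIVE_EXT)
            and ev.get("AccessMask") in WRITE_MASKS):
        return "archiving"
    if eid == 4688 and ev.get("NewProcessName", "").lower().endswith("\\rclone.exe"):
        return "rclone"
    if eid == 5156 and ev.get("DestPort") in EXFIL_PORTS:
        return "large_data_transfer"
    return None

def correlate(events, window=timedelta(hours=2), min_selections=2):
    """Return {host: set_of_selections} for hosts where at least min_selections
    distinct selections fired within `window` of each other (sliding window per host)."""
    per_host = {}
    for ev in events:
        sel = classify(ev)
        if sel:
            per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), sel))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            fired = {sel for ts, sel in hits[i:] if ts - start <= window}
            if len(fired) >= min_selections:
                alerts[host] = fired
                break
    return alerts
```

With the default threshold only FS01 alerts; lowering `min_selections` to 1 reproduces the rule's `1 of selection*` behaviour and also flags the backup host.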

Microsoft Sentinel KQL Hunt Query

KQL — Microsoft Sentinel / Defender
// Qilin Ransomware Pre-Encryption Activity Hunt
// Looks for Qilin pre-encryption activity across process, network and file telemetry
// (Defender for Endpoint advanced hunting tables; available in Sentinel through the Defender XDR connector)
let timeRange = 7d;
let suspiciousProcesses = dynamic(["rclone.exe", "megacmd.exe", "psexec.exe", "procdump.exe", "mimikatz.exe"]);
let commonQilinTools = dynamic(["7z.exe", "winrar.exe", "powershell.exe", "cmd.exe", "wmic.exe"]);
// Hunt for unusual process execution patterns
DeviceProcessEvents
| where Timestamp > ago(timeRange)
| where FileName in~ (suspiciousProcesses)
    or (FileName in~ (commonQilinTools) and ProcessCommandLine has_any ("-enc", "-c", "-w", "hidden", "bypass"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
// Hunt for unusual network connections potentially related to data exfiltration
// (DeviceNetworkEvents has no AccountName column, so the initiating process account is projected under that name)
| union (DeviceNetworkEvents
    | where Timestamp > ago(timeRange)
    | where RemotePort in (443, 21, 22, 8443, 9443)
    | where InitiatingProcessFileName in~ (suspiciousProcesses)
        or (InitiatingProcessFileName in~ (commonQilinTools) and InitiatingProcessCommandLine has_any ("upload", "sync", "copy"))
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine)
// Hunt for file access patterns consistent with data staging
| union (DeviceFileEvents
    | where Timestamp > ago(timeRange)
    | where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z" or FileName endswith ".iso"
    | where InitiatingProcessFileName in~ (commonQilinTools)
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, FileName, ActionType, InitiatingProcessFileName)
// More than 5 matching events on one device within an hour is the review threshold for this hunt
| summarize EventCount = count() by DeviceName, bin(Timestamp, 1h)
| where EventCount > 5
| sort by EventCount desc

PowerShell Rapid Response Script

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Response Check
.DESCRIPTION
    Helps identify potential indicators of Qilin ransomware activity on a single host.
.NOTES
    Usage: Run as Administrator on potentially compromised systems.
    The RDP check needs Logon auditing enabled so that 4624 events exist in the Security log.
#>

# Check for recently registered scheduled tasks (common persistence mechanism).
# MSFT_ScheduledTask exposes Date as a string (often empty), so convert it before comparing against a DateTime.
Write-Host "Checking for suspicious scheduled tasks created in the last 7 days..." -ForegroundColor Yellow
$TaskCutoff = (Get-Date).AddDays(-7)
$RecentTasks = Get-ScheduledTask | Where-Object {
    $Registered = $_.Date -as [datetime]
    $Registered -and $Registered -gt $TaskCutoff
}
if ($RecentTasks) {
    Write-Host "Found $(@($RecentTasks).Count) tasks created in the last 7 days:" -ForegroundColor Red
    $RecentTasks | ForEach-Object {
        Write-Host "Task: $($_.TaskPath)$($_.TaskName), Author: $($_.Author), Created: $($_.Date)" -ForegroundColor Red
    }
} else {
    Write-Host "No suspicious recent scheduled tasks found." -ForegroundColor Green
}

# Check for running processes from the Qilin toolset.
# Get-Process reports ProcessName without the .exe extension, so the list uses base names.
Write-Host "Checking for suspicious processes..." -ForegroundColor Yellow
$SuspiciousProcesses = @("rclone", "megacmd", "psexec", "procdump", "mimikatz", "7z", "winrar")
$FoundProcesses = Get-Process | Where-Object { $SuspiciousProcesses -contains $_.ProcessName }
if ($FoundProcesses) {
    Write-Host "Found $(@($FoundProcesses).Count) suspicious processes:" -ForegroundColor Red
    $FoundProcesses | ForEach-Object {
        Write-Host "Process: $($_.ProcessName), ID: $($_.Id), Path: $($_.Path)" -ForegroundColor Red
    }
} else {
    Write-Host "No suspicious processes found." -ForegroundColor Green
}

# Check Volume Shadow Copies. Get-CimInstance returns InstallDate as a DateTime
# (Get-WmiObject returns a DMTF timestamp string that cannot be compared to a date).
# Ransomware commonly deletes shadow copies before encryption, so an empty list is itself worth noting.
Write-Host "Checking for recent Volume Shadow Copy modifications..." -ForegroundColor Yellow
try {
    $AllShadowCopies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)
    $ShadowCopies = $AllShadowCopies | Where-Object { $_.InstallDate -gt (Get-Date).AddDays(-1) }
    if ($AllShadowCopies.Count -eq 0) {
        Write-Host "No shadow copies exist on this host." -ForegroundColor Yellow
    } elseif ($ShadowCopies) {
        Write-Host "Found $(@($ShadowCopies).Count) shadow copies created in the last 24 hours:" -ForegroundColor Red
        $ShadowCopies | ForEach-Object {
            Write-Host "Volume: $($_.VolumeName), Created: $($_.InstallDate)" -ForegroundColor Red
        }
    } else {
        Write-Host "No recent shadow copy modifications found." -ForegroundColor Green
    }
} catch {
    Write-Host "Could not check shadow copies: $_" -ForegroundColor Yellow
}

# Check for recent RDP logons (Logon Type 10). Fields are read from the event's Properties using the
# 4624 schema positions: [5] TargetUserName, [6] TargetDomainName, [8] LogonType, [18] IpAddress.
# (Matching "Account Name:" in the message text returns the Subject account first, not the logged-on user.)
Write-Host "Checking for recent RDP connections..." -ForegroundColor Yellow
$RecentRDP = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 }
if ($RecentRDP) {
    Write-Host "Found $(@($RecentRDP).Count) RDP logons in the last 24 hours:" -ForegroundColor Yellow
    $RecentRDP | ForEach-Object {
        $User = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
        $IP   = $_.Properties[18].Value
        Write-Host "Time: $($_.TimeCreated), User: $User, Source IP: $IP" -ForegroundColor Yellow
    }
} else {
    Write-Host "No recent RDP connections found." -ForegroundColor Green
}

Write-Host "Qilin ransomware response check completed." -ForegroundColor Cyan

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption Indicators)

  1. Monitor for VPN anomalies: Unusual login patterns from new geographic locations, especially targeting Check Point or Cisco VPNs
  2. Watch for ScreenConnect abuse: Unusual usage patterns or administrative logins from atypical times
  3. Detect data staging: Sudden increases in archive file creation or data movement to non-standard locations
  4. Track lateral movement: Unusual use of PsExec, WMI, or other remote administration tools
  5. Monitor for process anomalies: Unusual combinations of legitimate administrative tools being used together

Critical Assets This Gang Historically Prioritizes for Exfiltration

  1. Financial records: Accounting data, tax information, payroll records
  2. Legal documents: Contracts, case files, client information
  3. Customer PII: Personally identifiable information that could be used for identity theft
  4. Intellectual property: Proprietary business processes, designs, or trade secrets
  5. Executive communications: Email archives from C-suite executives

Containment Actions Ordered by Urgency

  1. IMMEDIATE (0-2 hours):
    • Isolate systems with detected indicators of compromise
    • Disable all unnecessary VPN and remote access accounts
    • ScreenConnect: Force password rotation and enable MFA for all accounts
    • Change administrative credentials for domain controllers
  2. URGENT (2-24 hours):
    • Implement network segmentation to limit lateral movement
    • Review and restrict firewall rules for VPN access
    • Disable or strictly limit RDP access from the internet
    • Collect and preserve forensic evidence from affected systems
  3. HIGH (24-72 hours):
    • Conduct password resets for all potentially compromised accounts
    • Review audit logs for all privileged account usage
    • Scan all systems for signs of persistence mechanisms
    • Begin restoration of critical systems from known-good backups

Hardening Recommendations

Immediate (24 Hours)

  1. Patch Critical VPN Vulnerabilities: Immediately apply patches for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco Secure Firewall)
  2. ScreenConnect Hardening:
    • Update to the latest patched version
    • Enable multi-factor authentication for all users
    • Restrict access to only necessary IPs
  3. RDP Exposure Reduction:
    • Disable internet-facing RDP where possible
    • Implement account lockout policies
    • Enforce strong password policies
  4. Email Filtering:
    • Implement strict attachment filtering
    • Block macros from the internet
    • Enable DMARC, SPF, and DKIM

Short-term (2 Weeks)

  1. Zero Trust Architecture Implementation:
    • Implement principle of least privilege
    • Deploy just-in-time access for administrative functions
    • Require continuous authentication for privileged sessions
  2. Endpoint Detection & Response (EDR) Enhancement:
    • Deploy behavioral analytics for early detection
    • Implement automated containment capabilities
    • Configure alerts for lateral movement indicators
  3. Backup Security:
    • Implement immutable backup solutions
    • Test backup restoration procedures
    • Ensure backups are isolated from production networks
  4. Security Monitoring Enhancement:
    • Deploy SIEM correlation rules for Qilin TTPs
    • Implement honeytokens in sensitive data locations
    • Conduct regular threat hunting exercises
