QILIN Ransomware Gang: Surge in Attacks on US Business Services & Critical Infrastructure Vulnerabilities

Threat Actor Profile — QILIN

Aliases & Affiliation: Qilin (formerly known as Agenda). The group operates as a sophisticated Ransomware-as-a-Service (RaaS) entity, recruiting affiliates with varying levels of technical expertise to conduct initial access and deployment.

Operational Model: Qilin follows a strict double-extortion playbook. They encrypt victim environments using a custom GoLang-based encryptor and simultaneously exfiltrate sensitive data to their .onion leak sites to pressure victims into paying. Ransom demands vary significantly based on victim revenue, typically ranging from $300,000 to several million USD.

Initial Access Vectors: Qilin affiliates are aggressive opportunists. They primarily leverage:

• External Remote Services: Exploitation of VPNs (Check Point, Cisco) and Remote Management tools (ConnectWise ScreenConnect, Nx Console).
• Phishing: Targeted spear-phishing campaigns delivering malicious macros or initial access loaders.
• Valid Credentials: Brute-forcing RDP and VPN endpoints using credentials obtained from initial access brokers (IABs).

Dwell Time: Recent intelligence indicates a decreased dwell time, averaging 3–5 days from initial compromise to encryption. Qilin actors move laterally rapidly using Cobalt Strike beacons and custom PowerShell scripts to deploy the payload.

Current Campaign Analysis

Sector Targeting: The latest data from Qilin's leak site reveals a distinct pivot towards the Business Services sector. Of the 15 recent victims analyzed, over 60% fall into this category, specifically targeting law firms (e.g., Miller & Zois, Bekman Marder Hopper Malarkey & Perlin) and consultancy agencies. Secondary targets include Consumer Services (e.g., Maui Divers Jewelry, Efficient Home) and Technology firms.

Geographic Concentration: The campaign is overwhelmingly focused on the United States. 10 of the 15 recently posted victims are US-based organizations. Significant activity is also detected in Germany (DE) and Spain (ES), with single outliers in Mexico, South Korea, and Australia.

Victim Profile: The victims appear to be Small to Mid-sized Businesses (SMBs) to upper-mid-market enterprises. Revenue estimates likely range from $10M to $500M. These organizations often possess valuable intellectual property (legal firms) or sensitive customer PII (consumer services) but may lack the mature 24/7 SOC capabilities of larger enterprises, making them ideal targets for Qilin's "smash-and-grab" tactics.

Observed Posting Frequency: Qilin is maintaining a high tempo of operations. The data shows a cluster of postings on 2026-06-10 (11 victims) followed by consistent additions through 2026-06-12. This burst pattern suggests a coordinated effort by multiple affiliates or the automation of their leak site posting pipeline.

CVE Connection: This campaign correlates directly with the active exploitation of critical edge vulnerabilities:

• CVE-2026-50751 (Check Point Security Gateway): With US-based legal firms relying heavily on VPNs, this improper authentication vulnerability is a likely primary vector for the US victim surge.
• CVE-2024-1708 (ConnectWise ScreenConnect): The targeting of Business Services often correlates with the compromise of Managed Service Providers (MSPs) or internal IT management via ScreenConnect path traversal.
• CVE-2026-20131 (Cisco Secure Firewall FMC): Exploitation of firewall management consoles provides Qilin with a beachhead to disable security controls before detonation.

Detection Engineering

SIGMA Rules

---
title: Potential Qilin Ransomware Activity via ScreenConnect Exploit
id: 8a7f6c5d-4b3e-2a1f-9c8d-7e6f5a4b3c2d
description: Detects suspicious process execution patterns associated with CVE-2024-1708 exploitation where ScreenConnect client spawns cmd or powershell.
status: experimental
date: 2026/06/12
author: Security Arsenal Intel
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2024.1708
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ScreenConnect.ClientService.exe'
        NewImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate administrator troubleshooting via ScreenConnect
level: high
---
title: Qilin Lateral Movement via PsExec and WMI
id: 9b0g7d6e-5c4f-3b2g-0d9e-8f7g6b5c4d3e
description: Detects the use of PsExec or WMI for lateral movement, a common TTP for Qilin affiliates to spread ransomware payloads.
status: experimental
date: 2026/06/12
author: Security Arsenal Intel
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_psexec:
        Image|endswith: '\psexec.exe'
        CommandLine|contains: '-accepteula'
    selection_wmi:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: 'process call create'
    condition: 1 of selection*
falsepositives:
    - System administration activities
level: high
---
title: Ransomware Preparation - Shadow Copy Deletion
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects commands used to delete Volume Shadow Copies, a precursor to encryption used by Qilin to prevent recovery.
status: experimental
date: 2026/06/12
author: Security Arsenal Intel
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_vssadmin:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: 'shadowcopy delete'
    condition: 1 of selection*
falsepositives:
    - Rare system maintenance (usually low volume)
level: critical

KQL (Microsoft Sentinel)

// Hunt for lateral movement and data staging patterns associated with Qilin
// Looks for mass file copying or archive creation on admin shares
DeviceProcessEvents  
| where Timestamp > ago(7d)  
| where FileName in~ ('cmd.exe', 'powershell.exe', 'robocopy.exe', 'rclone.exe', '7z.exe', 'winrar.exe')  
| where ProcessCommandLine has_any ('\\\\*\\', '\\192.168', '\\10.0', 'copy', 'compress', 'archive')  
| summarize count(), arg_min(Timestamp, *) by DeviceName, AccountName, FileName, ProcessCommandLine  
| where count_ > 5  // High frequency indicates automation/staging  
| project DeviceName, AccountName, FileName, ProcessCommandLine, Timestamp

PowerShell Rapid Response

<#
.SYNOPSIS
    Qilin Ransomware T-Minus Checklist
.DESCRIPTION
    Checks for signs of ransomware precursor activity: recent scheduled tasks,
    unusual user accounts, and Shadow Copy manipulation.
#>

Write-Host "[!] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) } | Select-Object TaskName, TaskPath, Date, Author

Write-Host "[!] Checking local users for suspicious additions..." -ForegroundColor Yellow
Get-LocalUser | Where-Object { $_.LastLogon -gt (Get-Date).AddDays(-3) -or $_.PasswordLastSet -gt (Get-Date).AddDays(-3) } | Select-Object Name, Enabled, LastLogon, PasswordLastSet

Write-Host "[!] Checking Volume Shadow Copy Storage status..." -ForegroundColor Yellow
vssadmin list shadows

Write-Host "[!] Checking for recent PowerShell script block logging (encoded commands)..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} -MaxEvents 50 | Where-Object { $_.Message -match 'EncodedCommand' } | Select-Object TimeCreated, Message

Incident Response Priorities

T-minus Detection Checklist:

1. VPN Gateway Logs: Immediate audit of Check Point (CVE-2026-50751) and Cisco FMC (CVE-2026-20131) logs for authentication anomalies or mass login failures.
2. Remote Management Tools: Hunt for ScreenConnect (CVE-2024-1708) and Nx Console logs showing unauthorized access or process spawning.
3. PowerShell Logs: Review Event ID 4104 for encoded commands, a hallmark of Qilin's Cobalt Strike and loader execution.

Critical Assets for Exfiltration: Qilin prioritizes data that maximizes blackmail leverage:

• Legal Dockets & Client Files: (Primary target for Business Services victims).
• HR & Payroll Data: containing PII and banking details.
• Financial Records: Audit reports and tax documents.
• Source Code & IP: For the Technology sector victims.

Containment Actions (Ordered by Urgency):

1. Isolate: Disconnect compromised VPN concentrators and jump servers from the network immediately.
2. Disable Accounts: Suspend service accounts associated with ScreenConnect and local administrator accounts on endpoint devices.
3. Block C2: Block known IP addresses and domains associated with Qilin/Cobalt Strike beacons at the firewall perimeter.
4. Preserve: Snapshot memory of active domain controllers and critical file servers before rebooting to capture encryption keys or malware artifacts.

Hardening Recommendations

Immediate (24h):

• Patch CVE-2026-50751: Apply the Check Point Security Gateway hotfix immediately. This is the top driver for the current US-based intrusion wave.
• Patch CVE-2024-1708: Update ConnectWise ScreenConnect instances to the latest patched version.
• MFA Enforcement: Ensure phishing-resistant MFA (FIDO2) is enforced on all VPN and remote access entry points.

Short-term (2 weeks):

• Network Segmentation: Restrict lateral movement by enforcing strict micro-segmentation between IT management servers and user endpoints.
• EDR Rollout: Ensure endpoint detection and response (EDR) coverage is 100% on all internet-facing servers and high-value workstations.
• Audit Privileged Access: Review and revoke unnecessary administrative rights for service accounts used by remote management tools.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub