Back to Intelligence

QILIN Ransomware: Global Agri-Tech & Logistics Surge — Critical Exploits Active

SA
Security Arsenal Team
June 29, 2026
6 min read

Threat Actor Profile — QILIN

Aliases & Structure: Qilin (formerly known as Agenda or Agendacrypt) operates as a Ransomware-as-a-Service (RaaS) model. They are known for a highly aggressive affiliate network that targets corporate networks rather than small businesses.

Tactics & Demands: Typical ransom demands range from $400,000 to several million dollars, heavily weighted toward the victim's annual revenue. Qilin utilizes a double-extortion model, exfiltrating sensitive data (PFI, financials, client databases) before encrypting systems using a Golang-based encryptor. Their average dwell time is approximately 3 to 5 days, meaning they move fast—often establishing persistence and exfiltrating data within 48 hours of initial access.

Current Campaign Analysis

Sector Targeting: The latest leak site data (2026-06-22 to 2026-06-29) indicates a distinct pivot toward critical infrastructure adjacent sectors:

  • Agriculture & Food Production: 2 victims (Lam Soon, NASCO).
  • Telecommunication: 1 victim (Gsma) — a high-value target indicating potential supply chain exploitation.
  • Transportation/Logistics: 1 victim (Transcore).
  • Technology: 1 victim (Axionlog).

Geographic Concentration: The campaign is globally dispersed with a heavy emphasis on the US (4 victims), followed by the UK (2) and Southeast Asia/Asia (TH, KR). However, the inclusion of victims in CZ and CA suggests a "spray and pray" approach regarding geography, focusing instead on exposed services rather than regional borders.

Victim Profile: The victims listed (e.g., Transcore, NASCO, Gsma) are large mid-to-enterprise level organizations. This correlates with Qilin's preference for high-revenue targets capable of paying significant ransoms.

Observed Posting Frequency: Qilin posted 11 victims in 7 days, averaging over 1.5 victims per day. This high cadence suggests the automated exploitation of specific vulnerabilities or a highly efficient affiliate operation.

CVE Connection: Based on the CISA KEV list provided and the victim profile:

  • CVE-2024-1708 (ConnectWise ScreenConnect): Historically a favorite for Qilin affiliates. The attack on technology and business services (ISOPLUS) likely stems from unpatched remote management tools.
  • CVE-2026-50751 (Check Point Security Gateway): Added to KEV on 2026-06-08. Given the network-heavy targets (Gsma, Transcore), exploitation of perimeter security appliances to bypass firewall controls is highly probable.
  • CVE-2023-21529 (Exchange Server): A likely vector for the telecommunication and financial sectors where email servers are often internet-facing.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Qilin Ransomware Initial Access via ScreenConnect
id: 4a8c7b12-1d9f-4f5e-9c8a-1b2c3d4e5f6a
description: Detects potential exploitation of CVE-2024-1708 involving ScreenConnect path traversal often used by Qilin affiliates.
status: experimental
date: 2026/06/29
author: Security Arsenal
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\ScreenConnect.ClientService.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - '/c'
      - 'wget'
      - 'curl'
  condition: selection
falsepositives:
  - Legitimate administrator troubleshooting
level: critical
---
title: Check Point VPN Gateway Anomalous IKEv1 Handshakes
id: 5b9d8c23-2e0a-5g6f-0d9b-2c3d4e5f6a7b
description: Detects signs of CVE-2026-50751 exploitation via suspicious IKEv1 packets or gateway logs indicating authentication bypass attempts.
status: experimental
date: 2026/06/29
author: Security Arsenal
logsource:
  product: firewall
definition: 'Requirements: Check Point Security Gateway Logs'
detection:
  selection_src:
    vendor: 'Check Point'
    product: 'VPN'
    action: 'key_exchange'
    protocol: 'ikev1'
  selection_suspicious:
    status|contains:
      - 'failure'
      - 'accept' # Indicates acceptance even if auth should fail
  condition: all of selection_*
falsepositives:
  - Legacy VPN configuration misconfigurations
level: high
---
title: High Volume Data Staging via Rclone or WinSCP
id: 6c0e9d34-3f1b-6h7g-1e0c-3d4e5f6a7b8c
description: Detects potential data exfiltration staging common in Qilin operations using file transfer tools.
status: experimental
date: 2026/06/29
author: Security Arsenal
logsource:
  product: windows
  category: process_creation
detection:
  selection_tools:
    Image|endswith:
      - '\rclone.exe'
      - '\winscp.exe'
      - '\filezilla.exe'
  selection_args:
    CommandLine|contains:
      - 'sync'
      - 'copy'
      - 'sftp://'
      - 'ftp://'
  condition: all of selection_*
falsepositives:
  - Legitimate backup operations
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin Affiliate Lateral Movement and Staging
let TimeFrame = 1d;
SecurityEvent
| where TimeGenerated > ago(TimeFrame)
| where EventID in (4624, 4625, 5140, 5145)
// Look for unusual remote logons or network share access immediately following admin logon
| project TimeGenerated, Computer, Account, TargetAccountName = TargetUserName, LogonType, EventID, ShareName, IpAddress
| order by TimeGenerated asc
| serialize PrevEvent = prev(TimeGenerated), PrevType = prev(EventID)
| extend TimeDiff = datetime_diff('Second', TimeGenerated, PrevEvent)
// Filter for rapid sequences typical of automation: Admin Logon -> Share Access within 60 seconds
| where EventID == 5140 and TimeDiff <= 60 and PrevType == 4624
| distinct Computer, IpAddress, Account, ShareName

PowerShell Response Script

PowerShell
# Qilin Rapid Response: Check for Shadow Copy Manipulation and Suspicious Tasks
$Date = (Get-Date).AddDays(-1)

Write-Host "Checking for recent VSS deletions (Ransomware precursor)..." -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; StartTime=$Date} -ErrorAction SilentlyContinue |
Where-Object {$_.Message -match 'delete' -or $_.Message -match 'shadow copy'} |
Select-Object TimeCreated, Message

Write-Host "\nChecking for scheduled tasks created in the last 24 hours..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {$_.Date -ge $Date} | 
Select-Object TaskName, TaskPath, Date, Author

Write-Host "\nChecking for unexpected RDP connections (non-admin)..." -ForegroundColor Cyan
$RecentRDP = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=$Date} -ErrorAction SilentlyContinue |
Where-Object {$_.Message -match 'Logon Type:\s*10'} | 
Select-Object TimeCreated, Message
if ($RecentRDP) { $RecentRDP } else { Write-Host "No recent RDP logons found." }

Incident Response Priorities

T-minus Detection Checklist:

  1. Hunt for ScreenConnect: Immediately audit ConnectWise ScreenConnect logs for path traversal attempts (specifically looking for ..%2f or similar URI encoding) between June 22-29.
  2. Check Point Logs: Review VPN gateway logs for successful IKEv1 connections from unknown IPs or excessive failures followed by success (potential auth bypass).
  3. Identity Audit: Look for accounts created or modified in the last 48 hours, specifically in Domain Admins groups.

Critical Assets for Exfiltration: Qilin aggressively targets:

  • SQL Databases (often enumerated via sqlcmd or PowerSQL).
  • HR and Payroll files (PDFs, XLSX).
  • Intellectual Property (CAD files, source code).

Containment Actions (Urgency Order):

  1. Disconnect Internet-Facing RMM: If ScreenConnect is exposed to the internet without MFA, sever the connection immediately.
  2. Reset VPN Credentials: Assume credentials are compromised if using Check Point gateways affected by CVE-2026-50751.
  3. Isolate Domain Controllers: Prevent lateral movement using the "LAPS not deployed" vector.

Hardening Recommendations

Immediate (24h):

  • Patch CVE-2024-1708: Apply the ScreenConnect patch immediately or enforce MFA on all access.
  • Patch CVE-2026-50751: Update Check Point Security Gateways to the latest firmware that fixes the IKEv1 improper authentication.
  • Block Port 8041: ScreenConnect default port should not be exposed to the public internet.

Short-term (2 weeks):

  • Implement Geo-Blocking: Restrict VPN and RDP access to specific countries where the organization operates, given Qilin's global targeting.
  • Network Segmentation: Ensure OT (Agriculture/Logistics) networks are strictly separated from IT environments to prevent cross-domain encryption.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarecve-2024-1708cve-2026-50751telecommunicationagriculture

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action