Back to Intelligence

QILIN Ransomware: Global Surge Targets Healthcare, Agriculture, and Tech — CVE-2026-50751 Exploitation Confirmed

SA
Security Arsenal Team
July 16, 2026
6 min read

Aliases: Agenda, BlackSuit (noted overlaps) Model: RaaS (Ransomware-as-a-Service) with aggressive affiliate recruiting. Typical Ransom Demands: High variability, generally ranging from $500,000 to $5 million USD, heavily influenced by the victim's revenue and urgency of data restoration. Initial Access Methods: Qilin affiliates heavily favor exploiting vulnerabilities in internet-facing perimeter appliances (VPN/Firewalls) and remote management tools (RMM). Phishing is observed but secondary to direct exploitation. Double Extortion Approach: Strict adherence to double extortion. Data is exfiltrated using tools like Rclone or Mega.nz prior to encryption execution. They maintain a dedicated leak site to pressure non-paying victims. Average Dwell Time: Short and aggressive. Historically, Qilin operators move from initial access to encryption in 3-5 days to minimize detection opportunities.

Current Campaign Analysis

Sectors Targeted: The current campaign shows a distinct diversification of targets compared to previous months. The primary sectors hit include:

  • Agriculture and Food Production: International Delights (US), Cemoi (FR)
  • Healthcare: Hillebrand Home Health (US)
  • Technology: TitanTV, Inc. (US)
  • Transportation/Logistics: Busscar de Colombia (CO)
  • Hospitality: URH Hoteliers (ES)

Geographic Concentration: While globally dispersed, there is a heavy concentration in the United States (5 victims) followed by Europe (Spain, Finland, Portugal, France) and Latin America (Mexico, Colombia).

Victim Profile: The victim list indicates a focus on mid-market enterprises. Targeted organizations likely range in revenue from $20M to $300M USD. The inclusion of specific regional entities (e.g., Centro Científico e Cultural de Macau) suggests affiliates are leveraging automated vulnerability scanners rather than manual, highly selective targeting.

Observed Posting Frequency / Escalation: Qilin displayed a "burst" posting pattern, with 8 victims published on 2026-07-13 and 3 on 2026-07-15. This clustering usually indicates the successful deployment of a new exploit kit or automated attack script against a widespread vulnerability.

Connection to CVEs:

  • CVE-2026-50751 (Check Point Security Gateway): Given the high number of corporate and tech-heavy victims, this vulnerability (added to CISA KEV in June) is the likely primary vector for initial access in this campaign.
  • CVE-2024-1708 (ConnectWise ScreenConnect): Frequently used by Qilin to gain access to managed service providers (MSPs) or IT-managed environments within the Business Services and Technology sectors.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Check Point Security Gateway Exploitation CVE-2026-50751
id: 6a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
status: experimental
description: Detects potential exploitation attempts of CVE-2026-50751 involving IKEv1 anomalies or specific payload drops associated with Qilin initial access.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/07/17
tags:
    - attack.initial_access
    - cve.2026.50751
    - qilin
logsource:
    product: firewall
    category: network
detection:
    selection:
        dst_port: 500
        protocol: udp
        IKEv1:
            - payload_size: '>1000' # Suspicious large payload for IKE
            - vendor_id: '*Gnu*'
    condition: selection
falsepositives:
    - Legitimate misconfigured VPN peers
level: high
---
title: Suspicious ConnectWise ScreenConnect Path Traversal Activity
id: 9d0e1f2a-3b4c-5d6e-7f8a-9b0c1d2e3f4a
status: experimental
description: Detects path traversal patterns associated with CVE-2024-1708 exploitation on ScreenConnect servers, a common Qilin entry point.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/07/17
tags:
    - attack.initial_access
    - cve.2024.1708
    - qilin
logsource:
    product: webserver
    service: access
detection:
    selection:
        c-uri|contains:
            - '..%2f'
            - '..\\'
            - 'bin\\Debug'
    condition: selection
falsepositives:
    - Scanning activity
level: critical
---
title: Qilin Ransomware Lateral Movement via PsExec
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Identifies the use of PsExec for lateral movement, frequently used by Qilin operators to deploy ransomware binaries across the network.
references:
    - internal research
author: Security Arsenal Research
date: 2026/07/17
tags:
    - attack.lateral_movement
    - qilin
    - psexec
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|contains: 'IPC$'
        RelativeTargetName|contains: 'PSEXESVC'
    condition: selection
falsepositives:
    - System administration activity
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Qilin-associated lateral movement and data staging
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe")
| where ProcessCommandLine has "-accepteula" or ProcessCommandLine has "process call create" or ProcessCommandLine has "Invoke-WebRequest"
| join kind=inner (DeviceNetworkEvents | where RemotePort in (443, 80, 445) | where InitiatingProcessFileName in~ ("rclone.exe", "powershell.exe")) on DeviceId
| summarize count() by DeviceName, FileName, InitiatingProcessFileName, bin(Timestamp, 5m)
| sort by count_ desc

PowerShell (Rapid Response)

PowerShell
<#
.SYNOPSIS
    Qilin Ransomware Response Script
.DESCRIPTION
    Checks for recent scheduled task creation (staging) and VSS manipulation often seen in Qilin attacks.
#>
Write-Host "Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) } | Select-Object TaskName, Date, Author, TaskPath | Format-Table -AutoSize

Write-Host "Checking for Volume Shadow Copy Deletion attempts..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=12345} -MaxEvents 10 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

Write-Host "Enumerating recent processes running from unusual locations..." -ForegroundColor Yellow
Get-Process | Where-Object { $_.Path -notlike "C:\Windows*" -and $_.Path -ne $null } | Select-Object ProcessName, Path, StartTime | Format-Table -AutoSize


# Incident Response Priorities

**T-minus Detection Checklist (Pre-Encryption):**
*   **VPN Anomalies:** Scrub VPN logs (specifically Check Point and Cisco FMC) for the last 14 days looking for successful authentications followed immediately by mass SMB/LDAP queries.
*   **ScreenConnect Audit:** Immediately audit all active sessions on ConnectWise ScreenConnect instances. Kill any sessions not explicitly verified by the IT staff.
*   **Process Anomalies:** Hunt for `rclone.exe` processes communicating with non-whitelisted cloud storage IP ranges (Mega.nz, Dropbox), a signature sign of Qilin data exfiltration.

**Critical Assets Prioritized for Exfiltration:**
Based on the victim profile (Healthcare, Agriculture, Tech), Qilin will prioritize:
1.  **PHI / Patient Records** (Hillebrand Home Health)
2.  **Intellectual Property / Source Code** (TitanTV)
3.  **Financial Ledger / Tax Documents** (Counts & Dobyns)
4.  **Supply Chain / Logistics Schedules** (Busscar, International Delights)

**Containment Actions (Ordered by Urgency):**
1.  **Disconnect Perimeter:** If a Check Point or Cisco firewall is suspected compromised, disconnect it from the management plane and internal network immediately to stop C2 beaconing.
2.  **Credential Reset:** Force reset of all local administrator passwords and service account credentials, especially for accounts used by the IT team (Privileged Access Management).
3.  **Disable SMB:** Temporarily disable inbound SMB (ports 445, 139) at the network level on non-critical segments to halt lateral movement.

# Hardening Recommendations

**Immediate (24h):**
*   **Patch Edge:** Apply the emergency patches for **CVE-2026-50751** (Check Point) and **CVE-2026-20131** (Cisco FMC) immediately. Do not wait for the next maintenance window.
*   **Kill RMM Web Interfaces:** If not strictly necessary, disable web interfaces for RMM tools like ScreenConnect from the public internet; enforce VPN access to reach the management console.
*   **Block Exfil Tools:** Create firewall/EDR rules to block execution of known exfiltration tools: `rclone.exe`, `winscp.exe`, and `megacmd.exe`.

**Short-term (2 weeks):**
*   **Network Segmentation:** Enforce strict isolation between OT/IoT networks (common in Agriculture/Transport) and the corporate IT domain.
*   **Zero Trust Access:** Implement conditional access policies for VPNs requiring device health attestation (compliant EDR status) before connection is granted.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarecve-2026-50751threat-intelcve-2024-1708

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.