Aliases: Agenda, BlackSuit (noted overlaps) Model: RaaS (Ransomware-as-a-Service) with aggressive affiliate recruiting. Typical Ransom Demands: High variability, generally ranging from $500,000 to $5 million USD, heavily influenced by the victim's revenue and urgency of data restoration. Initial Access Methods: Qilin affiliates heavily favor exploiting vulnerabilities in internet-facing perimeter appliances (VPN/Firewalls) and remote management tools (RMM). Phishing is observed but secondary to direct exploitation. Double Extortion Approach: Strict adherence to double extortion. Data is exfiltrated using tools like Rclone or Mega.nz prior to encryption execution. They maintain a dedicated leak site to pressure non-paying victims. Average Dwell Time: Short and aggressive. Historically, Qilin operators move from initial access to encryption in 3-5 days to minimize detection opportunities.
Current Campaign Analysis
Sectors Targeted: The current campaign shows a distinct diversification of targets compared to previous months. The primary sectors hit include:
- Agriculture and Food Production: International Delights (US), Cemoi (FR)
- Healthcare: Hillebrand Home Health (US)
- Technology: TitanTV, Inc. (US)
- Transportation/Logistics: Busscar de Colombia (CO)
- Hospitality: URH Hoteliers (ES)
Geographic Concentration: While globally dispersed, there is a heavy concentration in the United States (5 victims) followed by Europe (Spain, Finland, Portugal, France) and Latin America (Mexico, Colombia).
Victim Profile: The victim list indicates a focus on mid-market enterprises. Targeted organizations likely range in revenue from $20M to $300M USD. The inclusion of specific regional entities (e.g., Centro Científico e Cultural de Macau) suggests affiliates are leveraging automated vulnerability scanners rather than manual, highly selective targeting.
Observed Posting Frequency / Escalation: Qilin displayed a "burst" posting pattern, with 8 victims published on 2026-07-13 and 3 on 2026-07-15. This clustering usually indicates the successful deployment of a new exploit kit or automated attack script against a widespread vulnerability.
Connection to CVEs:
- CVE-2026-50751 (Check Point Security Gateway): Given the high number of corporate and tech-heavy victims, this vulnerability (added to CISA KEV in June) is the likely primary vector for initial access in this campaign.
- CVE-2024-1708 (ConnectWise ScreenConnect): Frequently used by Qilin to gain access to managed service providers (MSPs) or IT-managed environments within the Business Services and Technology sectors.
Detection Engineering
SIGMA Rules
---
title: Potential Check Point Security Gateway Exploitation CVE-2026-50751
id: 6a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
status: experimental
description: Detects potential exploitation attempts of CVE-2026-50751 involving IKEv1 anomalies or specific payload drops associated with Qilin initial access.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/07/17
tags:
- attack.initial_access
- cve.2026.50751
- qilin
logsource:
product: firewall
category: network
detection:
selection:
dst_port: 500
protocol: udp
IKEv1:
- payload_size: '>1000' # Suspicious large payload for IKE
- vendor_id: '*Gnu*'
condition: selection
falsepositives:
- Legitimate misconfigured VPN peers
level: high
---
title: Suspicious ConnectWise ScreenConnect Path Traversal Activity
id: 9d0e1f2a-3b4c-5d6e-7f8a-9b0c1d2e3f4a
status: experimental
description: Detects path traversal patterns associated with CVE-2024-1708 exploitation on ScreenConnect servers, a common Qilin entry point.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/07/17
tags:
- attack.initial_access
- cve.2024.1708
- qilin
logsource:
product: webserver
service: access
detection:
selection:
c-uri|contains:
- '..%2f'
- '..\\'
- 'bin\\Debug'
condition: selection
falsepositives:
- Scanning activity
level: critical
---
title: Qilin Ransomware Lateral Movement via PsExec
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Identifies the use of PsExec for lateral movement, frequently used by Qilin operators to deploy ransomware binaries across the network.
references:
- internal research
author: Security Arsenal Research
date: 2026/07/17
tags:
- attack.lateral_movement
- qilin
- psexec
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName|contains: 'IPC$'
RelativeTargetName|contains: 'PSEXESVC'
condition: selection
falsepositives:
- System administration activity
level: high
KQL (Microsoft Sentinel)
// Hunt for Qilin-associated lateral movement and data staging
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe")
| where ProcessCommandLine has "-accepteula" or ProcessCommandLine has "process call create" or ProcessCommandLine has "Invoke-WebRequest"
| join kind=inner (DeviceNetworkEvents | where RemotePort in (443, 80, 445) | where InitiatingProcessFileName in~ ("rclone.exe", "powershell.exe")) on DeviceId
| summarize count() by DeviceName, FileName, InitiatingProcessFileName, bin(Timestamp, 5m)
| sort by count_ desc
PowerShell (Rapid Response)
<#
.SYNOPSIS
Qilin Ransomware Response Script
.DESCRIPTION
Checks for recent scheduled task creation (staging) and VSS manipulation often seen in Qilin attacks.
#>
Write-Host "Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) } | Select-Object TaskName, Date, Author, TaskPath | Format-Table -AutoSize
Write-Host "Checking for Volume Shadow Copy Deletion attempts..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=12345} -MaxEvents 10 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
Write-Host "Enumerating recent processes running from unusual locations..." -ForegroundColor Yellow
Get-Process | Where-Object { $_.Path -notlike "C:\Windows*" -and $_.Path -ne $null } | Select-Object ProcessName, Path, StartTime | Format-Table -AutoSize
# Incident Response Priorities
**T-minus Detection Checklist (Pre-Encryption):**
* **VPN Anomalies:** Scrub VPN logs (specifically Check Point and Cisco FMC) for the last 14 days looking for successful authentications followed immediately by mass SMB/LDAP queries.
* **ScreenConnect Audit:** Immediately audit all active sessions on ConnectWise ScreenConnect instances. Kill any sessions not explicitly verified by the IT staff.
* **Process Anomalies:** Hunt for `rclone.exe` processes communicating with non-whitelisted cloud storage IP ranges (Mega.nz, Dropbox), a signature sign of Qilin data exfiltration.
**Critical Assets Prioritized for Exfiltration:**
Based on the victim profile (Healthcare, Agriculture, Tech), Qilin will prioritize:
1. **PHI / Patient Records** (Hillebrand Home Health)
2. **Intellectual Property / Source Code** (TitanTV)
3. **Financial Ledger / Tax Documents** (Counts & Dobyns)
4. **Supply Chain / Logistics Schedules** (Busscar, International Delights)
**Containment Actions (Ordered by Urgency):**
1. **Disconnect Perimeter:** If a Check Point or Cisco firewall is suspected compromised, disconnect it from the management plane and internal network immediately to stop C2 beaconing.
2. **Credential Reset:** Force reset of all local administrator passwords and service account credentials, especially for accounts used by the IT team (Privileged Access Management).
3. **Disable SMB:** Temporarily disable inbound SMB (ports 445, 139) at the network level on non-critical segments to halt lateral movement.
# Hardening Recommendations
**Immediate (24h):**
* **Patch Edge:** Apply the emergency patches for **CVE-2026-50751** (Check Point) and **CVE-2026-20131** (Cisco FMC) immediately. Do not wait for the next maintenance window.
* **Kill RMM Web Interfaces:** If not strictly necessary, disable web interfaces for RMM tools like ScreenConnect from the public internet; enforce VPN access to reach the management console.
* **Block Exfil Tools:** Create firewall/EDR rules to block execution of known exfiltration tools: `rclone.exe`, `winscp.exe`, and `megacmd.exe`.
**Short-term (2 weeks):**
* **Network Segmentation:** Enforce strict isolation between OT/IoT networks (common in Agriculture/Transport) and the corporate IT domain.
* **Zero Trust Access:** Implement conditional access policies for VPNs requiring device health attestation (compliant EDR status) before connection is granted.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.