Back to Intelligence

QILIN Ransomware: Legal Sector Under Siege — 15 Victims Posted & Critical Check Point CVE Exploited

SA
Security Arsenal Team
June 10, 2026
7 min read

Date: 2026-06-11
Source: Ransomware.live / Dark Web Leak Site (.onion)
Analyst: Security Arsenal Intelligence Unit

Threat Actor Profile — QILIN

  • Aliases: Agenda (formerly), Qilin.
  • Operational Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate program that aggressively recruits penetration testers and initial access brokers (IABs). They distinguish themselves with a Rust-based encryptor that is highly customizable and difficult to analyze.
  • Ransom Demands: Typically range from $500,000 to $5 million USD, negotiated primarily through a TOR-based chat portal. They aggressively push for payment by threatening immediate data leak.
  • Initial Access Methods: Qilin affiliates heavily rely on exploiting external-facing vulnerabilities (VPN appliances, Remote Access Tools) rather than pure phishing. Recent intelligence shows a pivot toward exploiting Check Point Security Gateways and ConnectWise ScreenConnect instances. Phishing with malicious macros remains a secondary vector.
  • Double Extortion: Yes. Qilin steals sensitive data prior to encryption and threatens to publish it on their "Calendar" leak site if ransom demands are not met.
  • Average Dwell Time: 3–7 days. Affiliates move fast, often achieving domain administrator privileges within 48 hours of initial access before detonating the payload.

Current Campaign Analysis

Executive Summary

On 2026-06-10, the Qilin gang posted 15 new victims to their dark web leak site, marking a significant spike in activity (28 victims in the last 100 postings). The campaign demonstrates a distinct geographic and sectoral focus.

Sector Targeting

  • Dominant Sector: Business Services (specifically Legal & Professional Services).
    • Analysis: 7 of the 15 victims posted are clearly identified as law firms or legal partnerships (e.g., Miller & Zois, Bekman Marder Hopper Malarkey & Perlin, Dulany Leahy Curtis & Brophy, Wright Constable & Skeen). Qilin affiliates are actively targeting firms handling high-value M&A and litigation data.
  • Secondary Targets: Consumer Services, Manufacturing, Energy, and Healthcare.
    • Notable: Metro Electric (Energy) suggests an expansion into critical infrastructure adjacent sectors.

Geographic Concentration

  • United States: Primary target (11/15 victims).
  • International: Germany (2), Mexico (1), and "Not Found"/Unknown (1).

Vulnerability Correlation

The recent surge in victims correlates directly with the exploitation of CVEs added to the CISA KEV catalog:

  1. CVE-2026-50751 (Check Point Security Gateway): Added to KEV on 2026-06-08. Given the 48-hour gap, it is highly probable that the victims posted on 2026-06-10 were compromised via this unauthenticated bypass on perimeter VPN devices.
  2. CVE-2024-1708 (ConnectWise ScreenConnect): A historic favorite for Qilin affiliates for remote code execution (RCE). This remains a persistent threat for unpatched MSPs and internal IT teams.

Detection Engineering

SIGMA Rules

YAML
title: Potential Check Point VPN IKEv1 Exploitation Attempt
description: Detects potential exploitation of CVE-2026-50751 involving abnormal IKEv1 key exchange patterns or subsequent suspicious process execution on the gateway. Note: Requires VPN gateway logs or endpoint logs on management servers.
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/11
status: experimental
logsource:
    category: firewall
    product: checkpoint
detection:
    selection:
        service|contains: 'ike'
        action: 'accept' or 'decrypt' or 'encrypt'
        vpn_type|contains: 'ikev1'
    filter_main_legit:
        src_ip|cidr:
            - '10.0.0.0/8'
            - '192.168.0.0/16'
            - '172.16.0.0/12'
    condition: selection and not filter_main_legit
falsepositives:
    - Legacy VPN configurations requiring IKEv1 from known trusted IPs
level: high

title: Suspicious ScreenConnect Child Process (CVE-2024-1708)
description: Detects suspicious processes spawned by ConnectWise ScreenConnect service, indicative of authenticated RCE exploitation.
references:
    - https://attack.mitre.org/techniques/T1210/
author: Security Arsenal Research
date: 2026/06/11
status: stable
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\ScreenConnect.Service.exe'
    selection_img:
        - Image|endswith: '\cmd.exe'
        - Image|endswith: '\powershell.exe'
        - Image|endswith: '\powershell_ise.exe'
        - Image|endswith: '\pwsh.exe'
        - Image|endswith: '\mshta.exe'
        - Image|endswith: '\regsvr32.exe'
        - Image|endswith: '\rundll32.exe'
    condition: selection_parent and selection_img
falsepositives:
    - Legitimate administrative use via ScreenConnect (rare for cmd.exe/powershell.exe to be direct children)
level: critical

title: Ransomware Shadow Copy Deletion via VssAdmin
description: Detects attempts to delete Volume Shadow Copies using vssadmin.exe, a common precursor to Qilin encryption to prevent recovery.
references:
    - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal Research
date: 2026/06/11
status: stable
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'resize shadowstorage'
    condition: selection
falsepositives:
    - System administration tasks (rare)
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for large scale file encryption patterns often seen in Qilin attacks
// Looks for rapid modification of file extensions in short timeframes
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileCreated" or ActionType == "FileModified"
| extend Extension = tostring(split(FileName, '.')[ -1 ])
| project Timestamp, DeviceName, FolderPath, FileName, Extension, InitiatingProcessAccountName
| summarize Count = count(), UniqueExtensions = dcount(Extension) by DeviceName, bin(Timestamp, 5m)
| where Count > 50 and UniqueExtensions > 10 // Heuristic threshold
| order by Count desc

Rapid Response PowerShell Script

PowerShell
<#
.SYNOPSIS
    Qilin Response Check - Identifies signs of compromise and ransomware staging.
.DESCRIPTION
    Checks for recent shadow copy deletion, suspicious scheduled tasks, and large archive creation.
#>

Write-Host "[+] Starting Qilin Response Check..." -ForegroundColor Cyan

# 1. Check for VssAdmin deletion events in last 24 hours
Write-Host "\n[*] Checking for Shadow Copy Deletion attempts (Last 24h)..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4674; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match 'vssadmin' -and $_.Message -match 'delete' }
if ($vssEvents) { $vssEvents | Select-Object TimeCreated, Message } 
else { Write-Host "No explicit VssAdmin deletion events found in Security Log." -ForegroundColor Green }

# 2. Check for recently created Scheduled Tasks (Common persistence)
Write-Host "\n[*] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Yellow
$schtasks = schtasks /query /fo LIST /v | Select-String "TaskName","Scheduled For","Author" | 
             Out-String | ConvertFrom-String -Delimiter ":" 
# Note: Parsing schtasks output is complex; basic check via XML export is better for admins but this is a quick triage.
Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) } | 
    Select-Object TaskName, Date, Author, Action | Format-Table -AutoSize

# 3. Check for RAR/7z processes in last 24h (Staging)
Write-Host "\n[*] Checking for Archiving Processes (WinRAR/7zip) in last 24h..." -ForegroundColor Yellow
$proc = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
         Where-Object { $_.Message -match 'winrar.exe' -or $_.Message -match '7z.exe' -or $_.Message -match 'rar.exe' }
if ($proc) { $proc | Select-Object TimeCreated, Message } 
else { Write-Host "No archiving tool activity detected via Sysmon." -ForegroundColor Green }

Write-Host "\n[+] Triage Complete." -ForegroundColor Cyan


---

Incident Response Priorities

T-minus Detection Checklist

  • Check Point Gateways: Immediately review logs for CVE-2026-50751 exploitation attempts (IKEv1 anomalies) occurring between 2026-06-08 and present.
  • ScreenConnect Audit: Identify all ScreenConnect instances. Audit logs for successful logins from unknown IPs or "Anonymous" users between 2026-05-27 and present.
  • Law Firm Specifics: If in the legal sector, audit access to document management systems (e.g., iManage, NetDocuments) for bulk exports or unusual access times.

Critical Assets at Risk

  • M&A Data and Client Files: Qilin targets legal firms specifically for sensitive client data to leverage in extortion.
  • Energy SCADA Interfaces: For victims like Metro Electric, operational technology interfaces may be scoped for encryption or disruption.

Containment Actions (Order by Urgency)

  1. Isolate VPN Infrastructure: If Check Point gateways are suspected, take them offline for forensics and force a password reset for all VPN-capable accounts.
  2. Terminate ScreenConnect Sessions: Kill all active sessions and patch to the latest version immediately.
  3. Disable Domain Admin Accounts: If lateral movement is suspected (see Sigma rules), reset DA credentials and disable the accounts until the breach scope is defined.

Hardening Recommendations

Immediate (24h)

  • Patch CVE-2026-50751: Apply the Check Point hotfix immediately to all Security Gateways. Block IKEv1 at the network perimeter if not required.
  • Patch CVE-2024-1708: Ensure all ConnectWise ScreenConnect instances are updated to the latest patched version.
  • Block RDP from Internet: Ensure RDP (TCP 3389) is not exposed to the internet. Force all RDP through a VPN or Zero Trust solution.

Short-term (2 weeks)

  • Implement phishing-resistant MFA: Enforce FIDO2/WebAuthn for all remote access and VPN logins to mitigate credential theft.
  • Network Segmentation: Separate high-value file servers (legal/energy data) from general user networks to impede lateral movement.
  • EDR Policy Tuning: Configure EDR to alert on vssadmin usage and PowerShell spawned by ScreenConnect.Service as critical incidents.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomware-as-a-servicelegal-sectorcve-2026-50751initial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action