Back to Intelligence

QILIN Ransomware: Surge in Business Services Attacks & Exploitation of New Check Point CVE

SA
Security Arsenal Team
June 13, 2026
6 min read

Threat Actor Profile — QILIN

Overview: Qilin (also known as Agenda) is a Ransomware-as-a-Service (RaaS) operation that has aggressively targeted mid-market enterprises. Operating primarily as a franchised model, they provide a Rust-based encryptor to affiliates. Qilin is notorious for aggressive "double extortion," exfiltrating sensitive data before encryption to leverage ransom payments.

Ransom Demands: Demands typically range from $200,000 to several million USD, often calibrated based on the victim's revenue and the sensitivity of exfiltrated data.

Initial Access: Qilin affiliates frequently exploit vulnerabilities in perimeter network devices (specifically VPNs) and remote management software. Phishing and credential stuffing are secondary vectors. The current campaign shows a heavy reliance on exploiting CVEs in Check Point Security Gateways and ConnectWise ScreenConnect.

Dwell Time: Qilin operators are known for a short dwell time, often moving laterally and detonating payloads within 48-72 hours of initial access to minimize detection opportunities.

Current Campaign Analysis

Targeting Sectors: The latest victim set (19 organizations) indicates a concentrated effort against the Business Services sector, specifically targeting legal firms (e.g., Miller & Zois, Bekman Marder Hopper) and professional consultancies. Secondary targets include Consumer Services, Technology, and Healthcare.

Geographic Focus: The campaign is heavily US-centric, with a significant cluster of victims in Maryland (MD), Washington, and Delaware. Additional victims in Spain (ES), Mexico (MX), and South Korea (KR) suggest a global scanning effort for vulnerable perimeter devices.

Victim Profile: Targets appear to be mid-market organizations with annual revenues likely between $10M and $100M. These organizations often have robust client data (high extortion value) but may lack dedicated 24/7 SOC monitoring to detect initial perimeter breaches.

Posting Frequency & Escalation: Victims were posted in rapid succession between June 10 and June 12, 2026. This "dumping" pattern suggests a mass-exploitation event where affiliates compromised multiple targets using a common exploit (likely CVE-2026-50751) before setting deadlines for ransom payments.

CVE Correlation:

  • CVE-2026-50751 (Check Point Security Gateway): This improper authentication vulnerability in IKEv1 is a high-confidence initial access vector for this campaign, given the recent addition to CISA KEV and the gang's history of VPN exploitation.
  • CVE-2024-1708 (ConnectWise ScreenConnect): A known RCE vector used by Qilin for lateral movement and hands-on-keyboard activity following initial access.
  • CVE-2023-21529 (Microsoft Exchange): Historically used by Qilin for entry in environments with exposed Exchange servers.

Detection Engineering

SIGMA Rules

YAML
title: Potential ScreenConnect Authentication Bypass / RCE CVE-2024-1708
id: a1b2c3d4-e5f6-4a5b-8c9d-1e2f3a4b5c6d
description: Detects suspicious process execution patterns associated with the exploitation of ConnectWise ScreenConnect path traversal vulnerability leading to RCE.
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: 'ScreenConnect'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate administrative use via ScreenConnect
level: high
---
title: Check Point VPN IKEv1 Improper Authentication Exploit Activity
id: b2c3d4e5-f6a7-4b5c-9d0e-2f3a4b5c6d7e
description: Detects potential exploitation of CVE-2026-50751 by observing spikes in IKEv1 negotiation failures or authentication anomalies on VPN gateways.
status: experimental
date: 2026/06/13
author: Security Arsenal
logsource:
    product: firewall
detection:
    selection_ikev1:
        Protocol: 'IKE'
        Version: 'V1'
    selection_anomaly:
        Action: 'Deny' or 'Drop'
    timeframe: 1m
    condition: selection_ikev1 and selection_anomaly | count() > 50
falsepositives:
    - High volume of legitimate IKEv1 connection attempts from misconfigured clients
level: medium
---
title: Ransomware Pre-Encryption Shadow Copy Deletion
id: c3d4e5f6-a7b8-4c6d-0e1f-3a4b5c6d7e8f
description: Detects commands used by Qilin and other ransomware gangs to delete Volume Shadow Copies to prevent recovery.
status: experimental
date: 2026/06/13
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_vssadmin:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: 'shadowcopy delete'
    condition: 1 of selection_
falsepositives:
    - Legitimate system administration (rare)
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement indicative of Qilin manual operation
// Looks for SMB/RPC connections created by accounts that recently logged in via VPN or remote access
let TimeRange = 1d;
let VPN_Users =
    DeviceLogonEvents
    | where Timestamp > ago(TimeRange)
    | where LogonType == 8 or LogonType == 10 // RemoteInteractive or NetworkCleartext
    | project AccountName, AccountObjectId, DeviceId, Timestamp;
DeviceNetworkEvents
| where Timestamp > ago(TimeRange)
| where RemotePort in (445, 135, 139) // SMB/RPC
| where ActionType == "ConnectionAccepted"
| join kind=inner VPN_Users on AccountName
| project Timestamp, DeviceName, RemoteIP, RemotePort, AccountName, InitiatingProcessFileName
| summarize ConnectionCount = count() by DeviceName, AccountName, InitiatingProcessFileName
| where ConnectionCount > 10

Rapid Response Script

PowerShell
# PowerShell: Qilin Ransomware Emergency Check
# Checks for recent scheduled tasks and VSS deletion attempts

Write-Host "[+] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | Select-Object TaskName, Date, Author, Actions | Format-Table -AutoSize

Write-Host "[+] Checking Event Logs for VSS Deletion attempts..." -ForegroundColor Cyan
try {
    $VSSLog = Get-WinEvent -FilterHashtable @{LogName='Application'; StartTime=(Get-Date).AddHours(-24); Id=1234} -ErrorAction Stop
    if ($VSSLog) { $VSSLog | Select-Object TimeCreated, Message | Format-List }
} catch {
    Write-Host "No specific VSS events found or access denied."
}

Write-Host "[+] Enumerating suspicious PowerShell processes..." -ForegroundColor Cyan
Get-Process | Where-Object {$_.ProcessName -eq 'powershell' -or $_.ProcessName -eq 'pwsh'} | Select-Object ProcessName, StartTime, Path | Format-Table

Write-Host "[!] If you find anomalies, isolate the host immediately." -ForegroundColor Red

Incident Response Priorities

T-Minus Detection Checklist:

  1. VPN Logs: Immediate audit of Check Point Security Gateway logs for CVE-2026-50751 exploitation indicators (IKEv1 anomalies from unfamiliar IPs).
  2. Remote Management: Audit ConnectWise ScreenConnect logs for path traversal requests (CVE-2024-1708) and unauthorized software deployments.
  3. Scheduled Tasks: Hunt for newly created scheduled tasks, which Qilin uses for persistence and payload execution.

Critical Asset Prioritization: Based on the victimology (Legal/Business Services), Qilin prioritizes:

  • Document Management Systems (e.g., iManage, NetDocuments)
  • File Servers containing PII and Client Legal Privilege data
  • HR and Financial databases (Payroll, Tax forms)

Containment Actions (Order of Urgency):

  1. Segregate VPN Access: Force MFA resets and block non-country IP ranges on VPN gateways immediately.
  2. Disable ScreenConnect: If not strictly required, stop the service; otherwise, patch CVE-2024-1708 instantly.
  3. Isolate File Servers: Disconnect high-value file servers from the network to prevent lateral spread and encryption.

Hardening Recommendations

Immediate (24 Hours):

  • Patch CVE-2026-50751: Apply the Check Point Security Gateway update for the IKEv1 authentication bypass immediately. This is the primary vector in this campaign.
  • Patch CVE-2024-1708: Update ConnectWise ScreenConnect to the latest patched version.
  • Disable IKEv1: If legacy client support is not required, disable IKEv1 on VPN gateways and enforce IKEv2.

Short-Term (2 Weeks):

  • Network Segmentation: Implement strict Zero Trust segmentation. Legal and Finance departments should have firewalled subnets inaccessible from generic DMZ jump hosts.
  • MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) for all VPN and remote access entry points.
  • EDR Tuning: Configure EDR alerts specifically for vssadmin.exe and wbadmin.exe execution, and alert on any process spawning from ScreenConnect.ClientService.exe.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangqilinransomwarebusiness-servicescve-2026-50751screenconnectcheck-point

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action