QILIN Ransomware: Surge in Construction Sector Attacks & Critical Firewall Exploitation

Date: 2026-06-24
Source: Ransomware.live (Dark Web Leak Site Monitoring)
Analyst: Security Arsenal Intel Team

Threat Actor Profile — QILIN

Aliases: Agenda (previously), Qilin.B

Operating Model: Ransomware-as-a-Service (RaaS). Qilin operates an affiliate program that aggressively recruits penetration testers and initial access brokers (IABs). They have recently upgraded their malware to a Rust-based cryptor (Agenda v2/Black variant) optimized for speed and cross-platform compatibility (Windows/Linux/ESXi).

Ransom Demands: Typically range from $300,000 to $5 million USD, varying strictly based on victim revenue and perceived urgency to restore operations.

TTPs & Initial Access:

Initial Access: Heavily reliant on exploiting edge perimeter vulnerabilities (VPNs, Firewalls) and compromising remote management software (ScreenConnect).
Double Extortion: Strict adherence to exfiltration before encryption. They typically threaten to leak data within 3-5 days if negotiations stall.
Dwell Time: Short. Recent intelligence indicates an average dwell time of 3–5 days from initial compromise to detonation, reducing the window for detection.

Current Campaign Analysis

Based on the last 100 postings (16 recent victims analyzed), Qilin has pivoted focus significantly towards the Construction and Manufacturing sectors, alongside high-value Financial targets.

Sector Targeting

Sector	Victim Count	Notable Victims
Construction	4	Schumacher Homes, Florida Engineering Services, PJ Daly Contracting, Homes By J Anthony
Manufacturing	3	Taiwan Sintong Machinery, Pacific Lamp & Supply, Roth Industries
Financial Services	1	Central Bank of Libya (Critical Infrastructure)
Public Sector	1	Commune d'Eyguires
Telecommunication	1	Sivatel Bangkok

Geographic Concentration

While United States (US) entities comprise nearly 44% of the recent victims (7 total), the campaign is distinctly global with confirmed impacts in Singapore (SG), Libya (LY), Germany (DE), and Taiwan (TW). This suggests a broad-spectrum "spray and pray" approach to vulnerability exploitation rather than geo-targeted spear-phishing.

Victim Profile

Construction/Manufacturing Dominance: These sectors often rely on legacy VPN infrastructure and have lower tolerance for operational downtime, making them ideal for high-velocity ransom demands.
Financial Targeting: The compromise of the Central Bank of Libya suggests capabilities for bypassing high-security perimeters, likely via the Cisco Secure Firewall vulnerability (CVE-2026-20131).

CVE Correlation & Attack Vector

The recent victimology correlates strongly with the exploitation of CISA Known Exploited Vulnerabilities (KEVs) observed in the wild:

CVE-2026-50751 (Check Point Security Gateway): Likely utilized for initial access into corporate VPNs, explaining the spread across diverse geolocations (SG, US, TH).
CVE-2026-20131 (Cisco Secure Firewall FMC): The most probable vector for the Central Bank of Libya compromise.
CVE-2024-1708 (ConnectWise ScreenConnect): A persistent favorite for Qilin affiliates to gain remote code execution (RCE) on IT management consoles within MSPs supporting the Construction and Manufacturing victims.

Detection Engineering

The following detection rules and hunt queries are designed to identify Qilin-specific behaviors, particularly focusing on the perimeter exploitation and lateral movement stages.

SIGMA Rules

YAML

---
title: Potential Check Point VPN IKEv1 Exploitation CVE-2026-50751
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects potential exploitation of improper authentication in IKEv1 key exchange on Check Point Security Gateways, a known Qilin vector.
status: experimental
date: 2026/06/24
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: firewall
    service: check_point
detection:
    selection:
        action|startswith: 'ike'
        protocol: 'udp'
        port: 500
    filter_legit_traffic:
        src_ip:
            - '10.0.0.0/8'
            - '192.168.0.0/16'
            - '172.16.0.0/12'
    condition: selection and not filter_legit_traffic
falsepositives:
    - Legitimate remote employee VPN connections from unknown IPs
level: high
tags:
    - cve.2026.50751
    - attack.initial_access
    - ransomware.qilin
---
title: Suspicious ScreenConnect Web Request Path Traversal
id: b2c3d4e5-f6a7-4b5c-9d0e-1f2a3b4c5d6e
description: Detects path traversal strings in ScreenConnect web requests, indicative of CVE-2024-1708 exploitation used by Qilin affiliates.
status: experimental
date: 2026/06/24
author: Security Arsenal
logsource:
    category: web
detection:
    selection_uri:
        ct_request_uri|contains:
            - '../'
            - '%2e%2e%2f'
            - '..\\'
    selection_uri_screenconnect:
        ct_request_uri|contains: '/Guest/'
    condition: all of selection_*
falsepositives:
    - Scanning activity (rare but possible)
level: critical
tags:
    - cve.2024.1708
    - attack.initial_access
    - attack.t1190
    - ransomware.qilin
---
title: PsExec Lateral Movement with Qilin Characteristics
id: c3d4e5f6-a7b8-4c5d-0e1f-2a3b4c5d6e7f
description: Detects the use of PsExec for lateral movement, a common post-exploitation tool for Qilin operators, specifically looking for admin shares.
status: experimental
date: 2026/06/24
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|startswith: '\\*\ADMIN$'
        AccessMask: '0x10080'  # WriteData and AppendData
    filter:
        SubjectUserName|endswith: '$' # Exclude computer accounts
    condition: selection and not filter
falsepositives:
    - Legitimate administration using PsExec
level: high
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - ransomware.qilin

KQL (Microsoft Sentinel)

Hunt Query: Identifies rapid creation of scheduled tasks or remote services, a precursor to Qilin encryption.

KQL — Microsoft Sentinel / Defender

let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "pwsh.exe")
| where ProcessCommandLine has "schtasks" or ProcessCommandLine has "sc.exe" or ProcessCommandLine has "reg add"
| where ProcessCommandLine has "create" or ProcessCommandLine has "start"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

PowerShell Response Script

Action: Enumerate scheduled tasks created in the last 7 days and check for Shadow Copy manipulation attempts.

PowerShell

# Check for Scheduled Tasks created/modified in the last 7 days
$DateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {$_.Date -gt $DateCutoff} | Select-Object TaskName, TaskPath, Date, Author

# Check Event Logs for VSSAdmin/Delete Shadow Copy attempts
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663; StartTime=$DateCutoff} -ErrorAction SilentlyContinue | 
Where-Object {$_.Message -like '*vssadmin.exe*' -or $_.Message -like '*delete shadows*'} | 
Select-Object TimeCreated, Id, Message


---

Incident Response Priorities

If Qilin activity is suspected, execute the following IR checklist immediately:

T-Minus Detection Checklist:
- Check Point Logs: Review VPN logs for IKEv1 handshake failures followed immediately by success (indicative of CVE-2026-50751 exploitation).
- ScreenConnect Audit: Audit Setup Logs and Access Logs on ScreenConnect servers for Guest.aspx access anomalies.
- Process Anomalies: Hunt for rclone or megasync processes (common Qilin exfil tools) in %TEMP% or %APPDATA%.
Critical Assets for Exfiltration:
- Construction: Blueprints (CAD files), Project Bids, Client Financial Records.
- Finance: SWIFT credentials, ACH transfer logs, Customer PII/PIFI.
Containment Actions:
- Immediate: Isolate VPN concentrators from the internal network; disable external access to management interfaces (ScreenConnect, RDP).
- Urgent: Force-reset credentials for all privileged accounts (Domain Admins) that may have been logged into the Check Point or Cisco management consoles during the breach window.

Hardening Recommendations

Immediate (24 Hours):

Patch Perimeter: Apply the patch for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC) immediately. Disable IKEv1 if not strictly required.
ScreenConnect Hygiene: Ensure ScreenConnect instances are patched for CVE-2024-1708 and enforce MFA for all administrative access.

Short-Term (2 Weeks):

Network Segmentation: Enforce strict segmentation between OT/Manufacturing networks and IT admin networks to prevent lateral movement from compromised VPNs.
Implementation of JIT: Replace persistent VPN access with Just-In-Time (JIT) access via a Zero Trust Network Access (ZTNA) solution to reduce the attack surface.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub