By the time you finish reading this article, you’ll understand why Qilin turns CVEs into active campaigns faster than any competing group. The answer is organisational, not technological.
When CVE-2026-50751 was exploited in the wild from 7 May 2026, the attackers didn’t brute-force credentials or phish a password. They walked through the VPN’s front door as authenticated users. The vulnerability, a CVSS 9.3 authentication bypass in Check Point Remote Access VPN, let them skip the password check by exploiting a logic flaw in the deprecated IKEv1 certificate validation. No credential-compromise trail, no failed login alerts, nothing for the perimeter monitoring to catch. The full scope of the incident — from the vulnerability that made this campaign possible through to the strategic implications for VPN-dependent organisations — is covered in our overview of the Check Point VPN zero-day and Qilin ransomware campaign.
The group behind it was Qilin ransomware, formerly tracked as Agenda. Kaspersky named it the most active targeted-attack ransomware group in 2025, with more than 500 claimed victims across 2026. That trajectory is driven by a RaaS model that distributes zero-day weaponisation across an incentivised affiliate network, compressing the time from CVE discovery to deployment from months into days.
Four groups accounted for a large share of Q1 2026 ransomware victims: Qilin, Akira, LockBit, and The Gentlemen. Qilin’s structural advantage, affiliate autonomy with an 80 to 85 percent revenue share, makes it the fastest-moving operation in the ecosystem. What follows is the sequence, the signature techniques, the economics, and the competitive dynamics that put it there, starting with what actually happens after the VPN door swings open.
What Happened Inside the Network After the VPN Authentication Bypass?
The VPN bypass opens the door. What follows is a methodical sequence that transforms a perimeter breach into organisational compromise. Understanding this sequence is what separates detecting an intrusion from reading about it after encryption.
The post-exploitation pattern is consistent. The attacker arrives as a legitimate authenticated user on the VPN concentrator, then enumerates domain controllers and Active Directory trusts using built-in Windows tooling: PowerShell, WMI, and commands like net user and net group. No custom malware. Just administrative tools that look like a sysadmin having a busy morning.
From there, privilege escalation follows. Mimikatz extracts tokens from lsass.exe, winlogon.exe, and wininit.exe processes to achieve SYSTEM-level access. Then lateral movement begins: PsExec 2.43 over SMB, RDP, WMI. Credential harvesting comes next, a Group Policy Object script distributed to every domain-joined machine that scoops saved Chrome passwords on login. Data staging through Rclone to attacker-controlled VPS infrastructure follows, hosted across providers like Kaupo Cloud HK and Vultr Holdings. Volume Shadow Copies are deleted via vssadmin and wmic. Then the ransomware payload deploys.
Rapid7’s MDR team observed two high-confidence cases attributed to CVE-2026-50751 and published detection rules for InsightIDR customers. Nine attacker IP addresses and two ELF hashes have been published as concrete indicators. The dwell time from initial VPN access to encryption has compressed to a median of 3.84 days, down from 60-plus days in 2019. The window from “something looks unusual” to “the backups are gone” has narrowed to under a working week.
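The chain above is also the detection opportunity. As an added example (not code from the article, Rapid7 or any other vendor), the script below scores constructed process-creation events per host and alerts only when several distinct stages of the chain land on one host inside a short window; the regexes, the four-hour window and the three-stage threshold are assumptions, and it serves the indicator list in the FAQ below as well.

```python
"""Detection logic for the post-exploitation chain described above.

Added example, not code from the article or any vendor: it scores constructed
process-creation events (Sysmon Event ID 1 style fields) per host and alerts
only when several distinct stages of the chain appear on one host inside a
short window, which is what separates the chain from a sysadmin having a busy
morning. Regexes, window and threshold are assumptions, not vendor content.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per stage of the chain; ATT&CK IDs are the ones the article cites.
STAGES = {
    "ad_recon": re.compile(r"\bnet1?(\.exe)?\s+(user|group)\b"),            # net user / net group
    "credential_dumping": re.compile(r"\b(mimikatz|sekurlsa::|lsadump::)"),  # T1003 via Mimikatz
    "lateral_movement": re.compile(r"\bpsexec(64)?(\.exe)?\b|\\\\[\w.-]+\\admin\$"),  # T1021, PsExec/SMB
    "exfil_staging": re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b"),   # Rclone to external storage
    "inhibit_recovery": re.compile(                                           # T1490, VSS deletion
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"),
}
WINDOW = timedelta(hours=4)   # assumed: stages must land inside this span
MIN_STAGES = 3                # assumed: distinct stages needed before alerting


def classify(cmdline):
    """Return the chain stage a command line belongs to, or None."""
    low = cmdline.lower()
    for stage, pattern in STAGES.items():
        if pattern.search(low):
            return stage
    return None


def detect(events):
    """events: dicts with 'time' (ISO 8601), 'host', 'cmdline'.
    Returns {host: sorted stage names} for hosts where at least MIN_STAGES
    distinct stages occurred within WINDOW of each other."""
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev["cmdline"])
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= WINDOW}
            if len(stages) >= MIN_STAGES:
                alerts[host] = sorted(stages)
                break
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    {"time": "2026-05-09T08:02:11", "host": "FS01", "cmdline": 'net group "Domain Admins" /domain'},
    {"time": "2026-05-09T08:15:40", "host": "FS01", "cmdline": "mimikatz.exe"},
    {"time": "2026-05-09T09:30:05", "host": "FS01", "cmdline": "PsExec.exe \\\\DC01 -s cmd.exe"},
    {"time": "2026-05-09T10:47:19", "host": "FS01", "cmdline": "rclone.exe copy D:\\Finance remote:staging"},
    {"time": "2026-05-09T11:05:00", "host": "FS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2026-05-09T08:10:00", "host": "WS22", "cmdline": "net user jsmith /domain"},  # lone lookup
]

if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

A single `net user` on WS22 never alerts; FS01 crosses the threshold as soon as recon, Mimikatz and PsExec have appeared, well before Rclone or vssadmin.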
The vulnerability itself, and the mechanics that make this entire post-exploitation chain possible, are covered in detail in our analysis of the CVE-2026-50751 authentication bypass. The 32 days of blind exposure before Check Point’s advisory is explained in our examination of the exploitation window.
What Makes Qilin’s Post-Exploitation TTPs Distinct from Other Ransomware Groups?
The attack chain follows a recognisable structure, but Qilin’s execution of each phase differs from its competitors in three signature ways. These techniques explain why the group achieves rapid victim volume without the infrastructure scale of LockBit.
Chrome credential harvesting is the standout. A custom script distributed via Group Policy executes on login across every domain-joined endpoint, extracting saved usernames and passwords from Chrome’s local storage database. Sophos X-Ops documented the technique in 2024, and it remains unmatched at scale by LockBit or Akira. A single VPN breach becomes a credential compromise spanning banking, enterprise SaaS, email, and cloud services. The double extortion impact amplifies beyond the encryption event because every service whose credentials were stored in Chrome is now exposed.
Windows Subsystem for Linux abuse, first documented in October 2025, lets affiliates execute ransomware payloads within the WSL environment. Many EDR solutions have limited visibility into Linux subsystems on Windows hosts, and WSL is enabled by default in a growing number of enterprise deployments. Qilin’s consistent investment in staying ahead of defensive controls shows: in April 2026, affiliates were observed using a malicious msimg32.dll loader chain that side-loads vulnerable signed drivers to terminate processes tied to more than 300 EDR drivers, unhook user-mode API calls, and suppress ETW providers before the ransomware payload executes.
Then there’s the living-off-the-land philosophy. Qilin affiliates rely on PsExec, PowerShell, WMI, certutil, and RDP rather than custom malware wherever possible. Intrusions look like legitimate administrative activity. Signature-based detection misses them. Behavioural detection (anomalous RDP usage, unusual outbound transfer volumes, credential dumping patterns) is what catches them.
MITRE ATT&CK mappings cover the full chain: T1078 (Valid Accounts) for VPN access, T1003 (OS Credential Dumping) for Mimikatz, T1021 (Remote Services) for lateral movement, T1490 (Inhibit System Recovery) for VSS deletion, and T1486 (Data Encrypted for Impact). The initial access mechanism that enables these TTPs is detailed in our CVE-2026-50751 analysis.
How Does the RaaS Model Let Affiliates Weaponise Zero-Days at Speed?
Qilin’s RaaS model functions as a speed advantage. By distributing exploit development across an incentivised affiliate network, the group compresses the time from CVE discovery to operational deployment.
The model has two components. Core operators maintain the ransomware payload, payment infrastructure, and data leak site. Affiliates breach networks, escalate privileges, exfiltrate data, and deploy encryption. The core group provides the payload. It does not control or gatekeep initial access methods. Affiliates acquire and weaponise access independently.
When CVE-2026-50751 was first exploited on 7 May 2026, it was a Qilin affiliate, not a centralised development team, who operationalised the Check Point VPN bypass within days. The core group didn’t distribute updated tooling. An affiliate saw a vulnerable VPN product, acquired or developed an exploit, and moved. That autonomy is what makes the model work.
Zero-day diffusion through the affiliate network multiplies the attack surface. A single exploited VPN appliance becomes a packaged access commodity on the Initial Access Broker marketplace, where it can be sold to multiple affiliates. One CVE becomes dozens of concurrent intrusions. This is how CVE-2026-50751 propagated from first observed exploitation on 7 May to a CISA Known Exploited Vulnerabilities addition by 8 June.
The contrast with closed ransomware operations is sharp. A centralised group developing all tooling in-house is slower, less scalable, and less responsive to new CVEs. When RansomHub went dark without warning on 1 April 2025, its displaced affiliates migrated to Qilin, and the group’s data leak site disclosures doubled between February and April 2025. The hydraulic pressure the RaaS model creates is real: every time a platform collapses, the survivors absorb its operators.
That speed advantage depends on affiliates willing to invest in zero-day capability, and the revenue split is what funds that investment — a pattern our full incident analysis traces from CVE discovery to operational campaign. How the exploitation window collapse compounds this dynamic is covered in our companion analysis.
Why Do Qilin Affiliates Earn 80 to 85 Percent of Ransom Payments, and What Does That Mean for Attack Volume?
The revenue split is the structural reason Qilin has absorbed displaced talent from every major RaaS disruption since 2024.
Affiliates earn 80 percent of ransoms under $3 million and 85 percent for larger amounts. Payments flow directly to affiliate wallets before commission transfer. LockBit offers up to 90 percent at top tiers, DragonForce takes only a 20 percent operator cut, and ISC2 data shows operator commission across the broader market sits between 15 and 40 percent. Qilin’s structure attracts skilled affiliates with proven post-exploitation capability.
High margins create a self-reinforcing cycle. Affiliates retain enough revenue to fund independent zero-day acquisition and IAB access purchases, typically priced by victim revenue and persistence quality. That increases attack volume, which attracts more affiliates. MOXFIVE tracking shows approximately 1,500 claimed victims since launch, with more than 500 in 2026 alone. Corvus data shows Qilin with 551 victims in Q4 2025, accounting for 22 percent of all ransomware attacks.
Trace the affiliate migration cascade and the pattern becomes clear. ALPHV/BlackCat pulled an exit scam after the $22 million Change Healthcare ransom, stiffing its affiliate. LockBit infrastructure was dismantled by Operation Cronos in February 2024. RansomHub went dark in April 2025. Each disruption released skilled operators, and Qilin’s 85 percent split was the strongest magnet.
Ransom payment rates have compressed to roughly 25 percent. Total ransom revenue declined in 2025 even as attack volume rose 47 percent. That margin pressure, more work for less money per job, drives investment in higher-value initial access: zero-days over credential stuffing, VPN exploitation over phishing. The escalation in attack sophistication is a direct consequence of the economics.
How Does Qilin’s Double Extortion Model Amplify the Damage Beyond Encryption?
Encryption is the first pressure lever. Qilin layers additional levers on top of it (data exfiltration, staged leak publication, regulatory weaponisation, and DDoS bundling) to sustain negotiation pressure even when victims can restore from backups.
Data exfiltration via Rclone occurs before encryption. Organisations with robust offline backups still face data leak pressure, because the data is already gone. The Synnovis pathology services attack on the NHS in June 2024 is the highest-profile example: after the $50 million ransom was refused, approximately 400GB of patient data was published on Qilin’s Tor-based Data Leak Site. Patient names, NHS numbers, dates of birth, and pathology test descriptions, including HIV status and cancer diagnoses, were exposed. Thousands of NHS operations and appointments were cancelled.
Beyond the standard double extortion playbook, Qilin extends pressure through additional levers. The “Call Lawyer” feature embedded in the affiliate panel generates templated communications that frame a victim’s refusal to pay as creating regulatory liability under GDPR, CCPA, and HIPAA. It does not involve actual solicitors. It weaponises the regulatory frameworks organisations are already most worried about. DDoS capability bundled into the affiliate panel enables concurrent denial-of-service attacks during negotiations.
Staged data release follows a predictable cadence: initial victim listing with partial data preview, then a countdown timer, tranched publication if no payment, and full dataset release. In May 2024, Qilin launched WikiLeaksV2, a clear-web mirror that extends exposure beyond the dark web, ensuring that organisations that don’t monitor Tor-based leak sites still face reputational damage.
This multi-lever extortion model does not operate in isolation. It sits within a competitive landscape where four groups are now pulling ahead of the pack, and understanding why Qilin leads that pack is where the picture comes together.
How Does Qilin Compare to LockBit, Akira, and The Gentlemen in the 2026 Ransomware Landscape?
LockBit remains the largest ransomware group by infrastructure scale, but Qilin is arguably the fastest at turning novel CVEs into operational campaigns. That speed defines its competitive position.
Beazley Security’s Q1 2026 data puts Qilin at 419 public victim posts, surpassing all other groups. The Gentlemen followed with 210, and Akira with 191. Dragos analysis confirms Qilin as the most active ransomware operation impacting industrial organisations, with 198 industrial incidents in Q1 2026.
LockBit brings the broadest tooling and the deepest bench of experienced affiliates, rebuilding as LockBit 5.0 after Operation Cronos. It offers up to 90 percent affiliate splits at top tiers. But its centralised tooling development model means it is slower to operationalise novel CVEs than Qilin’s distributed approach. LockBit’s affiliates wait for the core group. Qilin’s affiliates don’t.
Akira, which has accumulated $244 million in proceeds, competes with Qilin for the same mid-market enterprise and healthcare targets. It matches Qilin’s monthly breach volume in some quarters but relies more on credential-based access and phishing than zero-day weaponisation. The Chrome credential harvesting technique is a Qilin differentiator that Akira hasn’t matched.
The Gentlemen took a different path. Founded by an experienced Qilin affiliate who left after a commission dispute, the group went from zero victims in August 2025 to 166 in Q1 2026. Its most distinctive asset: a cache of approximately 14,700 pre-exploited FortiGate devices exploited via CVE-2024-55591, plus 969 validated brute-forced FortiGate VPN credentials. A credential-aggregation model, not zero-day exploitation, but dangerous at the same scale.
Then there’s the cartelisation trend. In September 2025, DragonForce announced a coalition with Qilin and LockBit, restructured as a self-described cartel with a 20 percent operator cut and white-label options. The competitive landscape may be shifting toward cooperation rather than pure competition. Recorded Future predicts 2026 will be the first year that new ransomware actors operating outside Russia outnumber those within it.
Where Qilin’s organisational model leaves you
Qilin’s advantage lies in organisational design, not malware sophistication. The 80 to 85 percent affiliate split, the autonomy to weaponise zero-days independently, and the IAB marketplace that diffuses a single CVE into dozens of concurrent intrusions form a structural engine that traditional ransomware operations can’t replicate. The speed comes from the incentive structure (autonomous affiliates investing their own margins in capability development), not from any technical innovation in the payload.
The dwell-time collapse from 60 days to under four days reflects the RaaS model’s ability to distribute zero-day weaponisation across an incentivised network, an organisational dynamic, not a technological one. Chrome credential harvesting, WSL abuse, and LOTL tradecraft are the tactical manifestations of a structural advantage: autonomous affiliates investing their own margins in capability development.
The double extortion model (exfiltration before encryption, regulatory weaponisation, staged leak publication) demands that you plan for data exposure, not just system recovery. The competitive landscape confirms the pattern: the groups dominating Q1 2026 are all RaaS operations with high affiliate splits. You need to match structural threats with structural responses: Zero Trust architecture that contains lateral movement, behavioural detection that catches LOTL activity, and incident response planning that assumes data exfiltration has already occurred before encryption triggers. For the broader strategic picture, including what defenders can do about the VPN attack surface, our incident overview connects this actor analysis to the defence question. The architectural defence approach that addresses this pattern directly is where the conversation goes next.
Frequently Asked Questions
Why did Qilin rebrand from Agenda ransomware?
Qilin was previously tracked as Agenda ransomware, with the rebrand observed in late 2023 as the operation matured its RaaS infrastructure and expanded its affiliate network. The name change coincided with the group’s shift toward a more structured affiliate model, the launch of its dedicated Data Leak Site, and a deliberate effort to distance the operation from earlier, less sophisticated campaigns. The underlying TTPs, however, including Chrome credential harvesting and living-off-the-land tradecraft, remained consistent across both identities.
How do I know if my organisation has been targeted by Qilin?
The earliest detection opportunity is anomalous PowerShell and WMI activity against domain controllers, followed by Mimikatz execution targeting lsass.exe processes. Unusual Rclone outbound transfers to unfamiliar VPS hosts, Chrome credential harvesting scripts distributed via Group Policy, and Volume Shadow Copy deletion via vssadmin are high-confidence indicators. Rapid7 has published specific detection rules for InsightIDR customers, and nine attacker IP addresses plus two ELF hashes are publicly documented as concrete IoCs from the CVE-2026-50751 campaign.
What happens if my organisation pays the ransom?
Paying the ransom does not guarantee data deletion, system recovery, or an end to extortion pressure. Qilin’s double extortion model means exfiltrated data remains on the group’s Tor-based leak site infrastructure regardless of payment, and the “Call Lawyer” feature has demonstrated willingness to sustain regulatory pressure even after a ransom is paid. The Synnovis attack showed that refusal leads to publication, but payment creates no enforceable assurance that 400GB of patient data would not surface later through the WikiLeaksV2 clear-web mirror.
Which industries does Qilin target most?
Healthcare, education, manufacturing, and professional services organisations are Qilin’s most frequent victims, with the Synnovis pathology services attack on the NHS standing as the highest-profile healthcare compromise. The group’s targeting is driven less by sector preference than by access opportunity: any organisation with exposed Check Point VPN appliances, domain-joined Windows environments with saved Chrome credentials, and WSL enabled presents a viable target. The 500-plus victims in 2026 span multiple sectors, confirming that Qilin’s affiliate model prioritises access quality over industry specialisation.
What should organisations do if they are using vulnerable Check Point VPN appliances?
Apply the vendor patch immediately. Check Point released fixes for CVE-2026-50751 on 27 May 2026, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog by 8 June, mandating federal agency remediation. Beyond patching, organisations should review VPN authentication logs for IKEv1-based sessions from unexpected IP addresses, audit Group Policy Objects for unauthorised script modifications, and implement network segmentation that limits lateral movement from VPN termination points to domain controllers. The 32-day window between first exploitation and advisory publication means retrospective threat hunting is essential.
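The log review step above, as an added example (not code from the article or from Check Point): it flags IKEv1 sessions established inside the exposure window from addresses outside the organisation’s expected source ranges and summarises which accounts each such address authenticated as. The key=value log format, the field names, the expected ranges and the local patch date are constructed assumptions; only the 7 May first-exploitation date comes from the article.

```python
"""Retrospective hunt over VPN authentication logs for the review step above.

Added example, not from the article or from Check Point: the log format,
field names, expected source ranges and local patch date are constructed
assumptions. Sessions through the bypass succeed, so the hunt looks at
accepted IKEv1 sessions, not at failed logins.
"""
import ipaddress
from collections import defaultdict
from datetime import date

FIRST_EXPLOITED = date(2026, 5, 7)    # from the article: first in-the-wild exploitation
LOCAL_PATCH_DATE = date(2026, 6, 2)   # assumption: the day this appliance was patched

# Assumption: ranges remote-access users normally connect from (office egress, MSP).
EXPECTED_SOURCES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]


def parse_line(line):
    """Parse one constructed 'key=value' VPN log line into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["date"] = date.fromisoformat(fields["date"])
    fields["src"] = ipaddress.ip_address(fields["src"])
    return fields


def is_expected(addr):
    """True when the source address falls inside a known user range."""
    return any(addr in net for net in EXPECTED_SOURCES)


def hunt(lines):
    """Return {src_ip: sorted list of users} for suspicious IKEv1 sessions:
    accepted, inside the exposure window, from an unexpected source."""
    findings = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f["ike"] != "v1" or f["result"] != "accept":
            continue
        if not FIRST_EXPLOITED <= f["date"] <= LOCAL_PATCH_DATE:
            continue
        if is_expected(f["src"]):
            continue
        findings[str(f["src"])].add(f["user"])
    return {ip: sorted(users) for ip, users in findings.items()}


SAMPLE_LOG = [  # constructed lines, not real Check Point output
    "date=2026-05-10 src=198.51.100.7 user=alice ike=v1 result=accept",
    "date=2026-05-12 src=192.0.2.55 user=alice ike=v1 result=accept",
    "date=2026-05-12 src=192.0.2.55 user=svc_backup ike=v1 result=accept",
    "date=2026-05-20 src=192.0.2.55 user=bob ike=v2 result=accept",
    "date=2026-04-30 src=192.0.2.9 user=carol ike=v1 result=accept",
    "date=2026-06-05 src=192.0.2.9 user=carol ike=v1 result=accept",
]

if __name__ == "__main__":
    for ip, users in hunt(SAMPLE_LOG).items():
        print(f"{ip}: IKEv1 sessions as {', '.join(users)}")
```

Flagged sessions are leads to correlate with the post-exploitation indicators on the affected hosts, not proof of compromise on their own.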
How does Qilin recruit its affiliates?
Qilin recruits through Russian-language cybercriminal forums, historically including RAMP Forum before its January 2026 FBI seizure, as well as XSS and other underground marketplaces. The 80 to 85 percent revenue split functions as the primary recruitment incentive, attracting affiliates displaced by Operation Cronos, the ALPHV/BlackCat exit scam, and the RansomHub dissolution. Recruitment posts emphasise affiliate autonomy, the absence of victimology restrictions, and the core group’s provision of payload, payment infrastructure, and leak site hosting, with initial access left entirely to the affiliate’s capability and investment.
Can endpoint detection tools catch Qilin’s WSL-based ransomware execution?
Detection is possible but requires endpoint security solutions with visibility into Linux subsystem processes on Windows hosts. Standard Windows-native EDR agents often lack telemetry into WSL environments, which is precisely why Qilin affiliates adopted this technique. Organisations should ensure their EDR platforms support WSL process monitoring, deploy behavioural rules that flag ransomware-like file system modifications originating from Linux processes on Windows hosts, and audit WSL enablement across enterprise endpoints. Microsoft Defender for Endpoint has progressively improved WSL visibility since 2025.
Are decryptors available for Qilin ransomware?
No publicly available decryptor exists for Qilin’s AES-256 CTR encryption with AES-NI hardware acceleration. The encryption implementation, combined with the group’s pre-encryption Volume Shadow Copy deletion and Safe Mode reboot routine, means recovery depends entirely on offline backups that were isolated from the compromised network before the intrusion reached the backup infrastructure. The No More Ransom project has not released a Qilin decryptor, and no cryptographic weaknesses have been documented in the group’s encryption scheme that would enable third-party tool development.
Does Qilin target small businesses or only large enterprises?
Qilin affiliates target organisations across the revenue spectrum. While the Synnovis/NHS attack and other high-profile incidents involved large healthcare and enterprise victims, the group’s affiliate model does not restrict targeting by organisation size. Smaller businesses with exposed VPN appliances, limited security monitoring, and no dedicated incident response capability are attractive targets precisely because their detection and recovery timelines are longer, increasing the likelihood of ransom payment. The Initial Access Broker marketplace prices access by victim revenue, meaning smaller organisations represent lower-cost, higher-margin targets for affiliates.
What happened to the NHS after the Synnovis ransomware attack?
The June 2024 Synnovis attack, which Qilin claimed, resulted in 400GB of patient data published on the group’s Data Leak Site after the NHS refused the reported $50 million ransom demand. The immediate operational impact included cancellation of thousands of NHS appointments and surgical procedures across multiple London hospitals that relied on Synnovis pathology services. The NHS subsequently invested in strengthened third-party supply chain security requirements, and the incident became a regulatory benchmark for healthcare-sector ransomware preparedness under the UK’s updated cyber security framework.
How does Qilin’s “Call Lawyer” feature actually work?
The “Call Lawyer” feature embedded in Qilin’s affiliate panel generates templated legal-style communications that frame a victim’s refusal to pay as creating regulatory liability under GDPR, CCPA, and HIPAA. These communications cite potential fines, mandatory breach notification obligations, and civil litigation exposure in language designed to escalate pressure from the victim’s legal and compliance teams. The feature does not involve actual solicitors; it is a psychological extortion lever that weaponises the regulatory frameworks organisations are already most concerned about, adding institutional legal pressure alongside operational and reputational damage.
What makes VPN zero-days more dangerous than credential-stuffed VPN access?
Zero-day exploitation provides authenticated VPN access that leaves no credential compromise trail, making initial intrusion detection significantly harder than credential-stuffing attacks, which typically generate failed authentication logs, unusual geo-location patterns, and MFA prompt anomalies. When CVE-2026-50751 was exploited, Qilin affiliates arrived as legitimate authenticated users on the VPN concentrator, bypassing perimeter monitoring entirely. Organisations relying on credential-based detection rules will miss zero-day intrusions until post-exploitation activity triggers behavioural alerts, by which point the attacker is already inside the network.