On May 27, 2026, the Qilin ransomware group claimed responsibility for a cyberattack against Roofing Solutions, a U.S. construction company. The group warned it would leak sensitive data unless its demands are met; Roofing Solutions has not confirmed the attack or the group's claims as of publication. This alleged breach was first reported by DeXpose on May 28, 2026.

What Happened

The Qilin ransomware group, also known as Agenda, claimed responsibility on May 27, 2026, for an attack against Roofing Solutions, a U.S. construction firm, according to BleepingComputer. This Ransomware-as-a-Service (RaaS) operation uses a double extortion model: encrypting victim data with AES-256-CTR and threatening public disclosure of exfiltrated sensitive information. The group’s toolkit includes ransomware variants developed in both Golang and Rust, allowing cross-platform deployment on Windows, Linux, and VMware ESXi environments.

Attackers gain initial access via social engineering or by exploiting known vulnerabilities in internet-facing software. Reported examples include CVE-2024-21762, an out-of-bounds write in the FortiOS SSL VPN that allows unauthenticated remote code execution, and CVE-2024-27198, an authentication bypass in JetBrains TeamCity On-Premises that grants administrative access. Qilin has also been observed using CVE-2023-27532 in Veeam Backup & Replication to retrieve encrypted credentials from the backup server, as reported by BleepingComputer. Once inside, affiliates customize deployments, passing parameters that skip specific directories or processes and exclude certain virtual machines from shutdown. The group also uses a custom Chrome credential stealer to harvest passwords saved in the browser.

Why It Matters

Qilin ransomware rapidly became the most prolific ransomware operation in 2025, claiming over 1,000 victims globally, as reported by SecurityWeek. The group's activity saw a 56% increase in monthly victim count after the collapse of RansomHub, with affiliates migrating to Qilin, according to SecurityWeek. In July 2025 alone, Qilin was responsible for 73 victims, representing approximately 17% of all reported ransomware attacks. They strategically target primary verticals offering large payouts, including manufacturing, legal, financial services, healthcare, and education. These targets often share common IT infrastructure weaknesses: large enterprises with distributed environments, organizations with legacy systems, or misconfigured remote access. The United States remains the most targeted country, accounting for over half of all Qilin victims. For instance, in June 2024, Qilin demanded a $50 million ransom from Synnovis, a UK-based medical company, claiming to have exfiltrated 400GB of healthcare data, according to BleepingComputer. Synnovis did not confirm the exfiltration amount or ransom demand.

Affected Scope & Remediation

Organizations running vulnerable instances of FortiOS, JetBrains TeamCity On-Premises, or Veeam Backup & Replication are directly exposed to Qilin's preferred initial access vectors. If you're running any of these platforms, patch them now. Specifically, FortiOS SSL VPN users need to patch for CVE-2024-21762, an out-of-bounds write that allows unauthenticated remote code execution, is actively exploited in the wild, and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. JetBrains TeamCity On-Premises administrators must patch CVE-2024-27198 to close the authentication bypass that grants unauthorized admin access. Veeam Backup & Replication users should confirm they've applied the fix for CVE-2023-27532 to prevent unauthenticated retrieval of stored backup credentials.

Beyond specific CVEs, Qilin's reliance on social engineering and stolen credentials for initial access means MFA enforcement and credential rotation after any suspected exposure are critical. Deploy multi-factor authentication (MFA) everywhere, especially for remote access services and privileged accounts, and prefer phishing-resistant hardware authenticators such as YubiKey where possible. Implement network segmentation to limit lateral movement if an initial breach occurs. Endpoint detection and response (EDR) solutions, such as CrowdStrike Falcon or SentinelOne, are essential for identifying post-exploitation activity such as browser credential theft, shadow copy deletion, or customized ransomware deployments. Regularly audit configurations for remote access services, ensuring minimal exposure and proper logging.

For the specific vulnerabilities Qilin has exploited, if immediate patching isn't possible, apply the vendor-recommended workarounds or temporarily disable the vulnerable service (for example, the SSL VPN or the TeamCity web interface) until fixes can be deployed; this at least reduces the exposed attack surface. Separately, implement an immutable, regularly tested backup strategy with offline or air-gapped copies to limit the impact of encryption. Backups do not shrink the attack surface, but they remove the attacker's leverage over data availability. Since Qilin has targeted Veeam servers specifically to harvest credentials, treat backup infrastructure as a high-value asset: keep it patched, isolated from the production domain, and accessible only with dedicated credentials.

Source: bleepingcomputer.com

Technical Breakdown

Qilin's attack chain typically begins with Initial Access via T1566.001 (Spearphishing Attachment) or T1190 (Exploit Public-Facing Application), targeting vulnerabilities like those in Fortinet, JetBrains, or Veeam. A RaaS operation functions like a franchise: Qilin developers build the ransomware and infrastructure, then affiliates buy access to use it, getting a cut of successful ransoms. This decentralizes the attack vector, making it harder to track and enabling a wider range of initial access techniques, from social engineering to exploiting common network edge devices.

Once a foothold is established, affiliates move to Credential Access, employing T1003 (OS Credential Dumping) on compromised hosts and harvesting credentials from other stores, such as the encrypted backup credentials exposed by CVE-2023-27532 in Veeam or passwords saved in Chrome collected by a custom stealer. These stolen credentials, used under T1078 (Valid Accounts), then enable lateral movement and privilege escalation. The configurable build (skip directories, terminate processes, spare selected virtual machines) means the payload is tailored to each victim rather than run with fixed defaults, which also makes its command line and behaviour vary between intrusions.

Finally, the Impact phase involves T1486 (Data Encrypted for Impact), where AES-256-CTR encrypts victim data, and T1490 (Inhibit System Recovery), deleting shadow copies and backups so the victim cannot restore without the key. Before encryption, the affiliates perform T1041 (Exfiltration Over C2 Channel), stealing sensitive data to back the double extortion threat. In NIST SP 800-53 terms, the operation demands strong controls around IA-2 Identification and Authentication (Organizational Users) to prevent initial access, AC-6 Least Privilege to limit lateral movement, and SI-2 Flaw Remediation to ensure known vulnerabilities aren't left unpatched. Effective IR-4 Incident Handling is critical when these controls fail.
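The T1490 step is one of the few moments in this chain that is loud in process-creation telemetry, because the recovery-inhibiting commands are stock Windows utilities with distinctive arguments. The following added example (written for this article, not code from the source reports or from any Qilin sample) scans constructed Sysmon-style process-creation records for those command lines and flags hosts where several distinct recovery-inhibit techniques fire together, which is the point at which a responder should isolate the machine. The `host=...|user=...|cmd=...` record format and the hostnames are assumptions for the example; the patterns are generic ransomware tradecraft, not Qilin-specific indicators.

```python
"""Detect T1490 (Inhibit System Recovery) command lines in process-creation logs.

Added example for this article; not code from the original page or from any
ransomware sample. Log lines below are constructed to resemble Sysmon Event ID 1
(or Windows 4688) data flattened into key=value pairs.
"""
import re
from dataclasses import dataclass

# Command-line patterns commonly used to destroy recovery points before encryption.
# Generic ransomware tradecraft; any single hit warrants triage, several together
# on one host are a strong pre-encryption signal.
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin_resize_storage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I
    ),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "powershell_win32_shadowcopy": re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
}


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    command_line: str


# Constructed sample records (hostnames, users and paths are assumptions).
SAMPLE_LOGS = [
    "host=FILESRV01|user=CORP\\svc_backup|image=C:\\Windows\\System32\\vssadmin.exe"
    "|cmd=vssadmin.exe delete shadows /all /quiet",
    "host=FILESRV01|user=CORP\\svc_backup|image=C:\\Windows\\System32\\cmd.exe"
    "|cmd=cmd.exe /c wmic shadowcopy delete",
    "host=WKS-042|user=CORP\\jdoe|image=C:\\Windows\\System32\\bcdedit.exe"
    "|cmd=bcdedit /set {default} recoveryenabled No",
    "host=WKS-042|user=CORP\\jdoe|image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|cmd=chrome.exe --profile-directory=Default",
    "host=FILESRV01|user=CORP\\svc_backup|image=C:\\Windows\\System32\\wbadmin.exe"
    "|cmd=wbadmin delete catalog -quiet",
]


def parse_record(line):
    """Split a 'k=v|k=v' record into a dict; values may contain '=' so split on the first only."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def scan(lines):
    """Return one Finding per (record, rule) match. A record can trigger several rules."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        cmd = rec.get("cmd", "")
        for rule, pattern in RECOVERY_INHIBIT_PATTERNS.items():
            if pattern.search(cmd):
                findings.append(Finding(rec.get("host", "?"), rec.get("user", "?"), rule, cmd))
    return findings


def hosts_to_isolate(findings, threshold=2):
    """Hosts on which at least `threshold` distinct recovery-inhibit rules fired.

    One hit may be an admin cleaning up disk; several different techniques in the
    same window almost never are, so these hosts get isolated first.
    """
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for f in hits:
        print(f"[{f.rule}] {f.host} {f.user}: {f.command_line}")
    print("isolate:", hosts_to_isolate(hits))
```

In production the same logic runs against the EDR or SIEM process-creation stream rather than an in-memory list; the useful part is the per-host aggregation, which turns individually noisy rules into a high-confidence "encryption is imminent" alert and a concrete isolation list.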

Historical Context

The Qilin ransomware group, originally identified as "Agenda" in July 2022, has systematically evolved its operations to become a dominant force. A key historical incident illustrating its capability and impact was the attack on Synnovis, a UK-based medical company, in June 2024. During this incident, Qilin demanded a significant $50 million ransom for approximately 400GB of healthcare data, according to BleepingComputer. Synnovis has not confirmed the ransom amount or the volume of data exfiltrated.

What has stayed constant across Qilin's history, from Synnovis to the alleged Roofing Solutions attack, is the double extortion model and the RaaS structure. The technical sophistication, with Golang and Rust variants and custom payloads, has also been a constant. What has changed is the scale and the choice of targets. Initially, Agenda/Qilin showed broader, less focused targeting. By 2025, the group had refined its approach, concentrating on high-value sectors such as manufacturing, healthcare, and increasingly construction, where common IT infrastructure weaknesses and dependence on uptime make payment more likely. This shift in targeting and the accompanying operational growth mark a significant evolution from its earlier activity.

Data at a Glance

Metric                                                 Value                  Source
Qilin victims claimed in 2025                          1,000+                 SecurityWeek
Monthly victim increase after RansomHub collapse       56%                    SecurityWeek
Qilin victims in July 2025                             73                     SecurityWeek
Share of all reported ransomware attacks (July 2025)   ~17%                   SecurityWeek
Synnovis ransom demand claimed (June 2024)             $50 million            BleepingComputer
Synnovis data exfiltration claimed (June 2024)         400GB                  BleepingComputer
Cleveland Municipal Court ransom demand (Feb 2025)     $4 million             BleepingComputer
Malaysia Airports ransom demand (March 2025)           $10 million            BleepingComputer
Most targeted sector                                   Manufacturing (23%)    SecurityWeek

[Chart: key metrics for Qilin ransomware; data from the sources cited above]

The CVEDaily Take

Qilin's rapid scaling and exploitation of common infrastructure weaknesses are a blueprint for modern RaaS success. Focusing on patching known vulnerabilities is table stakes, but strong identity management, network segmentation, and aggressive EDR are the real differentiators against such adaptable threat actors. We see that the "Call Lawyer" button in their affiliate panel is not just a psychological trick; it signals operational maturity designed to streamline the negotiation process. That they are now hitting sectors like construction, historically less hardened than, say, finance or defense, tells us they are maximizing their addressable market. It's a pragmatic, if unethical, business model. Has your team re-evaluated your critical asset protection strategies against a RaaS model that exploits multiple initial access vectors?

FAQ

Q1: What is the significance of the "Call Lawyer" button in Qilin's affiliate panel?
A1: The "Call Lawyer" button is a unique psychological tactic designed to increase pressure on victims during ransom negotiations. It suggests Qilin affiliates have legal guidance on standby, aiming to intimidate victims into believing they have limited legal recourse or better negotiation outcomes by paying.

Q2: How does Qilin typically gain initial access to target networks?
A2: Qilin employs multiple initial access vectors, including social engineering (often via spearphishing), exploiting public-facing applications with known vulnerabilities (such as CVE-2024-21762 in Fortinet and CVE-2024-27198 in JetBrains TeamCity), and leveraging compromised managed service providers (MSPs) or stolen credentials obtained through infostealer malware.

Q3: Why does Qilin use both Golang and Rust for its ransomware variants?
A3: Both Golang and Rust cross-compile easily to Windows, Linux, and VMware ESXi targets and produce self-contained binaries with few runtime dependencies, so the same payload logic can be built for every platform an affiliate finds in a victim environment. That widens the set of systems a single intrusion can encrypt, including the hypervisors that host many virtual machines at once, which increases the leverage behind the extortion demand and makes the RaaS offering more attractive to affiliates.