Qilin / Agenda — Rust-based ransomware-as-a-service; Q3 2025 German operational tempo tripled (GTIG); 23 Q1 2026 healthcare claims

Status update on the W24 § 1 item: NCSC-NL updated its advisory on 2026-06-16 to note public proof-of-concept code is now available for the IKEv1 VPN authentication bypass, which a Qilin ransomware affiliate has used for initial access (Help Net Security; NCSC-NL NCSC-2026-0179; daily 06-17). A Remote Access VPN gateway still running the deprecated IKEv1 path is an active ransomware entry point. Apply the Check Point hotfix and disable IKEv1 where IKEv2 can replace it.

If you did nothing this week: a Remote Access VPN gateway running the deprecated IKEv1 path is an active ransomware entry point — a Qilin affiliate is using this bypass for initial access.

Check Point disclosed and patched CVE-2026-50751 (CVSS 9.3) on 8 June — a certificate-validation logic flaw in the deprecated IKEv1 key exchange affecting Remote Access VPN and Mobile Access on Security Gateway (Check Point; daily 06-09). The disclosure noted exploitation by a Qilin ransomware affiliate, which puts this firmly in the inaction-equals-incident column: VPN gateways are the front door, and a ransomware crew is already through it on unpatched IKEv1 deployments.

Apply the hotfix and, where operationally possible, disable IKEv1 entirely in favour of IKEv2 — the flaw lives in a protocol path most estates no longer need. Hunt for anomalous VPN session establishment without corresponding successful certificate validation and for new Remote Access sessions from unexpected geographies.

Check Point disclosed and patched CVE-2026-50751 (CVSS 9.3) on 8 June 2026 — a logic-flow weakness in certificate validation in the deprecated IKEv1 key exchange affecting Remote Access VPN and Mobile Access deployments. An unauthenticated remote attacker can establish a VPN session without a valid user password; post-authentication activity is still required to reach internal resources (Check Point, 2026-06-08). NCSC-CH issued an Action-Required advisory the same day and links observed exploitation to a Qilin ransomware affiliate (NCSC-CH, 2026-06-08); CISA added the CVE to its KEV catalog on 8 June. Full technical treatment, exploitation prerequisites and hardening are in § 5 below. The companion CVE-2026-50752 (CVSS 7.4, site-to-site IKEv1 MitM, no observed exploitation) should be patched in the same window.

Microsoft Threat Intelligence published a detailed exposure of "Fox Tempest" on 2026-05-19, concurrent with the Microsoft Digital Crimes Unit unsealing a U.S. District Court (SDNY) civil action and seizing the signspace[.]cloud infrastructure (The Record, 2026-05-19). The actor operated a malware-signing-as-a-service (MSaaS) since at least May 2025, abusing Microsoft Artifact Signing (formerly Azure Trusted Signing) to mint short-lived (72-hour) code-signing certificates tied to stolen US and Canadian identities (Microsoft Threat Intelligence). Customers uploaded malicious binaries — masquerading as AnyDesk, Teams, PuTTY, Webex — and received Microsoft-signed executables that bypassed AV/EDR signing checks. Microsoft's write-up details the service's commercialisation: short-lived signing certificates sold to ransomware affiliates per signing run, with infrastructure transitioning in February 2026 to VM-based delivery on Cloudzy-hosted hosts that accepted customer binaries and returned signed outputs.

Confirmed downstream customers: Vanilla Tempest (deploying Rhysida ransomware via Microsoft-signed MSTeamsSetup.exe carrying the Oyster/Broomstick backdoor), Storm-0501, Storm-2561, Storm-0249, and ransomware families Rhysida, INC, Qilin, Akira, plus commodity loaders Oyster, Lumma Stealer, and Vidar. Microsoft revoked 1,000+ fraudulent code-signing certificates, disabled hundreds of Cloudzy-hosted VMs that Fox Tempest used as its delivery surface, and rolled identity-validation controls into Artifact Signing. Microsoft's blog notes confirmed affected sectors include healthcare, education, government, and financial services across the US, France, India, and China.

Why it matters to us: European public-sector and healthcare organisations are explicit downstream victims of the affiliates Fox Tempest serviced (Rhysida, Qilin, Akira have all hit EU targets). Hunt for Microsoft-signed PE binaries with certificate validity ≤72 hours issued by "Trusted Signing" intermediaries after 2025-05-01 where the signing CN does not match a known organisational EV entity. Where Teams.exe / AnyDesk.exe / PuTTY / Webex installers spawn cmd.exe / powershell.exe / rundll32 / regsvr32 without the expected Microsoft installer ancestry (Sysmon EID 1 with parent-image filter), treat as Oyster/Broomstick suspect. Restrict Artifact Signing tenant creation; require phishing-resistant MFA + compliant device for Azure subscription management; alert in Defender for Cloud Apps on rapid certificate creation from newly enrolled tenants (Add-AzKeyVaultCertificate).

Microsoft Threat Intelligence and the Digital Crimes Unit disrupted Fox Tempest, a malware-signing-as-a-service operation that supplied code-signing to multiple ransomware operations (daily 2026-05-20). Status: disrupted via combined intelligence exposure and a sealed US legal action. The defender takeaway is that code-signing trust on binaries attributable to Rhysida/INC/Qilin/Akira tooling should not be treated as a benign signal — the signing pipeline was a criminal service.

Check Point's April 2026 monthly threat report (published early May 2026) confirms Qilin / Agenda leading all ransomware operators with 15% of 707 published attacks in April; Germany is the third-most-targeted country globally at 5.0% of victims (US 41.6%); Europe accounts for 27% of ransomware victims globally. Sector targeting in April 2026: Business Services (33.8%), healthcare, manufacturing. The Gentlemen — despite the May 4 backend breach — remained in the top-7 operators with 320+ victims (Check Point Research, 2026-05-08). The synthesis the dailies did not yet absorb: Germany's 5% share of global ransomware victims is materially elevated compared to the 2024–2025 baseline (~2–3%); the Qilin DLS lists 65 German victims total as of 2026-05-16 (Check Point blog, dataset reference). For Swiss defenders: CH-DE cross-border operations (Swiss subsidiaries in DE, German subsidiaries of Swiss parents) inherit the German exposure level; this is the empirical basis for a DACH-region threat-modelling premium on ransomware-readiness exercises.

W19 long-running record (item:qilin-agenda-raas-die-linke-confirms-q2-2026-german-activity) tracked Qilin's continued German activity. W20 status: Check Point's April 2026 report confirms Qilin leads all RaaS operators at 15% of 707 published attacks in April; Germany's share at 5% of global ransomware victims is the elevated-DACH-exposure data point (Qilin DLS German-victim count cited by W1 horizon research as approximately 65 as of 2026-05-16 — uncorroborated leak-site enumeration that should be treated as a lower bound); Die Linke (German political party) confirmed Qilin compromise in March 2026 (W19 carry-over); no new Swiss-specific victim named in window (Check Point Research).

Current state: GTIG's Europe data-leak landscape (§ 6) documented Qilin tripling Q3 2025 operational tempo in Germany; Die Linke (Germany federal political party) confirmed Qilin encryption with 1.5 TB exfiltrated (covered 2026-05-08), state DPA notified — Qilin German activity continues into 2026-Q2. No public-claim shift or victim-list expansion beyond Die Linke this week. Outstanding question: whether Qilin's targeting of political and civil-society organisations expands into other 2026 EU election cycles.

W1 horizon research added Q1 2026 healthcare quarterly context to the Groupe 3R item in § 1. Across Q1 2026, Akira posted 84 victims in March alone (second-most-active month on record) and claimed 5 healthcare victims; Qilin led healthcare at 23 claims (with RENAFAN GmbH and Suchthilfe direkt Essen gGmbH as Qilin's confirmed German victims), and The Gentlemen at 10 healthcare claims (Comparitech Q1 2026 Healthcare, 2026-04-29 · CyberMaxx Q1 2026). Akira's documented attack chain for healthcare: initial access via unpatched VPN (Cisco ASA, SonicWall, Fortinet) or compromised RDP credentials; lateral movement via T1021.001 Remote Services: Remote Desktop Protocol and T1047 Windows Management Instrumentation; LSASS credential harvesting via comsvcs.dll / Mimikatz; AV termination via PowerTool weaponising the Zemana AntiMalware driver (BYOVD); data exfiltration; double extortion. The cross-finding for Swiss / DACH operators reading after Groupe 3R: at least two ransomware-as-a-service operators (Akira and Qilin) are hitting European healthcare in Q1–Q2 2026 via the edge-device / unpatched-VPN attack surface, and the operator that hits a given hospital is less salient defensively than the shared initial-access funnel they exploit.

The German federal party Die Linke confirmed in April 2026 that the Qilin ransomware group (also known as Agenda, a Rust-based RaaS platform known for double extortion) encrypted and exfiltrated its systems, with the gang claiming 1.5 TB of internal data. The party's data protection officer notified the responsible Landesdatenschutzbehörde (state DPA). Die Linke issued a victim statement acknowledging operational disruption; no ransom figure has been publicly disclosed. Qilin has targeted political parties and civil-society organisations across Western Europe since 2023. This breach is approximately four weeks old but has not been previously covered in this brief series.