Sophos X-Ops uncovered a major breach involving Qilin ransomware, revealing a novel and alarming tactic involving the mass theft of credentials stored in Google Chrome browsers from compromised endpoints.
The Qilin ransomware group has been operational since at least 2022 and gained notoriety for its “double extortion” strategy. This method involves stealing a victim’s data, encrypting their systems, and threatening to expose or sell the stolen data unless a ransom is paid.
This credential-harvesting technique poses serious risks beyond the immediate victims, highlighting the evolving nature of ransomware attacks.
Initial Access and Lateral Movement
In June 2024, Qilin ransomware attacked Synnovis, a UK governmental service provider for healthcare bringing the cybercrime group into the spotlight. The breach began with the attackers gaining access through compromised credentials for a VPN portal that lacked multi-factor authentication (MFA).
After 18 days of surveillance, the attackers moved laterally within the network to a domain controller. Here, they modified the Group Policy Objects (GPO) to introduce a PowerShell script named `IPScanner.ps1`, designed to harvest credentials stored in Chrome browsers.
This script was executed every time a user logged into their device, allowing the attackers to collect credentials from multiple devices connected to the network. The harvested data was stored in the SYSVOL share, named after the infected device’s hostname, and was subsequently exfiltrated to the attackers’ command-and-control server. After this data theft, the attackers deleted the local copies and cleared event logs to cover their tracks before deploying the ransomware payload.
Qilin ransomware targets Google Chrome, which holds over 65% of the browser market share. Therefore, the attackers could potentially access a vast array of usernames and passwords stored by users.
Organizations affected by this attack must reset all Active Directory passwords and advise users to change passwords for any sites saved in their browsers. The scale of the breach means that a single compromised account could lead to dozens or even hundreds of additional breaches across various services, significantly complicating response efforts.
Sophos researchers noted that this new approach could be a “bonus multiplier” for the chaos already inherent in ransomware situations. By harvesting credentials, Qilin and similar groups can gain insights into high-value targets, facilitating more sophisticated and damaging attacks in the future. This trend raises significant concerns about the security of organizations that may not be adequately prepared to defend against such multifaceted threats.