Sophos X-Ops has discovered a major Qilin ransomware breach, revealing a novel and alarming tactic involving the mass theft of credentials stored in Google Chrome browsers from compromised endpoints.
The Qilin ransomware group has been operational since at least 2022 and gained notoriety for its “double extortion” strategy. This method involves stealing a victim’s data, encrypting their systems, and threatening to expose or sell the stolen data unless a ransom is paid.
This credential harvesting technique poses serious risks beyond the immediate victims, highlighting the changing nature of ransomware attacks.
Initial access and lateral movement
In June 2024, the Qilin ransomware attacked Synnovis, a UK-based government healthcare services provider, putting the cybercriminal group in the spotlight. The breach began when the attackers gained access through compromised credentials for a VPN portal that lacked multi-factor authentication (MFA).
After 18 days of surveillance, the attackers moved laterally within the network to a domain controller. There, they modified Group Policy Objects (GPOs) to introduce a PowerShell script called `IPScanner.ps1`, designed to harvest credentials stored in Chrome browsers.
This script was executed every time a user logged into their device, allowing the attackers to harvest credentials from multiple devices connected to the network. The collected data was stored in the SYSVOL share, named after the hostname of the infected device, and then leaked to the attackers’ command and control server. Following this data theft, the attackers deleted local copies and erased event logs to cover their tracks before deploying the ransomware payload.
Qilin ransomware targets Google Chrome, which holds more than 65% of the browser market. Attackers could therefore access a wide range of usernames and passwords stored by users.
Organizations affected by this attack should reset all Active Directory passwords and recommend that users change passwords for all sites saved in their browsers. The scale of the breach means that a single compromised account could lead to dozens or even hundreds of additional breaches across multiple services, significantly complicating response efforts.
Sophos researchers noted that this new approach could be an “additional multiplier” to the chaos already inherent in ransomware situations. By harvesting credentials, Qilin and similar groups can gain information about high-value targets, facilitating more sophisticated and damaging attacks in the future. This trend raises significant security concerns for organizations that may not be adequately prepared to defend against such multifaceted threats.
