Sophos X-Ops has discovered a major breach involving the Qilin ransomware, revealing a new and alarming tactic of stealing credentials stored in Google Chrome browsers from compromised endpoints en masse.
The Qilin ransomware group has been active since at least 2022 and has become infamous for its “double extortion” strategy. This method involves stealing a victim’s data, encrypting their systems, and threatening to release or sell the stolen data unless a ransom is paid.
This credential harvesting technique poses serious risks beyond the immediate victims, underscoring the changing nature of ransomware attacks.
Initial access and lateral movement
In June 2024, Qilin ransomware attacked Synnovis, a UK government healthcare provider, putting the cybercrime group in the spotlight. The breach began when the attackers gained access via compromised credentials for a VPN portal that lacked multi-factor authentication (MFA).
After 18 days of surveillance, the attackers moved laterally within the network to a domain controller. There, they modified the Group Policy Objects (GPO) to introduce a PowerShell script called `IPScanner.ps1`, designed to collect credentials stored in Chrome browsers.
This script was executed every time a user logged into their device, allowing the attackers to collect credentials from multiple devices connected to the network. The collected data was stored in the SYSVOL share named after the hostname of the infected device and was then exfiltrated to the attackers’ command-and-control server. Following this data theft, the attackers deleted the local copies and wiped the event logs to cover their tracks before deploying the ransomware payload.
Qilin ransomware targets Google Chrome, which holds over 65% of the browser market share. Therefore, the attackers could potentially gain access to a large number of usernames and passwords stored by users.
Organizations affected by this attack should reset all Active Directory passwords and advise users to change passwords for all sites stored in their browsers. The scale of the breach means that a single compromised account could lead to dozens or even hundreds of additional breaches across multiple services, significantly complicating the response.
Sophos researchers noted that this new approach could be a “bonus multiplier” to the chaos already inherent in ransomware situations. By collecting credentials, Qilin and similar groups could gain visibility into high-value targets, enabling more sophisticated and damaging attacks in the future. This trend raises significant security concerns for organizations that may not be adequately prepared to defend against such multifaceted threats.
