Qilin Targets Chrome Credentials in New Ransomware Attack

The Russia-linked cybercrime group Qilin, previously known for its disruptive ransomware attacks on U.K. hospitals in June, has unveiled a new and alarming tactic in its arsenal: stealing credentials stored in Google Chrome browsers. This development adds a troubling layer to the already costly and pervasive ransomware threat.

Qilin, a relatively new entrant into the ransomware landscape, began operations in October 2022 with a Ransomware-as-a-Service model. Despite its recent emergence, the group has already made a significant impact. Researchers from the Sophos X-Ops team have recently uncovered that Qilin’s latest attack involves a novel approach that exacerbates the chaos typical of ransomware incidents. This new tactic involves not only encrypting files but also harvesting credentials from Chrome browsers across the victim network, potentially expanding the scope of the attack beyond its initial targets.

Sophos X-Ops analyzed an attack attributed to Qilin that occurred in July 2024, following the hospital disruptions in London. While the victim’s identity remains undisclosed, the attack methodology has been detailed. According to the analysis, Qilin initially compromised a set of credentials that provided access to a VPN portal. This portal lacked multi-factor authentication, making it vulnerable to exploitation. The credentials likely originated from an initial access broker—cybercriminals who procure access points for ransomware groups through illicit marketplaces.

Interestingly, there was an 18-day gap of inactivity after the initial breach. This hiatus supports the theory that an initial access broker facilitated the attack, providing the ransomware group with the necessary entry point. Paul Bischoff, a consumer privacy advocate at Comparitech, remarked on this aspect: “Although Qilin’s attack might be new, the initial access vector is not. You don’t need a new sophisticated way to prevent the attack; just secure your VPN using two-factor authentication.”

Once inside the network, Qilin’s attackers waited before moving laterally to compromise a domain controller. They modified the domain policy to include a script designed to harvest credentials from Chrome browsers. Another script was used to execute this task. As a result, credentials saved in Chrome on machines within the network were extracted. The nature of these scripts meant that they executed on each client machine as users logged in, further amplifying the attack’s impact.

The decision by Qilin to target Chrome browser credentials is particularly noteworthy given Chrome’s dominance in the browser market, holding a 65% share. According to Sophos researchers, an average machine stores around 87 work-related passwords and twice that number for personal accounts. The fact that ransomware groups are now focusing on this repository of credentials is a significant development.

Glenn Chisholm, Chief Product Officer at Obsidian Security, highlighted the implications of this tactic: “The attackers clearly understood the value of the credentials being stored in Chrome and took sophisticated steps to deploy malware across the organization. Beyond the ransomware tactics, this would give the attackers broad access to any application where credentials have been stored.” This insight underscores the potential for credential theft to provide attackers with extensive access to various applications and services within an organization.

If Qilin or other ransomware groups continue to exploit stored credentials in future attacks, it could lead to a new wave of cybercrime. Such tactics might offer attackers a foothold in subsequent targets or yield valuable information about high-value individuals that could be exploited in other ways. The researchers from Sophos X-Ops suggest that this shift could mark “a dark new chapter” in the evolving story of cybercrime.

In summary, the recent activities of the Qilin group reveal a troubling innovation in ransomware attacks. By targeting credentials stored in Google Chrome, Qilin has demonstrated an understanding of the vast potential for expanding the reach and impact of its attacks. Organizations are now faced with the urgent need to enhance their security measures, particularly in safeguarding credentials and implementing multi-factor authentication, to counter this emerging threat.