New Qilin tactics a ‘bonus multiplier’ for ransomware chaos

The cyber criminal Qilin ransomware gang seems to be upping the stakes in its ransomware attacks, stealing not just their victims’ data, but harvesting credentials stored within Google Chrome browsers on their endpoints, something that has never been observed before.

Described as a “bonus multiplier for the chaos already inherent in ransomware situations” by the Sophos X-Ops research team that first uncovered the novel technique, the wholesale theft of credentials that employees have innocently stored in their work browsers under the impression that they will be safe is of grave concern. Indeed, the implications could reach far beyond just the targeted organisation.

Qilin had previously favoured the standard double extortion technique, but in July 2024, Sophos’ incident responders spotted weird activity on a single domain controller within a victim’s Active Directory domain.

The gang first obtained access via compromised credentials taken from a VPN portal that lacked multifactor authentication (MFA). Then, 18 days later, its operatives started to conduct lateral movement to a domain controller, where they edited the default domain policy to introduce a logon-based Group Policy Object (GPO).

Th first of these was a PowerShell script that was written to a temporary directory within the shared NTFS directory on the domain controller. This 19-line script attempted to harvest credential data stored within Chrome. The second item was a batch script that contained the commands to execute the first. The combo resulted in the exfiltration of credentials saved on machines connected to the network, and because the two scripts were contained in a logon GPO, they were able to execute on every client when it logged in.

The X-Ops team said Qilin’s operatives seemed so confident this would not be noticed that they left the GPO active for three days – plenty of time for the majority of users to logon to their devices and inadvertently trigger the script. Additionally, once the files containing the credential data were gone, Qilin deleted all the files and cleared the event logs for both the domain controller and the user devices. Only then did they start to encrypt the victim’s files and drop their ransom note.

The research team, comprising Sophos’ Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia and Robert Weiland, said it was only natural that Qilin had targeted Chrome in this way – it holds a majority share of the browser market and according to an April 2024 NordPass survey, the average user has almost 90 work-related passwords, not to mention personal ones, to manage.

“A successful compromise of this sort would mean that not only must defenders change all Active Directory passwords; they should also, in theory, request that end users change their passwords for dozens, potentially hundreds, of third-party sites for which the users have saved their username-password combinations in the Chrome browser,” the team wrote.

“The defenders of course would have no way of making users do that. As for the end-user experience, though virtually every internet user at this point has received at least one ‘your information has been breached’notice from a site that has lost control of their users’ data, in this situation it’s reversed – one user, dozens or hundreds of separate breaches.”

Ransomware gangs are of course known to continuously change up their tactics, techniques and procedures (TTPs) and are – unfortunately – competent innovators when it comes to expanding their repertoire.

In this light, said the X-Ops team, that Qilin would look to change things up having been active for around two years was entirely predictable. However, they concluded, if they are now mining for endpoint-stored credentials, they and others could much more easily get their feet in the door at follow-on targets, or gain useful information on individuals of interest for targeted spear-phishing attacks.

“A dark new chapter may have opened in the ongoing story of cyber crime,” the team said.