Qilin ransomware, a notorious cybercrime group known for its “double extortion” tactics, has recently adopted a dangerous new method to steal credentials from users of the popular Google Chrome browser.
This development is particularly concerning given Chrome’s dominance, with over 65% of the global browser market share. The widespread use of Chrome means that a large number of users could be at risk, making this attack potentially devastating.
The Rise of Qilin Ransomware
Qilin ransomware has been active since at least 2022, making a name for itself by employing a ruthless double extortion strategy.
Typically, this involves two phases: first, the attackers steal sensitive data from their victims and then encrypt the victims’ systems, rendering them inaccessible.
The attackers then demand a ransom, threatening to either expose the stolen data or sell it on the dark web if the ransom is not paid.
This tactic places victims under immense pressure, as they face the dual threat of financial loss and reputational damage.
The Synnovis Breach
In June 2024, Qilin ransomware struck a major blow against Synnovis, a UK-based government service provider for healthcare. This attack brought the ransomware group into the spotlight due to the scale and sophistication of the breach.
The attack began when the cybercriminals gained access to the Synnovis network through compromised credentials for a VPN portal that lacked multi-factor authentication (MFA). This lack of MFA made it easier for the attackers to infiltrate the network undetected.
Once inside, the attackers spent 18 days silently surveilling the network, carefully planning their next move. They eventually gained control of a domain controller, a critical component of the network infrastructure.
From there, they modified Group Policy Objects (GPOs), the mechanism Active Directory uses to push configuration, scripts and settings to every domain-joined system.
The Credential Harvesting Technique
The attackers introduced a PowerShell script named IPScanner.ps1 into the GPO, which was designed to harvest credentials stored in Google Chrome browsers. This script was executed each time a user logged into their device, allowing the attackers to collect credentials from every device connected to the network.
The stolen credentials were then written to the SYSVOL share, the domain-wide share on the domain controllers that every domain-joined device can reach, with each file named after the infected device’s hostname.
The credentials were later exfiltrated to the attackers’ command-and-control server, where they could be used to gain further access to sensitive systems or sold to other cybercriminals.
After stealing the data, the attackers took steps to cover their tracks. They deleted the local copies of the harvested credentials and cleared the event logs to erase any evidence of their activities.
Once this was done, they deployed the ransomware payload, encrypting the victims’ systems and demanding a ransom for their release.
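The chain above leaves a distinctive trail in Windows Security logs: a GPO modification on the domain controller, PowerShell launching an unfamiliar script from SYSVOL on workstations, a file named after the workstation being written back into SYSVOL, and the audit log being cleared. The following added example (not code from the article or from Sophos) correlates those stages per host. The event records are constructed samples whose field names mirror common Security log fields; the allowlist of known logon scripts and the three-stage incident threshold are assumptions a defender would tune to their own environment.

```python
"""Added example: correlate Windows Security events for the GPO logon-script
credential-harvesting chain. Sample events are constructed, not real telemetry."""
import os
import re

# A PowerShell script path inside the domain SYSVOL share, e.g.
# \\corp.local\SYSVOL\corp.local\scripts\IPScanner.ps1
SYSVOL_SCRIPT = re.compile(r"\\\\[^\\]+\\sysvol\\\S*\.ps1", re.IGNORECASE)
SYSVOL_PATH = re.compile(r"\\\\[^\\]+\\sysvol\\", re.IGNORECASE)

# Assumption: the defender keeps an allowlist of logon scripts that are supposed to exist.
KNOWN_LOGON_SCRIPTS = {"logon.ps1", "mapdrives.ps1"}

# Constructed sample events. Event IDs: 5136 = directory service object modified,
# 4688 = process creation, 4663 = object access, 1102 = audit log cleared.
SAMPLE_EVENTS = [
    {"host": "DC01", "event_id": 5136, "user": "CORP\\svc_admin",
     "object_class": "groupPolicyContainer", "attribute": "gPCMachineExtensionNames"},
    {"host": "WS042", "event_id": 4688, "user": "CORP\\jdoe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File "
                     "\\\\corp.local\\SYSVOL\\corp.local\\scripts\\IPScanner.ps1"},
    {"host": "WS042", "event_id": 4663, "user": "CORP\\jdoe", "access": "WriteData",
     "object_name": "\\\\corp.local\\SYSVOL\\corp.local\\scripts\\WS042.txt"},
    {"host": "WS042", "event_id": 1102, "user": "CORP\\svc_admin"},
    # Benign: an allowlisted logon script, and a local script that never touches SYSVOL.
    {"host": "WS017", "event_id": 4688, "user": "CORP\\asmith",
     "command_line": "powershell.exe -File \\\\corp.local\\SYSVOL\\corp.local\\scripts\\logon.ps1"},
    {"host": "WS017", "event_id": 4688, "user": "CORP\\asmith",
     "command_line": "powershell.exe -File C:\\Users\\asmith\\report.ps1"},
]


def basename(path):
    """Last path component, lower-cased, for a Windows-style path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map one event to a stage of the chain, or None if it is unremarkable."""
    eid = ev.get("event_id")
    if eid == 5136 and ev.get("object_class") == "groupPolicyContainer":
        return "gpo_modified"
    if eid == 4688:
        m = SYSVOL_SCRIPT.search(ev.get("command_line", ""))
        if m and basename(m.group(0)) not in KNOWN_LOGON_SCRIPTS:
            return "unknown_sysvol_script"
    if eid == 4663 and ev.get("access") == "WriteData":
        name = ev.get("object_name", "")
        if SYSVOL_PATH.search(name):
            stem, _ = os.path.splitext(basename(name))
            if stem == ev.get("host", "").lower():   # file named after the writing host
                return "hostname_file_in_sysvol"
    if eid == 1102:
        return "audit_log_cleared"
    return None


def analyze(events):
    """Return the stages seen per host and the hosts exhibiting the chain.
    One stage is a lead to triage; three or more distinct stages on a host is an incident.
    A GPO modification is recorded on the DC but affects every host, so it counts domain-wide."""
    stages = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            stages.setdefault(ev["host"], set()).add(tag)
    domain_wide = any("gpo_modified" in seen for seen in stages.values())
    incidents = sorted(host for host, seen in stages.items()
                       if len(seen - {"gpo_modified"}) + int(domain_wide) >= 3)
    return {"stages": stages, "incidents": incidents}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for host, seen in sorted(result["stages"].items()):
        print(f"{host}: {', '.join(sorted(seen))}")
    print("incident hosts:", result["incidents"])
```

The hostname-named file in SYSVOL is the most specific signal here, because legitimate logon scripts read from SYSVOL but ordinary workstations have no reason to write into it; the SYSVOL-script rule on its own only flags scripts outside the allowlist, and a cleared audit log (1102) should page someone regardless of what else is seen.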
The Implications of This Attack
This new technique of harvesting credentials poses a significant risk not only to the immediate victims but also to other organizations that may be targeted in the future.
Sophos researchers have warned that this approach could act as a “bonus multiplier” for the chaos already caused by ransomware attacks.
By gaining access to a vast array of usernames and passwords, Qilin and other similar groups can identify high-value targets and launch even more damaging attacks.
For organizations affected by this attack, the response must be swift and comprehensive. All Active Directory passwords should be reset, and users should be advised to change passwords for any sites saved in their browsers.
The scale of the breach means that a single compromised account could lead to dozens or even hundreds of additional breaches, complicating response efforts and increasing the potential damage.