Qilin ransomware targets Google Chrome credentials

Steals user information every time a login is executed

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Sophos X-Opsuncovered a major breach involving Qilin ransomware, revealing a novel and alarming tactic involving the mass theft of credentials stored inGoogle Chromebrowsers from compromised endpoints.

The Qilin ransomware group has been operational since at least 2022 and gained notoriety for its “double extortion” strategy. This method involves stealing a victim’s data, encrypting their systems, and threatening to expose or sell the stolen data unless a ransom is paid.

This credential-harvesting technique poses serious risks beyond the immediate victims, highlighting the evolving nature of ransomware attacks.

Initial Access and Lateral Movement

In June 2024,Qilin ransomware attacked Synnovis, a UK governmental service provider for healthcare bringing the cybercrime group into the spotlight. The breach began with the attackers gaining access through compromised credentials for aVPNportal that lackedmulti-factor authentication(MFA).

After 18 days of surveillance, the attackers moved laterally within the network to a domain controller. Here, they modified the Group Policy Objects (GPO) to introduce a PowerShell script named IPScanner.ps1, designed to harvest credentials stored in Chromebrowsers.

This script was executed every time a user logged into their device, allowing the attackers to collect credentials from multiple devices connected to the network. The harvested data was stored in the SYSVOL share, named after the infected device’s hostname, and was subsequently exfiltrated to the attackers' command-and-control server. After this data theft, the attackers deleted the local copies and cleared event logs to cover their tracks before deploying the ransomware payload.

Qilin ransomware targetsGoogleChrome, which holds over 65% of the browser market share. Therefore, the attackers could potentially access a vast array of usernames andpasswordsstored by users.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Organizations affected by this attack must reset all Active Directory passwords and advise users to change passwords for any sites saved in their browsers. The scale of the breach means that a single compromised account could lead to dozens or even hundreds of additional breaches across various services, significantly complicating response efforts.

Sophos researchers noted that this new approach could be a “bonus multiplier” for the chaos already inherent in ransomware situations. By harvesting credentials, Qilin and similar groups can gain insights into high-value targets, facilitating more sophisticated and damaging attacks in the future. This trend raises significant concerns about the security of organizations that may not be adequately prepared to defend against such multifaceted threats.

More from TechRadar Pro

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master’s and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products.

HP Elite x360 1040 2-in-1 G11 review

Lenovo ThinkPad T14s Gen 6 review

Sihoo Doro S100 ergonomic office chair review