This clever new ransomware is targeting your Google Chrome data, so be on your guard

Qilin ransomware targets network-connected endpoints to pull Google Chrome data

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The Qilinransomwarehas been spotted successfully exfiltrating sensitive data stored inGoogleChrome.

In itswriteup, researchers from Sophos revealed how a criminal group used previously compromised credentials to enter the IT infrastructure of an unnamed organization.

Thebrowsercredentials were for a Virtual Private Network (VPN) portal, which lacked multi-factor authentication (MFA), and as such was relatively easy to access.

En masse credential theft

Sophos says it isn’t known if the initial breach was made by an Initial Access Broker (IAB) and then handed over to the ransomware operators, or if it was all done by a single organization.

In any case, the group dwelled for more than two weeks (18 days) before moving laterally to a domain controller using the compromised credentials. While the crooks were spotted on a single domain controller within their target’s Active Directory domain, other domain controllers in that AD domain were infected, the researchers concluded. They were, however, affected differently.

Qilin is a classic ransomware operation that engages in the usual double-extortion attack - it first steals as much information as possible, before encrypting the compromised device and asking for payment in exchange for the decryption key. However, what makes this operation relatively unique, the researchers claim, is the way it targets Google Chrome.

“During a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity leading to en masse theft of credentials stored in Google Chrome browsers on a subset of the network’s endpoints – a credential-harvesting technique with potential implications far beyond the original victim’s organization,” the researchers explained. “This is an unusual tactic, and one that could be a bonus multiplier for the chaos already inherent in ransomware situations.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

In other words, Qilin would harvest the credentials saved in Chrome browsers on machines connected to the same network as the initially compromised one.

Cybercriminals continue to evolve their tactics, Sophos concluded, stressing that organizations need to rely onpassword managersmore, and make sure to enable MFA wherever possible, to minimize the chances of falling prey.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Anker Nebula Mars 3 review: A powerful and truly portable projector