New Qilin tactics a ‘bonus multiplier’ for ransomware chaos

The Qilin ransomware gang, known for their high-stakes ransomware attacks, has taken their tactics to a new level by not only stealing data from their victims but also harvesting credentials stored within Google Chrome browsers on their endpoints. This unprecedented technique has raised concerns among cybersecurity experts, as it poses a significant threat to both targeted organizations and individuals.

In a recent incident uncovered by the Sophos X-Ops research team, Qilin targeted a domain controller within a victim’s Active Directory domain, using compromised credentials obtained from a VPN portal lacking multifactor authentication. The cybercriminals then executed a series of scripts to extract credential data stored within Chrome browsers on connected machines, ultimately exfiltrating sensitive information and encrypting the victim’s files.

With Chrome being the dominant browser in the market, the potential impact of such a breach is substantial, as users often store a multitude of passwords within the browser. The X-Ops team emphasized the importance of changing all Active Directory passwords and recommended that users also update their passwords for third-party sites stored in Chrome.

Ransomware gangs are constantly evolving their tactics, and the X-Ops team warned that Qilin’s shift towards credential theft could have broader implications for future cyberattacks. By targeting endpoint-stored credentials, threat actors could gain easier access to additional targets or valuable information for targeted attacks.

What do I do now?