The threat actors behind a recent Qilin ransomware attack have stolen credentials stored in Google Chrome browsers from a small number of compromised endpoints. This combination of credential harvesting with ransomware marks an unusual development that could have far-reaching consequences, according to cybersecurity firm Sophos, which released a report on Thursday.
The attack, which was detected in July 2024, began by infiltrating the target network using compromised credentials for a VPN portal that lacked multi-factor authentication (MFA). The attackers waited 18 days after the initial access before taking further actions.
"Once the attacker reached the domain controller in question, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two items," explained researchers Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia, and Robert Weiland.
The first item was a PowerShell script named "IPScanner.ps1," which was designed to harvest credential data stored within the Chrome browser. The second item was a batch script ("logon.bat") containing commands to execute the first script.
"The attacker left this GPO active on the network for over three days," the researchers noted. "This provided ample opportunity for users to log on to their devices and, without their knowledge, trigger the credential-harvesting script on their systems. Each time a user logged in, this logon GPO would execute, resulting in repeated credential collection."
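The chain described above (a logon GPO whose batch script launches a PowerShell script that reads the Chrome credential store) leaves a recognizable footprint in process-creation telemetry. The following is an added detection example, not code from the Sophos report or the Red Secure Tech page: it scans constructed Sysmon Event ID 1 / Security 4688 style records for script interpreters launched from the SYSVOL logon-scripts share, for non-browser processes referencing Chrome's "Login Data" or "Local State" files, and for the same logon script appearing across several hosts, which is what a domain-wide GPO rollout looks like. The hostnames, usernames, domain, GPO GUID and command lines are constructed placeholders.

```python
"""Hunt for the logon-GPO credential-harvesting pattern in process-creation telemetry.

Added example; the sample events below are constructed, not real incident data.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 fields)."""
    host: str
    user: str
    image: str
    parent_image: str
    command_line: str


# Script interpreters worth flagging when they are launched from a logon GPO share.
# cmd.exe is deliberately excluded: batch logon scripts are routine in most domains.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
BROWSER_IMAGES = {"chrome.exe"}

# \\<domain>\SYSVOL\...\Scripts\Logon\<script> is where logon GPO scripts live.
LOGON_SCRIPT_RE = re.compile(
    r"\\\\[^\\\s]+\\SYSVOL\\.*?\\Scripts\\Logon\\([^\\\s\"]+)", re.IGNORECASE)
# Chrome's saved-password database and the key file used to protect it.
CHROME_STORE_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\(?:[^\\\"]+\\)*(Login Data|Local State)", re.IGNORECASE)

# Constructed sample telemetry (placeholder domain, GUID, hosts and users).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
GPSCRIPT = r"C:\Windows\System32\gpscript.exe"
LOGON_DIR = r"\\corp.example\SYSVOL\corp.example\Policies\{PLACEHOLDER-GUID}\User\Scripts\Logon"

SAMPLE_EVENTS = [
    # Benign: Chrome itself starting from the shell.
    ProcEvent("WS01", r"CORP\alice", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\explorer.exe", r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    # Benign: an ordinary batch logon script run by the Group Policy script runner.
    ProcEvent("WS01", r"CORP\alice", CMD, GPSCRIPT, f"cmd.exe /c {LOGON_DIR}\\mapdrives.bat"),
    # Suspicious: the batch logon script hands off to a PowerShell script on three hosts.
    ProcEvent("WS01", r"CORP\alice", PS, CMD,
              f"powershell.exe -ExecutionPolicy Bypass -File {LOGON_DIR}\\IPScanner.ps1"),
    ProcEvent("WS02", r"CORP\bob", PS, CMD,
              f"powershell.exe -ExecutionPolicy Bypass -File {LOGON_DIR}\\IPScanner.ps1"),
    ProcEvent("WS03", r"CORP\carol", PS, CMD,
              f"powershell.exe -ExecutionPolicy Bypass -File {LOGON_DIR}\\IPScanner.ps1"),
    # Suspicious: a non-browser process naming Chrome's saved-password database.
    ProcEvent("WS02", r"CORP\bob", PS, CMD,
              r'powershell.exe -c Get-Item "C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"'),
]


def logon_script_name(ev: ProcEvent):
    """Return the logon-GPO script name if a script interpreter ran it, else None."""
    if PureWindowsPath(ev.image).name.lower() not in SCRIPT_HOSTS:
        return None
    match = LOGON_SCRIPT_RE.search(ev.command_line)
    return match.group(1) if match else None


def score_event(ev: ProcEvent) -> list:
    """Per-event rules: returns a list of (rule, severity) tuples."""
    findings = []
    image = PureWindowsPath(ev.image).name.lower()
    if logon_script_name(ev):
        findings.append(("logon_gpo_script_host", "medium"))
    if image not in BROWSER_IMAGES and CHROME_STORE_RE.search(ev.command_line):
        findings.append(("browser_credential_store_reference", "high"))
    return findings


def hunt(events) -> dict:
    """Run per-event rules, then correlate logon scripts across hosts."""
    findings = []
    script_hosts = defaultdict(set)
    for ev in events:
        for rule, severity in score_event(ev):
            findings.append({"host": ev.host, "user": ev.user, "rule": rule,
                             "severity": severity, "command_line": ev.command_line})
        name = logon_script_name(ev)
        if name:
            script_hosts[name].add(ev.host)
    scripts = {name: sorted(hosts) for name, hosts in script_hosts.items()}
    # The same interpreter-run logon script on two or more hosts is the GPO-rollout signature.
    for name, hosts in scripts.items():
        if len(hosts) >= 2:
            findings.append({"host": ",".join(hosts), "user": "*", "rule": "domain_wide_logon_script",
                             "severity": "high", "command_line": name})
    return {"findings": findings, "scripts": scripts}


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS)["findings"], indent=2))
```

Pairing the two rules matters: a PowerShell logon script alone is common in managed estates, and a one-off reference to the Chrome profile directory can be a help-desk action, but a freshly linked logon script that fans out across hosts and touches the browser credential store in the same window is the combination the report describes. In a real deployment the correlation step would also pull Event ID 5136 (directory service object modified) from the domain controllers to tie the script to the GPO edit itself.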
The attackers then exfiltrated the stolen credentials and took steps to erase evidence of their activities before encrypting files and dropping ransom notes in every directory on the affected systems. The theft of credentials stored in Chrome means that affected users are now required to change their username-password combinations for every third-party site they accessed.
"Predictably, ransomware groups continue to change tactics and expand their repertoire of techniques," the researchers observed. "If these or other attackers have decided to mine for endpoint-stored credentials, which could provide a foothold for subsequent attacks or valuable information about high-value targets, a dark new chapter may have opened in the ongoing story of cybercrime."
This development comes as other ransomware groups, such as Mad Liberator and Mimic, have been observed using unconventional methods for data exfiltration. Mad Liberator has been noted for leveraging unsolicited AnyDesk requests, while Mimic has exploited internet-exposed Microsoft SQL servers for initial access.
Mad Liberator's attacks are further characterized by the use of legitimate access to deploy a binary named "Microsoft Windows Update," which shows a fake Windows Update splash screen to make victims believe that software updates are being installed while data is being exfiltrated.
The use of legitimate remote desktop tools, rather than custom-made malware, allows attackers to disguise their malicious activities as normal network traffic, helping them avoid detection.
Ransomware remains highly profitable for cybercriminals despite various law enforcement efforts. The year 2024 is on track to be the highest-grossing year yet for ransomware, including the largest ransom payment ever recorded—approximately $75 million—to the Dark Angels ransomware group.
"The median ransom payment for the most severe ransomware strains has surged from under $200,000 in early 2023 to $1.5 million by mid-June 2024," stated blockchain analytics firm Chainalysis. "This suggests that these strains are targeting larger businesses and critical infrastructure providers, which may be more likely to pay high ransoms due to their deep pockets and systemic importance."
In the first half of 2024, ransomware victims paid an estimated $459.8 million, up from $449.1 million in the same period of 2023. However, the total number of ransomware payment events, as measured on-chain, declined by 27.29% year-over-year, indicating that fewer victims are choosing to pay.
Russian-speaking threat groups were responsible for at least 69% of all cryptocurrency proceeds linked to ransomware in the past year, totaling over $500 million. According to data from NCC Group, ransomware attacks observed in July 2024 increased month-on-month from 331 to 395, although this was down from 502 attacks recorded in the same month last year. The most active ransomware families were RansomHub, LockBit, and Akira, with frequent targets including the industrial, consumer cyclical, and hospitality sectors.
Industrial organizations are especially attractive to ransomware groups due to the mission-critical nature of their operations and the high impact of disruptions, which increases the likelihood of ransom payments.
"Cybercriminals target areas where they can cause significant pain and disruption, prompting public demands for swift resolution and, they hope, ransom payments to restore services quickly," noted Chester Wisniewski, global field chief technology officer at Sophos. "This makes utilities prime targets for ransomware attacks. Given their essential services, society expects them to recover rapidly with minimal disruption."
Ransomware attacks on the utility sector nearly doubled from Q1 to Q2 of 2024, rising from 169 to 312 incidents, according to Dragos. Most attacks targeted North America (187), followed by Europe (82), Asia (29), and South America (6).
"Ransomware actors are timing their attacks to coincide with peak holiday periods in certain regions to maximize disruption and pressure organizations into payment," NCC Group reported.
The 2024 State of Ransomware report from Malwarebytes highlighted several trends in ransomware tactics, including an increase in attacks during weekends and early morning hours, and a reduction in the time from initial access to encryption.
Another notable trend is the increased exploitation of edge services and the targeting of small and medium-sized businesses. WithSecure pointed out that the dismantling of groups like LockBit and ALPHV (aka BlackCat) has led to a breakdown in trust within the cybercriminal community, causing affiliates to move away from major ransomware brands.
Coveware reported that over 10% of ransomware incidents handled by the company in Q2 2024 involved attackers operating independently, often referred to as "lone wolves."
"Continued takedowns of cybercriminal forums and marketplaces have shortened the lifecycle of criminal sites, as administrators try to avoid law enforcement attention," Europol noted in an assessment. "This uncertainty, coupled with a rise in exit scams, has led to fragmentation in criminal marketplaces. Recent law enforcement actions and leaks of ransomware source codes have resulted in a fragmented landscape of active ransomware groups and variants."
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067