A new strain of ransomware called Qilin has been discovered using a relatively sophisticated, highly customizable tactic to steal account login information stored in the Google Chrome browser.
The Sophos X-Ops global security research team observed credential harvesting techniques during its Qilin incident response, indicating an alarming shift in the way this dangerous ransomware strain operates.
Overview of the attack process
The attack analyzed by Sophos researchers began with the Qilin malware successfully accessing the target network using compromised credentials on a VPN gateway without multi-factor authentication (MFA).
This was followed by an 18-day period of malware “hibernation,” suggesting that the hackers had purchased access to the network through an initial access broker (IAB). Qilin likely spent time mapping the network, identifying key assets, and conducting reconnaissance.
After the first 18 days, the malware moves laterally to domain controllers and modifies Group Policy Objects (GPOs) to execute a PowerShell script ('IPScanner.ps1') on all machines logged into the domain network.
This script is executed by a batch script ('logon.bat'), and is also included in the GPO. It is designed to collect login information stored in Google Chrome.
The batch script is configured to run (and trigger a PowerShell script) every time a user logs in to their machine. In parallel, the stolen credentials are saved on the 'SYSVOL' partition under the name 'LD' or 'temp.log'.
After sending the files to Qilin’s command and control (C2) server, local copies and associated event logs were deleted to conceal the malicious activity. Finally, Qilin deployed the ransomware payload and encrypted data on the compromised machines.
Another GPO and a separate command file ('run.bat') are also used to download and execute the ransomware on all machines in the domain.
Complexity in defense
Qilin's approach to Chrome credentials sets a troubling precedent that could make protecting against ransomware attacks more difficult.
Because the GPO is applied to all machines in the domain, every device where the user is logged on is subject to the credential collection process.
This means that the script is capable of stealing credentials from all machines across the system, as long as those machines are connected to the domain and have a user logged in during the time the script is running.
Such widespread credential theft can allow hackers to launch follow-up attacks, resulting in a security incident that spans multiple platforms and services, making response efforts much more cumbersome. It also creates a persistent threat that lingers long after the ransomware incident is resolved.
Organizations can mitigate risk by implementing strict policies that prohibit storing secrets in web browsers. Additionally, implementing multi-factor authentication is key to protecting accounts from being taken over, even in the event of a compromised credential.
Finally, implementing principles of least privilege and network segmentation can significantly hinder a threat actor's ability to spread across a compromised network.
Controlled Folder Access is a feature of Microsoft's Windows Security desktop antivirus application. It prevents ransomware by preventing modifications to files in protected folders.
Although these two terms are often confused, there is a difference between ransomware and Cyber Extortion. However, the pair are linked and one can lead to the other.
Over the past few years, ransomware has been increasing and more and more computers are affected by them. Once your system is infected with ransomware, it will encrypt and keep all your data for ransom. So how to decode the data already
Ransomeware, the problem is becoming a more serious threat in recent years. It spreads through infected attachments, software and programs or websites. Once your computer is infected with ransomware, hackers can encrypt these
Struggling with Microsoft Teams "Error K" Security? Follow our step-by-step guide to fix it quickly—no tech expertise needed. Get back to seamless collaboration today!
Struggling with Microsoft Teams Update Error 0x80070002? Discover step-by-step fixes to resolve it quickly. Clear cache, repair files, and get back to seamless updates today!
Tired of Microsoft Teams "Web Error" blocking your browser login? Follow our step-by-step guide with proven fixes to resolve Teams web login issues fast and securely. Get back to work!
Stuck with Microsoft Teams "Error O" Offline? Discover proven, step-by-step fixes to get back online fast. Clear cache, restart, and more – no tech skills needed!
Frustrated by the missing Microsoft Teams icon in Outlook? Learn exactly where to find it, why it disappears, and proven steps to restore it for effortless meetings. Updated for the latest versions!
Struggling with Microsoft Teams "Windows 10 Error" login issues? Get instant fixes for cache clears, updates, and more. Step-by-step solutions to solve Microsoft Teams login error on Windows 10 fast and frustration-free.
Tired of the frustrating Microsoft Teams "Website Error" where tabs won’t load? Get step-by-step fixes to resolve it quickly and boost your productivity. Essential troubleshooting for seamless Teams experience.
Tired of the frustrating Microsoft Teams "Web Error" 503 Service Unavailable? Discover proven, step-by-step fixes for Teams 503 error on web. Get back online fast with our expert guide. Works on all browsers!
Struggling with Microsoft Teams "Win 7 Error" compatibility? Discover step-by-step fixes to restore seamless video calls and chats on unsupported Windows versions. Quick, reliable solutions inside!
Master troubleshooting Microsoft Teams Breakout Rooms license errors with this step-by-step guide. Quick fixes for common license issues, admin checks, and prevention tips to get your meetings running smoothly.
Struggling with Microsoft Teams "Version History" Error? Discover proven, step-by-step fixes to restore access instantly. Clear cache, update Teams, and more—no tech skills needed!
Tired of the frustrating Microsoft Teams Joining Error: Meeting ID Not Found? Get step-by-step fixes to rejoin meetings fast. Updated with the latest Teams patches for seamless collaboration. Solve it now!
Struggling with Microsoft Teams "Video Error" green screen? Discover proven, step-by-step troubleshooting fixes for seamless video calls. Quick solutions inside!
Struggling with the Microsoft Teams "How Teams Works" Tutorial Error? Discover proven, step-by-step fixes to resolve it quickly. Clear cache, update, and more for seamless onboarding. Works on latest versions!
Tired of the frustrating Microsoft Teams "Error Today" on Windows 10? Discover proven, step-by-step fixes to resolve it quickly and restore smooth teamwork. No tech skills needed!
