Beware of Qilin: Ransomware Now Targets Your Chrome Passwords
Researchers at Sophos have uncovered an attack involving the Qilin ransomware, during which cybercriminals stole account credentials stored in the Google Chrome browser on a number of compromised devices.
The incident, discovered in July 2024, caught the attention of experts due to its unusual combination of tactics—credential theft followed by a ransomware infection, which could have severe consequences.
The attack began with the penetration of the target organization’s network through compromised credentials used to access a VPN portal that was not protected by multi-factor authentication (MFA). The attackers waited 18 days after the initial breach before taking further action.
Once the criminals gained access to the domain controller, they altered the domain policy by adding two Group Policy Objects (GPOs). The first was a PowerShell script named “IPScanner.ps1,” designed to harvest account credentials stored in the Chrome browser. The second was a batch script (“logon.bat”) that triggered the execution of the first script.
According to the investigation, this Group Policy Object remained active in the network for more than three days. During this time, users, unaware of the ongoing intrusion, unknowingly executed the script with each login, leading to the collection of their credentials.
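The logon-script chain described above (a GPO-delivered batch file launching a PowerShell script at every user logon) leaves a recognisable pattern in endpoint process-creation telemetry. The following Python is an added example, not code from the Sophos report or this article; it runs over constructed, simplified Sysmon-style process-creation records, and the domain, user names and paths are assumed.

```python
import re

# Constructed, simplified Sysmon-style process-creation records (assumed users and paths).
SAMPLE_EVENTS = [
    {"user": r"CORP\alice",
     "parent_cmdline": r"cmd.exe /c \\corp.local\SYSVOL\corp.local\scripts\logon.bat",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File \\corp.local\SYSVOL\corp.local\scripts\IPScanner.ps1"},
    {"user": r"CORP\bob",
     "parent_cmdline": r"cmd.exe /c \\corp.local\SYSVOL\corp.local\scripts\logon.bat",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File \\corp.local\SYSVOL\corp.local\scripts\IPScanner.ps1"},
    # Benign: a user running their own script from an interactive shell.
    {"user": r"CORP\carol",
     "parent_cmdline": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\carol\Documents\report.ps1"},
    # Benign: a legitimate logon script that maps drives without touching PowerShell.
    {"user": r"CORP\dave",
     "parent_cmdline": r"cmd.exe /c \\corp.local\SYSVOL\corp.local\scripts\mapdrives.bat",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use H: \\fs01\home"},
]

# A script (bat/cmd/ps1) referenced by a UNC path under a domain SYSVOL share.
SYSVOL_SCRIPT = re.compile(r"\\\\[^\\\s]+\\sysvol\\\S*?\.(?:bat|cmd|ps1)\b", re.IGNORECASE)
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)

def is_suspicious(event):
    """True when a SYSVOL batch script spawns PowerShell that loads another SYSVOL script."""
    return bool(SYSVOL_SCRIPT.search(event["parent_cmdline"])
                and POWERSHELL.search(event["image"])
                and SYSVOL_SCRIPT.search(event["cmdline"]))

def find_logon_script_chains(events):
    """Return the matching events and, per script name, how many distinct users ran it.
    The same script firing at many users' logons points to GPO delivery rather than
    a one-off administrator action."""
    hits = [e for e in events if is_suspicious(e)]
    users_by_script = {}
    for e in hits:
        script = SYSVOL_SCRIPT.search(e["cmdline"]).group(0).rsplit("\\", 1)[-1].lower()
        users_by_script.setdefault(script, set()).add(e["user"])
    return hits, {name: len(users) for name, users in users_by_script.items()}

if __name__ == "__main__":
    hits, counts = find_logon_script_chains(SAMPLE_EVENTS)
    for name, n in counts.items():
        print(f"{name}: launched from SYSVOL by {n} user(s), {len(hits)} matching events")
```

A hit on a newly created GPO should be cross-checked against the SYSVOL scripts folder and the domain's recent GPO change history, since the article notes the malicious policy ran for more than three days before discovery.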
The attackers then exfiltrated the stolen data, erased traces of their activity, and encrypted files on the system, leaving a ransom note in every folder. The theft of credentials means that affected users must now change their passwords for all external services where the compromised credentials were used.
Sophos experts note that ransomware groups continue to adapt their methods and expand their arsenal of techniques. Should criminals begin systematically harvesting credentials stored on endpoint devices, it could herald a dangerous new chapter in the history of cybercrime.