Threat actors behind the recently observed Qilin ransomware attacks stole credentials stored in Google Chrome browsers on a small number of compromised endpoints.
Cybersecurity firm Sophos said in a report on Thursday that the use of credential harvesting in connection with a ransomware infection is an unusual development that could have cascading effects.
The attack, detected in July 2024, involved compromised credentials for a VPN portal that lacked multi-factor authentication (MFA) to gain entry into the target’s network, with threat actors carrying out post-attack actions 18 days after initial access was gained.
“Once the attackers reached the affected domain controller, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) that contained two items,” said researchers Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia and Robert Weiland.
The first is a PowerShell script named “IPScanner.ps1” designed to gather credential data stored within the Chrome browser, and the second is a batch script (“logon.bat”) containing the commands that run the first script.
“The attackers left this GPO active on the network for more than three days,” the researchers added.
“This gave users ample opportunity to log onto a device and unknowingly trigger a credential harvesting script on their system. Again, this was all done using a logon GPO, so each user would experience this credential harvesting every time they logged in.”
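The technique above hinges on a logon-script entry added to a GPO. As an added defender-side illustration that is not code from the Sophos report, the following Python parses the scripts.ini files that Group Policy keeps under each GPO's User\Scripts folder in SYSVOL ([Logon] sections with NCmdLine / NParameters pairs) and flags entries that launch PowerShell directly or through a batch wrapper. The GPO names, script names and script bodies are constructed sample data.

```python
import configparser
import re
from dataclasses import dataclass


@dataclass
class LogonScript:
    gpo: str         # GPO the entry came from (display name or GUID folder)
    phase: str       # "Logon" or "Logoff" section of scripts.ini
    command: str     # script file Group Policy runs
    parameters: str  # arguments passed to it


def parse_scripts_ini(gpo_name: str, text: str) -> list[LogonScript]:
    """Turn one scripts.ini (already decoded; real files are UTF-16 LE) into records."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "0CmdLine" casing instead of lowercasing keys
    cp.read_string(text)
    entries = []
    for phase in cp.sections():
        for key, value in cp[phase].items():
            m = re.fullmatch(r"(\d+)CmdLine", key)
            if m:
                params = cp[phase].get(f"{m.group(1)}Parameters", "")
                entries.append(LogonScript(gpo_name, phase, value, params))
    return entries


# Direct PowerShell launch or a .ps1 target, in the GPO entry itself or inside
# the wrapper script body (the batch-file indirection described in the article).
PS_LAUNCH = re.compile(r"\b(powershell|pwsh)(\.exe)?\b|\.ps1\b", re.IGNORECASE)


def flag_powershell_launchers(entries, script_bodies):
    """Return entries whose command, parameters or wrapper body invoke PowerShell."""
    hits = []
    for e in entries:
        body = script_bodies.get(e.command.lower(), "")
        if PS_LAUNCH.search(f"{e.command} {e.parameters}") or PS_LAUNCH.search(body):
            hits.append(e)
    return hits


# Constructed sample: one logon entry added to the default domain policy, one benign.
SAMPLE_INI = {
    "Default Domain Policy": "[Logon]\n0CmdLine=logon.bat\n0Parameters=\n",
    "Drive Mapping": "[Logon]\n0CmdLine=mapdrives.vbs\n0Parameters=\n",
}
SAMPLE_BODIES = {
    "logon.bat": "@echo off\npowershell.exe -File IPScanner.ps1\n",
    "mapdrives.vbs": 'Set net = CreateObject("WScript.Network")\n',
}


def audit(ini_files=SAMPLE_INI, bodies=SAMPLE_BODIES):
    entries = [s for name, text in ini_files.items() for s in parse_scripts_ini(name, text)]
    return flag_powershell_launchers(entries, bodies)
```

In a real audit, read each scripts.ini from SYSVOL with UTF-16 decoding and compare the flagged entries against your change-controlled baseline of logon scripts; a new entry in the default domain policy is the signal the researchers describe.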

The attackers then leaked the stolen credentials and took steps to erase evidence of their activity, before encrypting files and dropping ransom notes in every directory on the system.
Because the credentials stored in the Chrome browser were stolen, affected users will need to change their username and password combinations for each third-party site.
“As expected, ransomware groups continue to change their tactics and expand their range of techniques,” the researchers said.
“If they, or other attackers, decide to also harvest credentials stored on endpoints, that could provide a stepping stone to the next target or a wealth of information about high-value targets to exploit in other ways, opening a dark new chapter in the ongoing saga of cybercrime.”
Ransomware’s evolving trends
This development comes after ransomware groups such as Mad Liberator and Mimic were spotted using unsolicited AnyDesk requests to exfiltrate data and internet-exposed Microsoft SQL servers for initial access, respectively.
A further feature of the Mad Liberator attack is that the threat actors exploit the access to transfer and launch a binary called “Microsoft Windows Update”, displaying a fake Windows Update splash screen to the victim, giving them the impression that software updates are being installed while their data is being plundered.
As opposed to customized malware, the use of legitimate remote desktop tools gives attackers the perfect disguise to hide their malicious activity in plain sight, allowing them to blend in with normal network traffic and avoid detection.

Despite a series of law enforcement actions, ransomware remains a lucrative business for cybercriminals, with 2024 expected to be their most profitable year ever. The year also saw the largest ransomware payout ever recorded, around $75 million paid to the Dark Angels ransomware group.
“The median ransom payment for the most severe ransomware attacks has skyrocketed from just under $200,000 in early 2023 to $1.5 million in mid-June 2024, suggesting that these strains are prioritizing targeting large enterprises and critical infrastructure providers who are more likely to pay higher ransoms due to their financial resources and systemic importance,” blockchain analytics firm Chainalysis said.
Ransomware victims are estimated to have paid $459.8 million to cybercriminals in the first half of the year, up from $449.1 million in the same period last year. However, total ransomware payment events measured on-chain were down 27.29% year-over-year, indicating a slowing payment rate.
Additionally, Russian-speaking threat groups were responsible for at least 69% of all cryptocurrency revenue related to ransomware throughout last year, exceeding $500 million.
According to data shared by NCC Group, the number of ransomware attacks observed in July 2024 surged month-on-month from 331 to 395, but was down from the 502 registered in the same month last year. The most active ransomware families were RansomHub, LockBit, and Akira. The most frequently targeted sectors were industrials, consumer cyclicals, and hotels and entertainment.
Industrial organizations are attractive targets for ransomware groups due to the mission-critical nature of their operations and the impact of disruptions, making victims more likely to pay the ransom demanded by attackers.

“Criminals will focus on where they can cause the most pain and disruption, and ordinary people will demand quick resolution and expect to pay ransom to restore service more quickly,” said Chester Wisniewski, Sophos’ global field chief technology officer.
“This makes utilities an attractive target for ransomware attacks. Due to the critical functions that utilities provide, modern society requires that they be restored quickly and with minimal disruption.”
According to Dragos, ransomware attacks targeting this sector almost doubled in Q2 2024 compared to Q1, from 169 to 312. The majority of attacks were concentrated in North America (187), followed by Europe (82), Asia (29) and South America (6).

“Ransomware attackers are strategically timing their attacks to coincide with peak holiday seasons in some regions in order to maximize disruption and pressure organizations into paying up,” NCC Group said.
In its own State of Ransomware 2024 report, Malwarebytes highlighted three trends in ransomware tactics over the past year, including a surge in attacks on weekends and early morning hours between 1am and 5am, as well as a shortening of the time from initial access to encryption.

Another notable change has been the increased abuse of edge services and attacks on small and medium-sized businesses, according to WithSecure, which added that the takedown of LockBit and ALPHV (aka BlackCat) has eroded trust within the cybercriminal community, leading affiliates to move away from larger brands.
In fact, Coveware said that more than 10% of the incidents it handled in the second quarter of 2024 were unaffiliated, meaning they were “the result of attackers who were intentionally operating independently from any specific brand — so-called ‘lone wolves.’”
“The ongoing shutdown of cybercriminal forums and marketplaces has shortened the life cycle of criminal sites as site operators seek to avoid the attention of law enforcement agencies,” Europol said in an assessment published last month.
“This uncertainty, combined with the proliferation of exit scams, is leading to the continued fragmentation of the criminal market. Recent law enforcement activity and ransomware source code leaks (e.g., Conti, LockBit, HelloKitty) have led to an increased fragmentation of active ransomware groups and available variants.”