New Qilin Ransomware Attack Uses VPN Credentials, Steals Chrome Data

Cybercriminals behind a recently observed Qilin ransomware attack have stolen credentials stored in Google Chrome browsers on a small group of compromised endpoints.

The use of credential harvesting in connection with a ransomware infection is an unusual development that could have far-reaching implications, cybersecurity firm Sophos said in a report on Thursday.

The attack, detected in July 2024, consisted of infiltrating the target network via compromised credentials for a VPN portal without multi-factor authentication (MFA). The malicious actors performed post-exploitation actions 18 days after initial access.

“Once the attacker reached the affected domain controller, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two entries,” said researchers Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia, and Robert Weiland.

The first is a PowerShell script named “IPScanner.ps1” that collects credentials stored in the Chrome browser. The second is a batch script (“logon.bat”) that contains the commands used to execute the first script.

“The attacker left this GPO active on the network for more than three days,” the researchers added.

“This provided ample opportunity for users to log into their devices and, without their knowledge, trigger the credential harvesting script on their systems. Again, since this was all done using a logon GPO, every user would experience this credential scarfing every time they logged in.”
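One defensive check that follows from this chain, written here as an added example (it is not Sophos' code and does not come from the report): a small Python audit script that walks the logon-script folders of a SYSVOL-style directory tree and flags scripts that reference Chrome's credential store or launch hidden, policy-bypassing PowerShell. The indicator patterns, the directory layout (Policies/<GUID>/User/Scripts/Logon) and the sample scripts are assumptions constructed for the demo; the script names logon.bat and IPScanner.ps1 are the ones the report gives.

```python
"""Audit Group Policy logon scripts for references to browser credential stores.

Added example, not code from Sophos or from the report: it walks a SYSVOL-style
directory tree (Policies/<GUID>/User/Scripts/Logon/...), reads every script file
and reports which indicator patterns each one matches. The indicator set, the
directory layout and the sample scripts below are assumptions constructed for
the demo; in production point scan_logon_scripts() at the domain SYSVOL share.
"""
import os
import re
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".ps1", ".bat", ".cmd", ".vbs"}

# Indicator patterns. The first four name Chrome's profile directory, its
# credential databases and the DPAPI call needed to read them; a legitimate
# logon script has no reason to touch any of these. The last one is a weaker
# signal (hidden, policy-bypassing PowerShell launches) that also catches the
# launcher half of a two-script pair such as logon.bat -> IPScanner.ps1.
INDICATORS = {
    "chrome_profile_path": re.compile(r"Chrome\\User Data", re.IGNORECASE),
    "chrome_login_db": re.compile(r"\bLogin Data\b", re.IGNORECASE),
    "chrome_local_state": re.compile(r"\bLocal State\b", re.IGNORECASE),
    "dpapi_unprotect": re.compile(
        r"CryptUnprotectData|ProtectedData\]::Unprotect", re.IGNORECASE),
    "hidden_powershell": re.compile(
        r"powershell(\.exe)?[^\n]*(-w(indowstyle)?\s+hidden|-(ep|executionpolicy)\s+bypass)",
        re.IGNORECASE),
}


def scan_script_text(text: str) -> list[str]:
    """Return the names of the indicators that fire on one script's contents."""
    return [name for name, pat in INDICATORS.items() if pat.search(text)]


def scan_logon_scripts(root) -> dict[str, list[str]]:
    """Map each script under `root` (path relative to root, '/' separators)
    to the indicators it matched; clean scripts are omitted."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        hits = scan_script_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample tree: one benign logon script and one pair modelled on the
# report's logon.bat / IPScanner.ps1. The .ps1 carries only the indicator
# strings (path names and a commented-out API call), not a working harvester.
SAMPLE_SCRIPTS = {
    "Policies/{GUID-A}/User/Scripts/Logon/logon.bat":
        "@echo off\r\nnet use H: \\\\fileserver\\home\\%USERNAME% /persistent:no\r\n",
    "Policies/{GUID-B}/User/Scripts/Logon/logon.bat":
        "@echo off\r\npowershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
        "-File \"%~dp0IPScanner.ps1\"\r\n",
    "Policies/{GUID-B}/User/Scripts/Logon/IPScanner.ps1":
        "# constructed sample: indicator strings only\n"
        "$db = \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\"\n"
        "$state = \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State\"\n"
        "# ... [System.Security.Cryptography.ProtectedData]::Unprotect($blob, ...)\n",
}


def build_demo_tree(base) -> Path:
    """Write the constructed sample scripts under `base` and return it."""
    base = Path(base)
    for rel, body in SAMPLE_SCRIPTS.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return base


def run_demo() -> dict[str, list[str]]:
    """Write the sample tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_logon_scripts(build_demo_tree(tmp))


if __name__ == "__main__":
    for script, hits in run_demo().items():
        print(f"{script}: {', '.join(hits)}")
```

Run against the real share, the scan covers what a GPO-based logon script can reach; pair it with change monitoring on the Default Domain Policy itself, since the report's attackers edited that policy rather than creating a new GPO. A hit on the hidden-PowerShell signal alone warrants a look, not an alarm; a hit on any of the Chrome-store indicators in a logon script has no benign explanation.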


The attackers then collected the stolen credentials and took steps to erase evidence of the activity. They then encrypted the files and dropped a ransom note into every directory on the system.

Because the stolen credentials were those saved in the Chrome browser, affected users now have to change their username/password combination for every third-party site.

“It is expected that ransomware groups will continue to change their tactics and expand their repertoire of techniques,” the researchers said.

“If they, or other attackers, also decided to mine for endpoint-stored credentials – which could mean a foot in the door to a next target, or a treasure trove of information about high-value targets that could be exploited in other ways – then a new, dark chapter could have begun in the continuing saga of cybercrime.”

Ever-changing trends in ransomware

The development comes as ransomware groups such as Mad Liberator and Mimic have been found to be using unsolicited AnyDesk requests for data exfiltration and leveraging internet-exposed Microsoft SQL servers for initial access, respectively.

Another feature of the Mad Liberator attacks is that the attackers abuse the access to transfer and launch a binary file called ‘Microsoft Windows Update’. This file displays a fake Windows Update welcome screen to the victim to give the impression that software updates are being installed, while stealing data at the same time.

Abusing legitimate remote desktop tools, as opposed to custom malware, gives attackers an effective disguise that camouflages their malicious activity, letting it blend in with normal network traffic and evade detection.


Ransomware remains a profitable business for cybercriminals despite a series of law enforcement actions, with 2024 set to be the most profitable year yet. The year also saw the largest ransomware payment ever recorded, around $75 million to the Dark Angels ransomware group.

“The average ransom payment for the most severe ransomware variants has increased from just under $200,000 in early 2023 to $1.5 million in mid-June 2024, suggesting these variants are primarily targeting larger enterprises and critical infrastructure providers, which may be more willing to pay high ransoms due to their deep pockets and systemic importance,” according to blockchain analytics firm Chainalysis.

Ransomware victims paid an estimated $459.8 million to cybercriminals in the first half of the year, up from $449.1 million year over year. However, the total number of ransomware payment events measured on-chain decreased by 27.29% YoY, indicating a decline in payment rates.

Additionally, Russian-speaking cybercriminals accounted for at least 69% of all cryptocurrency-related ransomware revenues last year, amounting to over $500 million.

According to data shared by NCC Group, the number of ransomware attacks observed in July 2024 rose to 395 from 331 the previous month, but was down from the 502 recorded a year earlier. The most active ransomware families were RansomHub, LockBit and Akira. The most frequently attacked sectors were industrials, consumer cyclicals, and hotels and entertainment.

Industrial organizations are a lucrative target for ransomware groups due to the mission-critical nature of their operations and the high impact of disruptions, making victims more likely to pay the ransoms demanded by the attackers.


“Criminals are targeting where they can cause the most pain and disruption, so the public is demanding quick resolutions and hoping for ransom payments to restore service more quickly,” said Chester Wisniewski, Global Field Chief Technology Officer at Sophos.

“This makes utilities prime targets for ransomware attacks. Due to the essential functions they provide, modern society demands that they recover quickly and with minimal disruption.”

Ransomware attacks on the sector nearly doubled in Q2 2024 compared to Q1, from 169 to 312 incidents, according to Dragos. A majority of attacks targeted North America (187), followed by Europe (82), Asia (29) and South America (6).


“Ransomware actors strategically time their attacks to coincide with peak holiday periods in certain regions to maximize disruption and pressure organizations to pay up,” NCC Group said.

In its own 2024 State of Ransomware report, Malwarebytes highlighted three trends in ransomware tactics over the past year, including a spike in attacks on weekends and in the early morning hours between 1 a.m. and 5 a.m., and a shortening of the time between first access and encryption.


Another notable shift is the increased exploitation of edge services and the increasing targeting of small and medium-sized businesses, according to WithSecure. The takedowns of LockBit and ALPHV (also known as BlackCat) have led to a decline in trust within the cybercriminal community, causing affiliates to turn away from big brands.

Coveware said that more than 10% of the incidents it handled in the second quarter of 2024 were not affiliated with any known ransomware brand. That is, they were “attributed to attackers who deliberately operated independently of a specific brand, and are commonly referred to as ‘lone wolves.’”

“The increasing number of cybercriminal forums and marketplaces being taken offline is shortening the lifespan of criminal sites, as operators of these sites attempt to avoid the attention of law enforcement,” Europol said in an assessment published last month.

“This uncertainty, combined with an increase in exit scams, has contributed to the continued fragmentation of criminal marketplaces. Recent LE operations and ransomware source code leaks (e.g., Conti, LockBit, and HelloKitty) have led to a fragmentation of active ransomware groups and available variants.”
