Qilin ransomware caught stealing credentials stored in Google Chrome – Sophos News

During a recent investigation into a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity leading to the mass theft of credentials stored in Google Chrome browsers on a subset of the network’s endpoints – a credential harvesting technique with potential implications far beyond the original victim’s organization. It’s an unusual tactic, and one that could provide a bonus multiplier to the chaos already inherent in ransomware situations.

What is Qilin?

The Qilin ransomware group has been active for just over two years. In June 2024, it made headlines for an attack on Synnovis, a government service provider for several UK healthcare providers and hospitals. Prior to the activities described in this post, Qilin attacks often involved “double extortion”: stealing the victim’s data, encrypting their systems, and then threatening to release or sell the stolen data if the victim doesn’t pay for the encryption key, a tactic we recently discussed in our “Turning the Screws” investigation.

The Sophos IR team observed the activity described in this post in July 2024. To provide some context, this activity was noted on a single domain controller within the target’s Active Directory domain; other domain controllers in that AD domain were infected, but impacted by Qilin in a different way.

Opening maneuvers

The attacker gained initial access to the environment via compromised credentials. Unfortunately, this method of initial access is not new to Qilin (or other ransomware gangs). Our research indicated that the VPN portal did not have multi-factor authentication (MFA) protection.

The attacker’s dwell time between initial network access and subsequent movement was eighteen days, which may or may not indicate that an Initial Access Broker (IAB) initiated the actual compromise. Regardless, eighteen days after initial access, attacker activity on the system increased, with artifacts showing lateral movement to a domain controller using compromised credentials.

Once the attacker reached the affected domain controller, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two entries. The first, a PowerShell script named IPScanner.ps1, was written to a temporary directory within the SYSVOL (SYStem VOLume) share (the shared NTFS directory on every domain controller within an Active Directory domain) on the specific affected domain controller. It contained a 19-line script that attempted to collect credentials stored in the Chrome browser.

The second item, a batch script named logon.bat, contained the commands to execute the first script. This combination resulted in the collection of credentials stored in Chrome browsers on machines connected to the network. Because these two scripts were in a logon GPO, they were executed on each client machine as it logged in.
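As an added illustration (not code from the Sophos post or from its Powershell.01 query), the following Python runs simple detection logic over constructed Windows event records modelled on the chain described above: a batch logon script launched from SYSVOL, PowerShell started from a script in SYSVOL, and a script block that touches Chrome’s credential store and writes the result back to SYSVOL. The share path corp.example, the host names, the event shapes and the script-block text are all constructed for the sample.

```python
import re

# Constructed sample events (not telemetry from the investigation): a GPO logon
# script launching PowerShell from SYSVOL on host HEMLOCK, and a benign local
# script on WS07 that must not match. Paths and host names are made up.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "HEMLOCK",
     "cmdline": r"cmd.exe /c \\corp.example\SYSVOL\corp.example\scripts\tmp\logon.bat"},
    {"event_id": 4688, "host": "HEMLOCK",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File "
                r"\\corp.example\SYSVOL\corp.example\scripts\tmp\IPScanner.ps1"},
    {"event_id": 4104, "host": "HEMLOCK",
     "script_block": r"$src = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Login Data'; "
                     r"Copy-Item $src \\corp.example\SYSVOL\corp.example\scripts\tmp\HEMLOCK\LD"},
    {"event_id": 4688, "host": "WS07",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

SYSVOL_RE = re.compile(r"\\\\[^\\]+\\SYSVOL\\", re.IGNORECASE)       # UNC path into a SYSVOL share
POWERSHELL_RE = re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE)
CHROME_STORE_RE = re.compile(r"\\Chrome\\User Data\\.*\\Login Data", re.IGNORECASE)

def classify(event):
    """Return the detection names an event triggers (empty list if none)."""
    hits = []
    if event["event_id"] == 4688:                      # process creation
        cmd = event["cmdline"]
        if SYSVOL_RE.search(cmd) and cmd.lower().endswith(".bat"):
            # Logon .bat files in SYSVOL are normal in many domains: context, not an alert alone.
            hits.append("batch_logon_script_from_sysvol")
        if POWERSHELL_RE.search(cmd) and SYSVOL_RE.search(cmd):
            hits.append("powershell_script_from_sysvol")
    elif event["event_id"] == 4104:                    # PowerShell script block logging
        block = event["script_block"]
        if CHROME_STORE_RE.search(block):
            hits.append("chrome_credential_store_access")
            if SYSVOL_RE.search(block):
                hits.append("credential_artifact_written_to_sysvol")
    return hits

# The chain from the post: PowerShell launched out of SYSVOL on the same host
# that then reads Chrome's credential store.
CHAIN = {"powershell_script_from_sysvol", "chrome_credential_store_access"}

def detections_by_host(events):
    """Map host name -> sorted list of distinct detection names."""
    per_host = {}
    for event in events:
        for name in classify(event):
            per_host.setdefault(event["host"], set()).add(name)
    return {host: sorted(names) for host, names in per_host.items()}

def hosts_matching_chain(events):
    """Hosts on which every detection in CHAIN fired."""
    return sorted(host for host, names in detections_by_host(events).items()
                  if CHAIN <= set(names))
```

Running `hosts_matching_chain(SAMPLE_EVENTS)` returns `['HEMLOCK']`; the benign WS07 PowerShell launch produces no detection at all.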

At the endpoints

Whenever a logon occurred on an endpoint, logon.bat would execute the IPScanner.ps1 script, which in turn created two files: a SQLite database file named LD and a text file named temp.log, as seen in Figure 1.

Figure 1: A directory listing showing the two files, LD and temp.log, created by the logon script on an infected machine. We call this demo device Hemlock because it is poisonous.

These files were written back to a newly created directory on the domain’s SYSVOL share and were named with the hostname of the device(s) they were running on (in our example, Hemlock).

The LD database file contains the structure shown in Figure 2.

Figure 2: The structure of LD, the SQLite database file placed in SYSVOL

In a show of confidence that they would not be caught or lose their access to the network, the attacker left this GPO active on the network for over three days. This gave users ample opportunity to log into their devices and, unbeknownst to them, trigger the credential harvesting script on their systems. Since this was all done using a logon GPO, every user would experience this credential scarfing every time they logged in.

To make it harder to assess the scope of the breach, the attacker deleted all files and wiped the event logs for both the domain controller and the infected machines after the files containing the harvested credentials were stolen and exfiltrated. After deleting the evidence, they proceeded to encrypt files and drop the ransom note, as shown in Figure 3. This ransomware leaves a copy of the note in every directory on the machine it runs on.

Figure 3: A Qilin ransom note

The Qilin group again used GPO as a mechanism to influence the network by creating a scheduled task to execute a batch file named run.bat, which downloaded and executed the ransomware.

Impact

In this attack, the IPScanner.ps1 script targeted Chrome browsers—statistically the choice most likely to yield a bountiful password harvest, as Chrome currently holds just over 65 percent of the browser market. The success of each attempt would depend on exactly what credentials each user stored in the browser. (As for how many passwords could be harvested from each infected machine, a recent study suggests that the average user has 87 work-related passwords and about twice that many personal passwords.)

A successful compromise of this sort would require defenders to not only change all Active Directory passwords; they would also (in theory) have to require end users to change passwords for dozens, possibly hundreds, of third-party sites whose users have saved their username/password combinations in the Chrome browser. Of course, defenders would have no way of forcing users to do that. In terms of the end-user experience, while virtually every Internet user at this point has received at least one “your information has been breached” notification from a site that has lost control of its users’ data, in this situation it’s the other way around — one user, dozens or hundreds of separate breaches.

It may be interesting to note that in this particular attack, other domain controllers in the same Active Directory domain were encrypted, but the domain controller where this particular GPO was originally configured was not encrypted by the ransomware. What this could have been – a misfire, a mistake, A/B testing by the attacker – is beyond the scope of our investigation (and this post).

Conclusion

As expected, ransomware groups continue to change tactics and expand their repertoire of techniques. The Qilin ransomware group may have decided that by only targeting the network assets of their target organizations, they were missing something.

If they, or other attackers, also decided to mine for credentials stored on endpoints – which could mean a foot in the door to a next target, or a treasure trove of information about high-value targets that can be exploited in other ways – then a new, dark chapter in the ongoing saga of cybercrime could have begun.

Acknowledgements

Anand Ajjan of SophosLabs and Ollie Jones and Alexander Giles of the Incident Response team contributed to this analysis.

Response and recovery

Organizations and individuals should rely on password managers that use industry best practices for software development and are regularly tested by an independent third party. Using a browser-based password manager has been proven unsafe time and time again, and this article is the latest proof.

Multi-factor authentication would have been an effective preventative measure in this situation, as we’ve discussed elsewhere. While MFA adoption continues to grow, a 2024 LastPass study indicates that while MFA adoption among companies with 10,000+ employees is a not-terrible 87%, that adoption rate drops precipitously – from 78% for companies with 1,001-1,000 employees to a 27% adoption rate for companies with 25 employees or less. To put it bluntly, companies need to do better, for their own security – and in this case, for the security of other companies as well.

Our own Powershell.01 query was instrumental in identifying suspicious PowerShell commands executed during the attack. That query is freely available on our GitHub, along with many others.

Sophos detects Qilin ransomware as Troj/Qilin-B and with behavioral detections such as Impact_6a and Lateral_8a. The script described above is detected as Trojan/Ransom HDV.