The cybercriminals responsible for a recent Qilin ransomware attack have successfully extracted credentials stored in Google Chrome browsers from a limited number of compromised endpoints.
This integration of credential theft within a ransomware attack is an uncommon tactic and one with potentially far-reaching implications, cybersecurity firm Sophos noted in a report on Thursday.
The attack, identified in July 2024, began when the threat actors infiltrated the target’s network by exploiting compromised VPN credentials that lacked multi-factor authentication (MFA). Post-exploitation actions were initiated 18 days after the initial access.
“Once the attacker accessed the domain controller, they modified the default domain policy to deploy a logon-based Group Policy Object (GPO) containing two elements,” researchers Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia, and Robert Weiland explained.
The first element was a PowerShell script, “IPScanner.ps1,” designed to collect credentials stored in the Chrome browser. The second element, a batch script (“logon.bat”), executed the PowerShell script.
“The attacker left this GPO active in the network for over three days,” the researchers stated.
“This gave ample time for users to unknowingly trigger the credential-harvesting script simply by logging into their devices. Since this was executed via a logon GPO, the credential theft occurred with every login.”
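A defender-side check for the technique described above, added here as an example and not part of the Sophos report: it walks the domain's SYSVOL share for logon/logoff/startup/shutdown scripts deployed through GPOs and flags recently modified ones and those containing keywords matching the batch-launches-PowerShell, PowerShell-reads-Chrome pattern. The keyword list, the seven-day window and the use of `$env:USERDNSDOMAIN` to locate SYSVOL are assumptions; it needs to run on a domain-joined host with read access to SYSVOL.

```powershell
# Added audit example (not from the original article): list GPO-deployed
# logon/logoff/startup/shutdown scripts in SYSVOL and flag suspicious ones.
# Assumption: domain-joined host, read access to \\<domain>\SYSVOL.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"
$lookback = (Get-Date).AddDays(-7)              # assumed review window
# Assumed indicators: a batch wrapper invoking PowerShell, and a script
# that touches Chrome, as in the IPScanner.ps1 / logon.bat chain above.
$keywords = 'powershell', 'Chrome', 'Bypass'

Get-ChildItem -Path $policies -Recurse -File -Include *.ps1,*.bat,*.cmd,*.vbs -ErrorAction SilentlyContinue |
  Where-Object { $_.FullName -match '\\Scripts\\(Logon|Logoff|Startup|Shutdown)\\' } |
  ForEach-Object {
      $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
      $hits    = $keywords | Where-Object { $content -match [regex]::Escape($_) }
      # The {GUID} folder under Policies identifies the GPO the script belongs to
      $gpoId   = if ($_.FullName -match '\{[0-9A-Fa-f-]+\}') { $Matches[0] } else { 'unknown' }
      [pscustomobject]@{
          GpoId     = $gpoId
          Script    = $_.Name
          Modified  = $_.LastWriteTime
          Recent    = $_.LastWriteTime -gt $lookback   # changed inside the review window
          Keywords  = ($hits -join ', ')
          Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
      }
  } |
  Sort-Object Modified -Descending |
  Format-Table -AutoSize
```

Resolve `GpoId` to a name with `Get-GPO -Guid <id>` from the GroupPolicy module, and compare the reported hashes against a known-good baseline so that a script added to an existing default policy stands out even when its name looks routine.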
After exfiltrating the stolen credentials, the attackers wiped traces of their activity before encrypting files and deploying ransom notes in every directory on the affected systems.
The compromise of credentials stored in Chrome now forces impacted users to reset their login details for all third-party accounts.
“Ransomware operators are continuously evolving their methods and broadening their range of techniques,” the researchers remarked.
“Should they, or other cybercriminals, choose to increasingly target endpoint-stored credentials – which could be leveraged to breach other targets or harvest valuable information on high-profile entities – this could signal a disturbing new phase in the landscape of cybercrime.”
Ever-evolving Trends in Ransomware
The latest developments reveal that ransomware groups such as Mad Liberator and Mimic have adopted new tactics, with Mad Liberator employing unsolicited AnyDesk requests for data exfiltration and Mimic exploiting internet-exposed Microsoft SQL servers for initial access.
In Mad Liberator’s attacks, threat actors use their access to deploy and execute a binary named “Microsoft Windows Update,” which presents a fake Windows Update splash screen to the victim. This deception convinces victims that software updates are in progress, while their data is covertly being stolen.
The use of legitimate remote desktop tools, rather than custom malware, enables attackers to blend in with normal network traffic, allowing them to carry out their malicious activities unnoticed and evade detection.
Despite intensified law enforcement efforts, ransomware remains highly profitable, with 2024 poised to set a new record for revenue. The year also witnessed the highest-ever ransomware payment, amounting to approximately $75 million, made to the Dark Angels ransomware group.
According to blockchain analytics firm Chainalysis, “The median ransom payment to the most severe ransomware strains has spiked from just under $200,000 in early 2023 to $1.5 million in mid-June 2024, suggesting that these strains are prioritizing targeting larger businesses and critical infrastructure providers that may be more likely to pay high ransoms due to their deep pockets and systemic importance.”
Ransomware victims are estimated to have paid $459.8 million in the first half of 2024, up from $449.1 million in the same period a year earlier. However, on-chain data reveals a 27.29% decline in the total number of ransomware payment events, suggesting that fewer victims are choosing to pay the ransom.
Notably, Russian-speaking threat groups were responsible for at least 69% of all cryptocurrency proceeds linked to ransomware in 2023, amassing over $500 million.
Data from NCC Group shows that ransomware attacks in July 2024 increased month-over-month, rising from 331 to 395, though this figure is down from the 502 attacks recorded in the same period last year. The most active ransomware groups were RansomHub, LockBit, and Akira, with industrials, consumer cyclicals, and hotels and entertainment being the most frequently targeted sectors.
Industrial organizations remain prime targets for ransomware groups, as the mission-critical nature of their operations heightens the pressure to meet ransom demands in order to minimize disruptions.
“Criminals target sectors where they can inflict maximum pain and disruption, anticipating that the public’s demand for swift resolutions will pressure victims into paying ransoms to restore services faster,” said Chester Wisniewski, global field chief technology officer at Sophos.
“This makes utilities particularly vulnerable to ransomware attacks. Given the critical nature of their services, modern society expects them to recover rapidly with minimal disruption.”
Ransomware attacks on the utility sector nearly doubled in Q2 2024 compared to Q1, surging from 169 to 312 incidents, according to Dragos. Most of the attacks targeted North America (187), followed by Europe (82), Asia (29), and South America (6).
“Ransomware operators are carefully timing their attacks to coincide with peak holiday periods in certain regions, aiming to maximize disruption and increase pressure on organizations to make payments,” noted NCC Group.
Malwarebytes, in its 2024 State of Ransomware report, outlined three key trends in ransomware tactics over the past year. These include an increase in attacks during weekends and early morning hours (between 1 a.m. and 5 a.m.) and a reduction in the time between initial access and file encryption.
Additionally, WithSecure observed a growing exploitation of edge services and a shift towards targeting small and medium-sized businesses. The takedowns of LockBit and ALPHV (also known as BlackCat) have further fragmented the cybercriminal landscape, leading affiliates to distance themselves from major brands due to waning trust within the community.
Indeed, Coveware reported that over 10% of the ransomware incidents it handled in Q2 2024 were carried out by unaffiliated attackers, often referred to as ‘lone wolves,’ who deliberately operated independently of established ransomware groups.
Europol, in a recent assessment, noted that ongoing takedowns of cybercriminal forums and marketplaces have reduced the lifespan of criminal sites as administrators work to avoid attracting law enforcement attention.
“This volatility, coupled with a surge in exit scams, has accelerated the fragmentation of criminal marketplaces,” Europol stated. “Recent law enforcement actions, along with the leaks of ransomware source codes—such as Conti, LockBit, and HelloKitty—have splintered the landscape of active ransomware groups and the variants they deploy.”
Source: TheHackerNews