In a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team detected attacker activity that led to a massive theft of credentials stored in Google Chrome browsers on a portion of the network’s endpoints. This unusual tactic of credential harvesting could have implications far beyond the original victim’s organization, adding another layer of chaos to ransomware scenarios.

What is Qilin?

The Qilin ransomware group has been operating for just over two years and made headlines in June 2024 with an attack on Synnovis, a pathology services provider to UK healthcare providers and hospitals. Prior to the activities described in this post, Qilin attacks typically involved “double extortion,” wherein the attacker steals the victim’s data, encrypts their systems, and threatens to disclose or sell the stolen data if the ransom isn’t paid. We discussed this tactic further in our “Turning the Screws” research.

The Sophos IR team detected the activities described in this post in July 2024. For context, the team observed this activity on a single domain controller within the victim’s Active Directory domain. Other domain controllers in the same AD domain were also infected, but Qilin affected them differently.

The opening maneuvers

The attacker gained initial access to the network via compromised credentials, a common approach not only for Qilin but for other ransomware groups as well. Our investigation revealed that the network’s VPN portal was not protected by multifactor authentication (MFA), so a valid username and password alone were sufficient to get in.

The attacker remained dormant for eighteen days before becoming more active on the network, a gap that suggests an Initial Access Broker (IAB) may have obtained the credentials and sold the access on. After this period, artifacts on the affected systems showed increased attacker activity, including lateral movement to a domain controller using the compromised credentials.

Once the attacker accessed the domain controller, they altered the default domain policy to introduce a log