Recent Qilin Ransomware Campaign Exploits VPN Credentials, Pilfers Chrome Data

A small set of compromised endpoints were caught up in a Qilin ransomware attack in which the threat actors harvested credentials stored in Google Chrome browsers.


In an unusual twist, the combination of credential harvesting with a ransomware attack has serious implications, according to a report published Thursday by cybersecurity company Sophos.

The intrusion, discovered in July 2024, began with access to the target network through compromised credentials for a VPN portal that did not enforce multi-factor authentication (MFA); the threat actors started post-exploitation activity 18 days after the initial breach.

“Following their infiltration of the specific domain controller, the attacker manipulated the default domain policy to introduce a logon-oriented Group Policy Object (GPO) incorporating two elements,” said researchers Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia, and Robert Weiland.

The first is a PowerShell script named “IPScanner.ps1”, designed to harvest credential data stored in the Chrome browser. The second is a batch script (“logon.bat”) containing the commands that launch the PowerShell script.

“The attacker kept this GPO active on the network for over three days,” the researchers added.

“This extended window allowed users to inadvertently trigger the credential-harvesting script on their systems upon login, without their knowledge. The logon GPO method ensured each user underwent the credential acquisition process with every login.”
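As an added example (not code from the Sophos report, which does not reproduce IPScanner.ps1 or logon.bat), the following PowerShell audit walks SYSVOL for the logon and startup scripts deployed by every GPO and flags any script that changed recently, that belongs to the Default Domain Policy, or that references Chrome's credential store. The domain name, the seven-day window and the indicator strings are assumptions chosen for illustration; the Default Domain Policy GUID is the well-known one.

```powershell
# Added example, not part of the original report: hunt for GPO-deployed logon/startup
# scripts like the one described above. Run from a domain-joined host with read access
# to SYSVOL (any authenticated domain user normally has it).
param(
    [string]$Domain       = $env:USERDNSDOMAIN,   # assumption: audit the current domain
    [int]   $LookbackDays = 7                     # assumption: what counts as a "recent" change
)

$policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"
$since      = (Get-Date).AddDays(-$LookbackDays)

# Well-known GUID of the Default Domain Policy, the GPO the attackers modified.
$defaultDomainPolicy = '{31B2F340-016D-11D1-A2A0-1EA0F8C4DD2E}'

# Strings a Chrome credential harvester would plausibly reference. These are assumed
# indicators based on where Chrome keeps its data, not the contents of IPScanner.ps1.
$indicators = @('Login Data', 'Local State', 'Web Data', 'Cookies', 'CryptUnprotectData')

$findings = foreach ($gpoDir in Get-ChildItem -Path $policyRoot -Directory -ErrorAction SilentlyContinue) {
    # Resolve the display name if the GroupPolicy (RSAT) module is available; otherwise keep the GUID.
    $displayName = try {
        (Get-GPO -Guid $gpoDir.Name.Trim('{}') -ErrorAction Stop).DisplayName
    } catch { '(unresolved)' }

    # Classic logon/startup scripts live under these folders; scripts.ini / psscripts.ini
    # in the same folders list what actually runs (and may point at scripts stored elsewhere).
    $scriptDirs = @("$($gpoDir.FullName)\User\Scripts\Logon",
                    "$($gpoDir.FullName)\Machine\Scripts\Startup")

    foreach ($dir in $scriptDirs) {
        if (-not (Test-Path -Path $dir)) { continue }
        foreach ($file in Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue) {
            $content = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
            $hits    = @($indicators | Where-Object {
                $content -and $content.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
            })
            $recent    = $file.LastWriteTime -gt $since
            $isDefault = $gpoDir.Name -ieq $defaultDomainPolicy

            # Report anything recent, anything in the Default Domain Policy, or anything
            # that touches Chrome's credential files. Empty $hits is normal for .ini files.
            if ($recent -or $isDefault -or $hits.Count -gt 0) {
                [pscustomobject]@{
                    Gpo                 = "$displayName $($gpoDir.Name)"
                    Script              = $file.FullName
                    LastWrite           = $file.LastWriteTime
                    RecentChange        = $recent
                    DefaultDomainPolicy = $isDefault
                    Indicators          = ($hits -join ', ')
                }
            }
        }
    }
}

$findings | Sort-Object -Property LastWrite -Descending | Format-Table -AutoSize
```

The script only covers classic logon and startup scripts; a GPO can also launch code through scheduled tasks or Group Policy Preferences, so treat a clean result as one signal rather than proof. Any unexplained script in the Default Domain Policy, or any script that reads Chrome's "Login Data" or "Local State" files, warrants a look at the GPO's change history on the domain controllers.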


The attackers then exfiltrated the stolen credentials and took steps to erase evidence of their activity before encrypting files and dropping a ransom note in every directory on the system.

Because the credentials were taken from the Chrome browser's saved logins, affected users need to reset the username and password pair for every external site stored there.

“Ransomware factions persist in tweaking their strategies and diversifying their skill sets,” remarked the researchers.

“Should they, or other malefactors, opt to delve into endpoint-stored credentials – a potential gateway at a subsequent destination or a source of valuable intelligence on high-profile targets for alternative exploitation – a shadowy chapter may have revealed itself in the ongoing narrative of cybercrime.”

Dynamic Trends in Ransomware Landscape

This development comes as ransomware groups such as Mad Liberator and Mimic have been observed, respectively, using unsolicited AnyDesk requests for data exfiltration and exploiting publicly exposed Microsoft SQL servers for initial access.

The Mad Liberator attacks are further characterized by the intruders using this access to transfer and run a binary named “Microsoft Windows Update,” which displays a fake Windows Update screen to the victim, simulating a software update while data is exfiltrated.

Using legitimate remote desktop tools rather than custom malware gives attackers cover to hide in plain sight, blending into normal network traffic and evading detection.


Despite law enforcement actions, ransomware remains a lucrative business for cybercriminals, with 2024 on track to be the most profitable year yet. The year has also seen the largest ransom payment on record, roughly $75 million to the Dark Angels ransomware group.

“The median ransom received by the most severe ransomware strains soared from just below $200,000 in early 2023 to $1.5 million in mid-June 2024, indicating a preference for targeting larger enterprises and vital infrastructure entities more likely to acquiesce to substantial ransoms due to their substantial resources and systemic significance,” blockchain analytics enterprise Chainalysis stated.

Ransomware victims are believed to have paid $459.8 million to cybercriminals in the first six months of the year, up from $449.1 million in the same period a year earlier. However, the total number of ransomware payment events recorded on the blockchain fell 27.29% year-over-year, indicating that payments are becoming less frequent.

Furthermore, Russian-speaking threat groups accounted for at least 69% of all cryptocurrency proceeds linked to ransomware last year, exceeding $500 million.

Data shared by NCC Group shows that ransomware incidents recorded in July 2024 rose 19.9%, from 331 to 395, though this is down from the 502 cases recorded in the same month of the previous year. The most active ransomware groups were RansomHub, LockBit, and Akira. The most targeted sectors were industrials, consumer cyclicals, and hotels and entertainment.

Industrial organizations are a profitable target for ransomware groups because their operations are critical and disruptions are costly, which raises the likelihood that victims pay.


“Cybercriminals focus on areas where they can inflict the most harm and turmoil to elicit rapid resolutions from the public and, ideally, ransom payments for a quicker service restoration,” Chester Wisniewski, the global field chief technology officer at Sophos, remarked.

“Utilities stand as primary targets for ransomware threats. Given their indispensable services, society demands swift recovery from them with minimal disruption.”

Ransomware activity targeting industrial organizations nearly doubled in Q2 2024 compared with Q1, rising from 169 to 312 incidents, according to Dragos. Most of these attacks targeted North America (187), followed by Europe (82), Asia (29), and South America (6).


“Ransomware perpetrators strategically time their assaults to align with peak holiday periods in specific regions to maximize chaos and prompt organizations towards making payments,” stated NCC Group.

According to Malwarebytes’ 2024 State of Ransomware report, ransomware tactics showed three notable trends over the past year, including a surge in attacks on weekends and in the early morning hours between 1 a.m. and 5 a.m., and a shrinking window between initial access and encryption.


Another notable shift is the heightened focus on exploiting edge services and on targeting small and medium-sized businesses, as highlighted by WithSecure, which also noted that the collapse of groups like LockBit and ALPHV has eroded trust within the cybercriminal community, prompting affiliates to distance themselves from the large operations.

Moreover, Coveware reported that more than 10% of the incidents it handled in Q2 2024 were unaffiliated, meaning they were carried out by independent attackers, so-called “lone wolves.”

“Continual crackdowns on cybercriminal forums and platforms have shortened the lifespan of illicit websites, as administrators seek to evade law enforcement attention,” outlined Europol in a recent assessment.

“This uncertainty, combined with a surge in exit scams, has contributed to the continued fracturing of illicit markets. Recent law enforcement activities and the exposure of ransomware source codes, such as Conti, LockBit, and HelloKitty, have resulted in the disintegration of active ransomware groups and available strains.”
