The threat actors behind the recently observed Qilin ransomware attack stole credentials stored in Google Chrome browsers on a small set of compromised endpoints.
The use of credential harvesting in connection with ransomware infections marks an unusual twist that could have cascading effects, cybersecurity firm Sophos said in a report on Thursday.
The attack, discovered in July 2024, involved infiltrating the target network via compromised credentials for a VPN portal that lacked multi-factor authentication (MFA), with threat actors conducting post-exploitation activities 18 days after initial access.
“Once the attacker reached the domain controller in question, he edited the default domain policy to inject a login-based Group Policy Object (GPO) containing two elements,” researchers Lee Kirkpatrick, Paul Jacobs, Harshal Ghazalia and Robert Weiland said.
The first one is a PowerShell script called “IPScanner.ps1” which is designed to harvest the credentials stored in the Chrome browser. The second element is a batch script (“logon.bat”) that calls the commands to execute the first script.
“The attacker left this GPO active on the network for more than three days,” the researchers added.
“This gave users ample opportunity to log in on their devices and unknowingly run a credential harvesting script on their systems. Again, since this was all done using a login GPO, every user experienced this credential deletion every time they logged in.”
The attackers then exfiltrated the stolen credentials and took steps to erase evidence of the activity before encrypting the files and dropping a ransom note into every directory on the system.
The theft of credentials stored in the Chrome browser means that affected users must now change their username and password combinations for each third-party site.
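A defender-side way to catch the pattern described above (a GPO logon script launching PowerShell, followed by a process other than Chrome reading Chrome's saved-password store), as an added example that is not from the Sophos report: a small Python detector run over constructed Sysmon and Windows Security events. Host names, paths and the event field names are assumptions; spotting the file access assumes a SACL that audits reads of Chrome's "Login Data" file (Security event 4663).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Chrome keeps saved passwords in the SQLite file "Login Data" under each profile.
LOGIN_DATA = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)
# A user logon script delivered by GPO is run from SYSVOL\...\Policies\{GUID}\User\Scripts\Logon\
GPO_LOGON_SCRIPT = re.compile(r"\\sysvol\\.+\\policies\\\{[0-9a-f-]+\}\\user\\scripts\\logon\\", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
CHROME = re.compile(r"\\chrome\.exe$", re.I)

@dataclass
class Event:
    host: str
    event_id: int          # 1 = Sysmon ProcessCreate, 4663 = Security object access (assumed field layout)
    image: str             # process that generated the event
    command_line: str = ""
    object_name: str = ""  # for 4663: the file that was accessed

def classify(e: Event):
    """Tag a single event, or return None if it is not part of the pattern."""
    if e.event_id == 1 and POWERSHELL.search(e.image) and GPO_LOGON_SCRIPT.search(e.command_line):
        return "powershell_from_gpo_logon_script"
    if e.event_id == 4663 and LOGIN_DATA.search(e.object_name) and not CHROME.search(e.image):
        return "non_chrome_read_of_login_data"
    return None

def detect(events):
    """Per host: 'high' when both halves of the pattern are seen, 'medium' for either one alone."""
    per_host = defaultdict(set)
    for e in events:
        tag = classify(e)
        if tag:
            per_host[e.host].add(tag)
    return {host: ("high" if len(tags) == 2 else "medium") for host, tags in per_host.items()}

# Constructed sample events (not real telemetry). {31B2F340-...} is the well-known Default Domain Policy GUID.
DDP = r"\\corp.example\sysvol\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\Scripts\Logon"
SAMPLE_EVENTS = [
    Event("ws01", 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=f"powershell.exe -ExecutionPolicy Bypass -File {DDP}\\IPScanner.ps1"),
    Event("ws01", 4663, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          object_name=r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("ws02", 4663, r"C:\Program Files\Google\Chrome\Application\chrome.exe",   # benign: Chrome itself
          object_name=r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("ws03", 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=f"powershell.exe -File {DDP}\\MapDrives.ps1"),                 # script alone: medium
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Any PowerShell launched from a Default Domain Policy logon script deserves a look on its own, since that GPO should rarely carry user scripts at all.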
“As you might expect, ransomware groups continue to change tactics and expand their repertoire of methods,” the researchers note.
“If they or other attackers decide to also mine the identity data stored on the endpoints — which could give access to the next target, or reams of information about important targets to be exploited by other means — a new chapter in the ongoing story of cybercrime may have opened.”
Ransomware trends are constantly evolving
The development comes as the ransomware groups Mad Liberator and Mimic have been observed using unsolicited AnyDesk requests to steal data and abusing Microsoft SQL servers exposed on the Internet for initial access, respectively.
Mad Liberator attacks are also characterized by threat actors abusing access rights to transfer and run a binary file called “Microsoft Windows Update” that shows the victim a fake Windows Update splash screen, giving the impression that software updates are being installed while data is being stolen.
The abuse of legitimate remote desktop tools, unlike custom-made malware, offers attackers the perfect cloak to hide their malicious activities in plain sight, allowing them to blend in with normal network traffic and remain undetected.
Ransomware continues to be a lucrative business for cybercriminals, despite a number of law enforcement actions, and 2024 is on track to be the most profitable year yet. The year also saw the largest ransomware payout ever recorded, at around $75 million, to the Dark Angels ransomware group.
“The average ransom paid for the most serious ransomware strains rose from just under $200,000 in early 2023 to $1.5 million in mid-June 2024, indicating that these strains favor large enterprises and critical infrastructure providers, who are likely to pay high ransoms because of their deep pockets and systemic importance,” analyst firm Chainalysis said.
Ransomware victims paid an estimated $459.8 million to cybercriminals in the first half of the year, up from $449.1 million for the same period a year earlier. However, the total number of ransomware payments measured on-chain decreased by 27.29% year-over-year, indicating a decrease in payment rates.
Moreover, Russian-speaking groups accounted for at least 69% of all cryptocurrency revenue linked to ransomware in the past year, exceeding $500 million.
According to data shared by NCC Group, the number of ransomware attacks recorded in July 2024 increased from 331 to 395 compared to the previous month, but was down from 502 reported last year. The most active ransomware families were RansomHub, LockBit, and Akira. Sectors most frequently attacked include industrials, consumer durables, hotels and entertainment.
Industrial organizations are a profitable target for ransomware groups due to the mission-critical nature of their operations and the significant impact of disruptions, which increases the likelihood that victims will pay the ransom amount demanded by attackers.
“Criminals are concentrated where they can cause the most pain and disruption, so the public will demand quick solutions and they hope that paying the ransom will help restore services more quickly,” said Chester Wisniewski, Global CTO, Sophos.
“This makes utilities prime targets for ransomware attacks. Because of the essential functions they provide, today’s society requires them to recover quickly and with minimal disruption.”
Ransomware attacks targeting this sector nearly doubled in Q2 2024 compared to Q1, from 169 to 312 incidents, according to Dragos. North America (187) had the most attacks, followed by Europe (82), Asia (29) and South America (6).
“Ransomware strategically times its attacks around peak holiday periods in certain regions to maximize disruption and force organizations to pay,” NCC Group said.
Malwarebytes, in its own State of Ransomware 2024 report, highlighted three trends in ransomware tactics over the past year, including a surge in attacks on weekends and in the early morning between 1 and 5 a.m., and a reduction in the time from initial access to encryption.
Another noticeable shift is the increased use of edge services and a focus on small and medium-sized businesses, WithSecure said, adding that the dismantling of LockBit and ALPHV (aka BlackCat) has eroded trust in the cybercriminal community, causing affiliates to move away from major brands.
Indeed, Coveware said more than 10% of the incidents handled by the company in Q2 2024 were unaffiliated, meaning they were “attributed to attackers who were deliberately operating independently of a specific brand and what we commonly refer to as ‘lone wolves’.”
“Continuous takedowns of cybercriminal forums and marketplaces have shortened the life cycle of criminal sites as site administrators try to avoid attracting the attention of law enforcement,” Europol said in an assessment published last month.
“This uncertainty, coupled with a surge in exit fraud, has contributed to the continued fragmentation of criminal markets. Recent LE operations and leaked ransomware source codes (such as Conti, LockBit, and HelloKitty) have fragmented active ransomware groups and available options.”