Watch out — Google Chrome details can be stolen by this clever new ransomware
Qilin ransomware can pull Chrome data from network-connected endpoints
Researchers from Sophos have identified Qilin ransomware successfully extracting sensitive data stored in Google Chrome browsers.
In a report, Sophos described how cybercriminals accessed an unnamed organization’s IT infrastructure using previously compromised credentials for a Virtual Private Network (VPN) portal. This portal lacked multi-factor authentication (MFA), making it easier to breach.
Whether the initial intrusion was conducted by an Initial Access Broker (IAB) and subsequently handed over to ransomware operators, or accomplished by the same entity, remains unknown.
Credential theft on a large scale
The cybercriminals operated for 18 days, moving laterally to a domain controller using the compromised credentials. They managed to infect other domain controllers in the Active Directory domain, although the impact varied.
Qilin follows a traditional double-extortion method: first stealing data, then encrypting devices, and demanding a ransom for decryption. What sets this attack apart is its specific targeting of Google Chrome.
"During a recent Qilin ransomware investigation, the Sophos X-Ops team observed attackers exfiltrate credentials from Google Chrome browsers on multiple network endpoints—a tactic that could amplify the disruption inherent in ransomware attacks," explained the researchers.
Simply put, Qilin harvested credentials saved in Chrome browsers on devices connected to the compromised network.
According to Sophos, the evolving tactics of cybercriminals mean organizations should rely on dedicated password managers and implement MFA to mitigate these risks.
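As an added illustration that is not part of the Sophos report or this article: one concrete way an administrator can act on the "use a password manager instead of the browser" half of that recommendation is to stop Chrome from offering to save passwords at all, so that credentials live only in the organization's dedicated password manager. Chrome reads enterprise policy files from /etc/opt/chrome/policies/managed/ on Linux (on Windows the same policy names are set under the Google\Chrome policy registry key); PasswordManagerEnabled and SyncDisabled are Chrome's documented policy names, while the file name below and the decision to also disable sync are my own choices.

```json
{
  "PasswordManagerEnabled": false,
  "SyncDisabled": true
}
```

Saved as, for example, /etc/opt/chrome/policies/managed/no-browser-passwords.json, this turns off Chrome's built-in password saving (which is on by default) and prevents any already saved passwords from being synced to other profiles. It does not remove credentials a user has already stored, so it is best paired with a one-time clean-up of existing saved passwords and with the MFA rollout the article describes, since MFA limits the value of any credential that is still stolen.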
Earlier, SSP wrote that major firms were targeted by an emerging cybercrime campaign.