Qilin, a new and deadly ransomware, targets personal data stored in Google Chrome, including login credentials. Worse still, it can infect all devices on the same network.
Even though it is constantly being upgraded and improved, Google Chrome is not immune to the problems that affect all software, and in particular to security flaws, those “small defects” that escape the vigilance of developers. And since it is the most widely used web browser in the world, it is a prime target for cybercriminals, who keep finding new ways to infect Internet users’ devices and seize their personal data. The latest threat is the Qilin ransomware, which introduces a worrying new tactic: the deployment of a custom credential stealer. This development, observed by the Sophos X-Ops team, means that the malware can not only steal victims’ data but also harvest credentials stored in the Google Chrome browser on their devices, something that had never been observed before.
Qilin: A New Way to Harvest Chrome Identifiers
As a reminder, ransomware is malicious software developed by hackers to extort money from victims. Once installed on the computer, the malware takes the data it contains hostage. It encrypts all or part of the device’s content, including key elements of the operating system and, above all, personal data and files (documents, photos, videos, messages, etc.). All of these files are locked and inaccessible to their owner. To regain use of them, the victim is ordered to pay a ransom, generally in cryptocurrency so as to leave no trace of the transaction, failing which their files will be permanently destroyed. Once the ransom is paid, the hacker is supposed to provide the key to decrypt the data and regain control… provided they keep their word!
The hackers first gained access to an organization’s IT infrastructure via compromised credentials for a VPN portal that lacked two-factor authentication. Then, 18 days later, they moved on to accessing data stored in the browser, including login credentials and other sensitive information. Qilin’s technique is particularly alarming because it applies to every machine on the network: every device a user logs in to is subjected to the credential harvesting process. As a result, the threat persists even after the initial ransomware incident has been resolved. The stolen information can then be used to gain access to other systems or resold on the dark web.
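The network-wide harvesting pattern described above is exactly what a defender would want to surface in file-access telemetry. The following Python is an added example, not part of the original article or of Sophos X-Ops’ published work: it assumes a constructed audit-log line format, assumes Chrome’s saved-password database lives under `Google\Chrome\User Data\<profile>\Login Data` in the user’s local application data, flags any process other than chrome.exe that opens it, and then groups the hits by process across hosts so that one harvester running at every login stands out.

```python
"""Detection sketch: flag processes other than Chrome itself reading Chrome's
saved-password database, then show how widely each such process appears
across hosts.  All log lines below are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
import fnmatch
import re

# Assumed location of Chrome's saved-password database, one per profile
# (e.g. "Default", "Profile 1"); path separators are normalised to "/".
LOGIN_DATA_GLOB = "*/google/chrome/user data/*/login data*"

# Only the browser itself is expected to open that file.
ALLOWED_PROCESSES = {"chrome.exe"}

# Constructed record format, modelled loosely on a file-access audit event:
#   host=WS01 user=CORP\alice image="C:\...\x.exe" target="C:\...\Login Data"
LINE_RE = re.compile(
    r'host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image="(?P<image>[^"]+)"\s+target="(?P<target>[^"]+)"'
)


@dataclass(frozen=True)
class FileAccess:
    host: str
    user: str
    process: str   # image basename, lower-cased
    path: str      # normalised target path, lower-cased


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def parse_line(line: str):
    """Return a FileAccess for a well-formed record, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    image = _norm(m["image"])
    return FileAccess(
        host=m["host"],
        user=m["user"],
        process=image.rsplit("/", 1)[-1],
        path=_norm(m["target"]),
    )


def is_credential_store(path: str) -> bool:
    """True if the (normalised) path is a Chrome 'Login Data' database."""
    return fnmatch.fnmatchcase(_norm(path), LOGIN_DATA_GLOB)


def suspicious_accesses(lines):
    """Accesses to the credential store by anything other than the browser."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_credential_store(rec.path):
            continue
        if rec.process not in ALLOWED_PROCESSES:
            hits.append(rec)
    return hits


def hosts_by_process(hits):
    """Map each flagged process to the sorted hosts it was seen on; a single
    process touching the store on many hosts is the network-wide pattern."""
    spread = defaultdict(set)
    for rec in hits:
        spread[rec.process].add(rec.host)
    return {proc: sorted(hosts) for proc, hosts in spread.items()}


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r'host=WS01 user=CORP\alice image="C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'target="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'host=WS01 user=CORP\alice image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'target="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'host=WS02 user=CORP\bob image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'target="C:\Users\bob\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data"',
    r'host=WS03 user=CORP\carol image="C:\Windows\explorer.exe" '
    r'target="C:\Users\carol\Documents\report.docx"',
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    flagged = suspicious_accesses(SAMPLE_LOG)
    for rec in flagged:
        print(f"{rec.host} {rec.user} {rec.process} -> {rec.path}")
    print(hosts_by_process(flagged))
```

On the constructed sample, the browser’s own read on WS01 is ignored, the two script-interpreter reads on WS01 and WS02 are flagged, and the per-process summary shows the same interpreter hitting the store on both hosts. In a real deployment the input would be file-access audit events from an EDR or from Windows object-access auditing, and the allow-list would be tuned to whatever legitimately backs up or syncs browser profiles in that environment.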
To protect against this new threat, security experts recommend adopting two-factor authentication (2FA), which would likely have been enough to prevent Qilin from accessing the system in the case studied here. A password manager can also be useful, provided that it is not itself compromised or hit by a bug. Recently, millions of Chrome users lost access to the passwords they had saved in Google’s browser because of a major bug in the manager.