Cyber Heist: Inside the Qilin Ransomware Group's Clever Password Theft Scheme - Minneapolis Cloud Services and Managed Service Provider Verus Corporation

Cyber Heist: Inside the Qilin Ransomware Group’s Clever Password Theft Scheme

Posted September 3, 2024

The Qilin ransomware group recently carried out a sophisticated cyber attack that targeted Google Chrome passwords. They did this by cleverly manipulating something called Group Policy Objects (GPOs) in computer networks. This attack is particularly concerning because it shows how cybercriminals are becoming more advanced in their methods.

Key Terms:

Ransomware: A type of malicious software that encrypts a victim’s files. The attackers then demand a ransom from the victim to restore access to the data upon payment.
Group Policy Objects (GPOs): A feature in Windows networks that administrators use to manage and configure computer and user settings across an organization.

Attack Phases

The Qilin group’s attack was carried out in several stages. Let’s break down each phase to understand how they operated:

Initial Access
The attackers first gained access to the network by using stolen VPN (Virtual Private Network) credentials. Importantly, these credentials didn’t have Multi-Factor Authentication (MFA) enabled, which made the initial break-in easier. After gaining access, they waited for 18 days before making their next move. This waiting period, known as a dormancy period, allowed them to secretly observe the network and plan their next steps without being detected.
Key Terms:
- VPN: A service that allows users to securely access a private network from outside locations.
- Multi-Factor Authentication (MFA): A security system that requires more than one method of authentication to verify the user’s identity for a login or other transaction.
Lateral Movement and Credential Harvesting
Once inside the network, the attackers moved to a critical part of the system called a domain controller. This is essentially the brain of the network, controlling access and security policies. They then modified the default domain policy to include their own malicious scripts. These scripts were designed to collect (or “harvest”) Google Chrome passwords from users’ computers.

Here’s how it worked:
- Every time a user logged into their computer, the malicious script would run automatically.
- The script would collect any passwords saved in Google Chrome.
- These stolen passwords were then saved into files named ‘LD’ or ‘temp.log’ in a part of the network called SYSVOL, which is accessible to all users.
Key Terms:
- Domain Controller: A server that responds to security authentication requests in a Windows domain network.
- SYSVOL: A folder on Windows domain controllers that stores group policy data and scripts that need to be accessed by all users in the domain.
Execution and Exfiltration
After collecting the passwords, the attackers took two important steps:
- They sent (or “exfiltrated”) the stolen passwords to their own server, which they could access and control.
- To cover their tracks, they deleted the local copies of the stolen password files and cleared the event logs, which are records of activities on the computer.
Key Terms:
- Exfiltration: The unauthorized transfer of data from a computer or network to another location.
- Event Logs: Records of system activities in a computer, useful for tracking what has happened on the system.
Ransomware Deployment
In the final stage, the attackers used another Group Policy Object to schedule the actual ransomware attack. When executed, this ransomware encrypted important data on the network, making it inaccessible to the rightful owners. The attackers then left ransom notes, typically demanding payment in exchange for decrypting the data.

Implications and Recommendations

This attack is significant because it shows that cybercriminals are not just focusing on encrypting data for ransom, but are also stealing valuable credentials. This two-pronged approach can cause even more damage to organizations.

To protect against such attacks, experts recommend the following measures:

Implement Multi-Factor Authentication (MFA): This adds an extra layer of security beyond just a password, making it much harder for attackers to use stolen credentials.
Restrict credential storage in browsers: While convenient, storing passwords in web browsers like Chrome can be risky. Organizations should consider password management alternatives.
Employ least privilege and network segmentation: This means giving users only the access they need to do their jobs and dividing the network into smaller, protected segments. This can limit an attacker’s ability to move freely within a network if they do gain access.

By understanding how these attacks work and implementing strong security measures, organizations can better protect themselves against sophisticated cyber threats like the Qilin ransomware attack.

Kevin Willette

Kevin Willette is Partner / CEO of Verus Corp. His focus is ensuring complete customer satisfaction and providing as much or as little support as is needed for the individual client. Kevin knows that plenty of places do IT services, but what sets Verus Corp apart is the local feeling and the commitment to doing things right the first time. He has always wanted to be a business owner because it affords him the opportunity to offer a service that was better than anything clients had seen before. His true goal is to help customers make their businesses better by removing potential IT barriers. Kevin served as chair for Habitat for Humanity during his time at Minnesota State University, Mankato. He has also served on the WatchGuard Advisory Council since 2016. Kevin’s work with Verus Corp has helped them achieve awards as the WatchGuard Partner of the Year and Cisco Select Partner. Kevin graduated from Minnesota State in 2000 with a major in Business Marketing and minors in Business Administration and Music.