Ransomware Turns to Triple Threat

By John Lister

A notorious ransomware group has engaged in a "triple threat" attack. As well as locking files and threatening to expose data, the Qilin group has been spotted trying to steal saved passwords from Chrome.

The Qilin group appears to have been operating for at least two years but came to wider attention in 2022 when it attacked British hospitals. The group's origins and membership aren't known for certain, but it has communicated in Russian.

As is becoming more common, Qilin doesn't simply restrict itself to encrypting files and systems and then demanding a ransom payment to restore access. It also searches through the files for any sensitive data and threatens to publicly expose it if the victim doesn't pay up. That's a despicable but understandable tactic when dealing with particularly sensitive information such as medical details.

Chaos Multiplier

Now researchers at security company Sophos say they've spotted a third element to the attacks, which they've described as "a bonus multiplier for the chaos already inherent in ransomware situations." (Source: sophos.com)

In simple terms, the group is searching through all machines and accounts that are part of the victim's networks. It looks specifically for the Chrome browser's list of stored passwords. The snooping was automated and set to run every time a user logged in to a machine. (Source: computerweekly.com)

Corporate Networks Compromised

Had such an attack been carried out among home users, it would have been severely limited by the fact that Chrome, as a minimum security setting, requires users to type in their Windows password or PIN before it reveals stored passwords.

The attack appears to have been far more effective on a corporate network as the attackers were able to edit network group settings to reduce such limitations. Sophos highlighted the potential impact by citing a recent survey that said the average person has 87 work-related passwords and 168 personal passwords. Of course, far from every person stores all their passwords in Google Chrome, and some may also use third-party password managers such as Roboform rather than the browser itself.

What's Your Opinion?

Do you store passwords in Chrome? Do you use a dedicated password manager tool? Are you surprised ransomware attackers took so long to adopt this tactic?


Comments

DaLincerGuy:

Not intentionally.

I use RoboForm as my password manager, and provide messy passwords wherever possible.

Not surprised.

David