This New Ransomware Steals Data Saved in Google Chrome

Qilin, a new and dangerous ransomware, targets personal data stored in Google Chrome, including login credentials. Even more alarming, it can infect all devices on the same network.

Despite constant improvements and upgrades, Google Chrome is not immune to the vulnerabilities inherent in all software, including well-known security flaws—those "small defects" that slip past developers' vigilance. As the most widely used web browser in the world, it is a prime target for cybercriminals, who are increasingly ingenious in their efforts to infect users' devices and steal personal data. The latest threat is the Qilin ransomware, which introduces a concerning new tactic: the deployment of a customized stealer. According to the Sophos X-Ops teams, this development allows the malware not only to steal data from victims but also to harvest the credentials stored in Google Chrome on their devices—something that has not been observed before.

Qilin: A New Way to Harvest Chrome Credentials

To recap, ransomware is malicious software developed by hackers to extort money from victims. Once installed on a computer, the malware holds the data hostage by encrypting all or part of the device's content, including critical elements of the operating system and, most importantly, personal data and files (documents, photos, videos, messages, etc.). These files are locked and inaccessible to their owner. To regain access, the victim is typically required to pay a ransom, usually in cryptocurrency so as to leave no trace of the transaction. After payment, the hacker is supposed to provide the decryption key to restore the data, though there is no guarantee they will keep their word.

The hackers first gained access to an organization's IT infrastructure via compromised credentials harvested from a VPN portal that lacked two-factor authentication. Eighteen days later, they began accessing data stored in the browser, including login credentials and other sensitive information. Qilin's technique is particularly alarming because it affects every machine on the network, meaning every device a user logs into is subjected to the credential-harvesting process. As a result, the threat persists even after the initial ransomware incident has been resolved. The stolen information can then be used to gain access to other systems or be resold on the dark web.

To protect against this new threat, security experts recommend adopting two-factor authentication (2FA), which likely would have prevented Qilin from accessing the system in the case studied here. A password manager can also be useful, provided it is not hacked or affected by a bug. Recently, millions of Chrome users lost access to the passwords they had saved in Google's browser due to a major bug in the password manager.