Dirty App: Agenda (Qilin) Ransomware Now Known for Stealing Credentials from Google Chrome Web Browsers
The Qilin ransomware group, also associated with the Agenda Ransomware threat, has recently adopted a new and alarming tactic that involves using a custom stealer to harvest account credentials stored in Google Chrome browsers. This development, uncovered by the Sophos X-Ops team during incident response investigations, represents a significant shift in the ransomware landscape, making these attacks increasingly difficult to defend against.
Attack Overview and The Evolution of Qilin Ransomware
In a recent incident analyzed by Sophos researchers, Qilin gained access to a network through compromised credentials for a VPN portal that lacked multi-factor authentication (MFA). Following the breach, there was an 18-day period of dormancy, suggesting that Qilin may have purchased network access from an initial access broker (IAB). During this time, the attackers likely mapped the network, identified critical assets, and conducted detailed reconnaissance.
After this reconnaissance phase, the attackers moved laterally within the network, reaching a domain controller where they modified Group Policy Objects (GPOs) to execute a PowerShell script known as ‘IPScanner.ps1’ on all machines logged into the domain network. This script, executed by a batch file (‘logon.bat’), was designed to collect credentials stored in Google Chrome.
Credential Harvesting and Its Consequences
The batch script was configured to run every time a user logged into their machine, triggering the PowerShell script and saving stolen credentials on the ‘SYSVOL’ share under filenames like ‘LD’ or ‘temp.log.’ These files were then transmitted to Qilin’s command and control (C2) server, after which the local copies and related event logs were deleted to cover the attackers’ tracks. Once the credentials were harvested, Qilin deployed its ransomware payload, encrypting data across the compromised machines. Another GPO and batch file (‘run.bat’) were used to download and execute the ransomware on all machines within the domain.
This method of targeting Chrome credentials is particularly concerning because the GPO applied to all machines in the domain, meaning every device a user logged into was vulnerable to credential theft. This extensive credential harvesting could lead to further attacks, widespread breaches across multiple platforms and services, and significantly complicate response efforts. Moreover, it introduces a lingering threat that could persist even after the initial ransomware incident is resolved.
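The chain described above (a GPO edit on the domain controller, a logon script that reads Chrome's credential store and drops the result on SYSVOL, then log clearing) leaves three separable traces in Windows telemetry. The following is an added example, not code from the article or from Sophos, showing how a defender can correlate them. The event IDs (5136, 4104, 1102) are real Windows IDs; the record layout, hostnames, account name and paths are constructed for illustration and assume a SIEM has already normalised the events into dictionaries.

```python
"""Correlate the GPO-based Chrome credential-harvest chain (added example).

Assumptions: events arrive as dicts with at least "ts", "host" and "id";
5136 records carry the object "class" and changed "attr", 4104 records carry
the script block text under "script". Hostnames and paths are constructed.
"""
import re
from collections import defaultdict

EID_DS_OBJECT_MODIFIED = 5136      # Security: directory object modified (needs DS object auditing on the DC)
EID_POWERSHELL_SCRIPTBLOCK = 4104  # Microsoft-Windows-PowerShell/Operational: script block logging
EID_AUDIT_LOG_CLEARED = 1102       # Security: the audit log was cleared

# Chrome's saved-password store lives under "...\User Data\<profile>\Login Data".
CHROME_STORE = re.compile(r"User Data\\[^\\\"']*\\Login Data", re.IGNORECASE)
# A UNC path into the domain SYSVOL share, where the article says the output was written.
SYSVOL_PATH = re.compile(r"\\\\[^\\]+\\SYSVOL\\", re.IGNORECASE)

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T01:12:03Z", "host": "DC01", "id": 5136,
     "class": "groupPolicyContainer", "attr": "gPCUserExtensionNames", "actor": "CORP\\svc-backup"},
    {"ts": "2024-06-01T07:55:10Z", "host": "WS-042", "id": 4104,
     "script": r'Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" "\\corp.example\SYSVOL\corp.example\scripts\temp.log"'},
    {"ts": "2024-06-01T08:01:44Z", "host": "WS-017", "id": 4104,
     "script": r'Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" "\\corp.example\SYSVOL\corp.example\scripts\LD"'},
    {"ts": "2024-06-01T08:20:00Z", "host": "WS-042", "id": 4104,
     "script": r"Get-ChildItem C:\Reports | Measure-Object"},  # benign script block, must not fire
    {"ts": "2024-06-01T09:30:12Z", "host": "WS-042", "id": 1102, "actor": "CORP\\svc-backup"},
]


def classify(event):
    """Map one event to a stage of the chain, or None if it is not of interest."""
    eid = event["id"]
    if eid == EID_DS_OBJECT_MODIFIED and event.get("class") == "groupPolicyContainer":
        return "gpo_modified"            # a Group Policy object was edited
    if eid == EID_POWERSHELL_SCRIPTBLOCK:
        text = event.get("script", "")
        # Both conditions together: reading the Chrome store AND touching SYSVOL.
        if CHROME_STORE.search(text) and SYSVOL_PATH.search(text):
            return "chrome_to_sysvol"
    if eid == EID_AUDIT_LOG_CLEARED:
        return "log_cleared"             # anti-forensics step described in the article
    return None


def correlate(events):
    """Group flagged events by stage and decide whether the full chain is present."""
    hosts_by_stage = defaultdict(set)
    first_seen = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        hosts_by_stage[stage].add(ev["host"])
        first_seen.setdefault(stage, ev["ts"])
    # A GPO edit followed by Chrome-store reads on workstations is the core signal;
    # log clearing on the same hosts raises confidence further.
    core = "gpo_modified" in hosts_by_stage and "chrome_to_sysvol" in hosts_by_stage
    covered = core and bool(hosts_by_stage["log_cleared"] & hosts_by_stage["chrome_to_sysvol"])
    return {
        "stages": {k: sorted(v) for k, v in hosts_by_stage.items()},
        "first_seen": first_seen,
        "gpo_credential_harvest": core,
        "with_log_clearing": covered,
    }


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Script block logging (4104) and directory-service object auditing (5136) are both off by default on many estates; without them the first two stages are invisible and only the 1102 log-clear remains, which is why the article's note about deleted event logs matters for detection planning.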
Understanding Agenda (Qilin) Ransomware – File Encryption and Ransom Demands
Agenda ransomware not only steals credentials but also encrypts files, appending a string of random characters as a file extension. It also drops a ransom note file, typically named “[random_string]-RECOVER-README.txt,” with the same random string included in the filenames of the encrypted files. For example, the ransomware might rename “1.jpg” to “1.jpg.OnHnnBvUej” or “3.exe” to “3.exe.OnHnnBvUej.”
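Because the same random string appears both in the ransom note's filename and as the appended extension of every encrypted file, a responder can use the note to scope which files were touched. The function below is an added example written for this article, not the ransomware's or any vendor's code; the directory listing is constructed and the `-RECOVER-README.txt` naming follows the pattern stated above.

```python
"""Scope encrypted files from the random tag in the ransom-note filename (added example)."""
import re
from collections import Counter

# The note is named "<random_string>-RECOVER-README.txt"; capture the string.
NOTE_PATTERN = re.compile(r"^(?P<tag>[A-Za-z0-9]+)-RECOVER-README\.txt$")

# Constructed listing of a share after an incident (not real data).
SAMPLE_LISTING = [
    r"D:\Finance\OnHnnBvUej-RECOVER-README.txt",
    r"D:\Finance\budget-2024.xlsx.OnHnnBvUej",
    r"D:\Finance\1.jpg.OnHnnBvUej",
    r"D:\Finance\old\3.exe.OnHnnBvUej",
    r"D:\Finance\notes.txt",    # untouched file
    r"D:\Finance\readme.txt",   # ordinary file, not a ransom note
]


def _basename(path):
    """Last path component, tolerating both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def find_note_tags(paths):
    """Return the set of random-string tags found in ransom-note filenames."""
    tags = set()
    for p in paths:
        m = NOTE_PATTERN.match(_basename(p))
        if m:
            tags.add(m.group("tag"))
    return tags


def scope_encryption(paths):
    """Split a listing into encrypted and untouched files using the note's tag.

    A file counts as encrypted when its final extension equals a tag seen in a
    note; the extension before the tag is recorded as the original type so the
    responder can see what kinds of data were hit.
    """
    tags = find_note_tags(paths)
    encrypted, untouched = [], []
    by_original_ext = Counter()
    for p in paths:
        name = _basename(p)
        if NOTE_PATTERN.match(name):
            continue  # the note itself is not an encrypted file
        stem, sep, ext = name.rpartition(".")
        if sep and stem and ext in tags:
            encrypted.append(p)
            original_ext = stem.rpartition(".")[2].lower() if "." in stem else ""
            by_original_ext[original_ext] += 1
        else:
            untouched.append(p)
    return {
        "tags": sorted(tags),
        "encrypted": encrypted,
        "untouched": untouched,
        "by_original_ext": dict(by_original_ext),
    }


if __name__ == "__main__":
    report = scope_encryption(SAMPLE_LISTING)
    print(f"tags: {report['tags']}")
    print(f"{len(report['encrypted'])} encrypted, {len(report['untouched'])} untouched")
    print(f"by original type: {report['by_original_ext']}")
```

Feeding this a full file-system walk (for example the output of `dir /s /b` saved to a text file) gives a quick count of affected files per original type, which is the number a recovery plan and a backup-restore decision actually need.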
The ransom note warns victims that their data has been encrypted and downloaded to a remote server. It threatens to publish this data if the ransom is not paid, and it instructs victims not to modify files or use third-party decryption tools, as this could render the files irrecoverable. Victims are directed to use provided credentials to access a Tor website where they can communicate with the attackers.
Example of the Agenda (Qilin) Ransomware note:
— Agenda
Your network/system was encrypted.
Encrypted files have new extension.
— Compromising and sensitive data
We have downloaded compromising and sensitive data from you system/network
If you refuse to communicate with us and we do not come to an agreement, your data will be published.
Data includes:
– Employees personal data, CVs, DL, SSN.
– Complete network map including credentials for local and remote services.
– Financial information including clients data, bills, budgets, annual reports, bank statements.
– Complete datagrams/schemas/drawings for manufacturing in solidworks format
– And more…
— Warning
1) If you modify files – our decrypt software won’t able to recover data
2) If you use third party software – you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore you files.
4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions.
— Recovery
1) Download tor browser: hxxps://www.torproject.org/download/
2) Go to domain
3) Enter credentials
— Credentials
Extension: –
Domain:
login: –
password: -(EXTRA string=same as login)
Case Studies: Successfully Combatting Agenda Ransomware
Despite the severity of Agenda ransomware, there have been proven case studies where computer users successfully stopped and removed the threat using anti-malware programs like SpyHunter. These programs can identify and eliminate the ransomware, preventing further encryption of files and removing the malicious software from the system.
It’s important to note that decrypting files encrypted by ransomware is rarely possible without the attackers’ involvement. Even paying the ransom does not guarantee that the attackers will provide a decryption tool. The best way to avoid paying a ransom is to have a reliable data backup or find a third-party decryption tool online.
Prevention: Protecting Yourself from Ransomware Attacks
To protect against ransomware infections, it’s crucial to follow best practices in cybersecurity. This includes downloading files and software from official websites only, avoiding untrustworthy sources, and being cautious of suspicious emails from unknown senders, as they often contain malicious attachments or links.
Using reputable antivirus and anti-malware programs like SpyHunter is essential for computer protection. Regular system scans can help detect and eliminate threats before they cause significant damage. If your computer is already infected with Agenda ransomware, running a scan with SpyHunter or a similar program is recommended to automatically remove the malware and protect your data from further harm.
Conclusion: The Persistent Threat of Qilin and Agenda Ransomware
As ransomware groups like Qilin continue to evolve and adopt new tactics, the threat they pose to organizations and individuals becomes ever more serious. The shift towards credential theft, coupled with file encryption and ransom demands, represents a dangerous escalation that requires robust security measures and vigilance. By understanding the nature of these threats and taking proactive steps to protect your systems, you can reduce the risk of falling victim to ransomware and ensure a swift recovery in case of an attack.