Severity
High
Analysis Summary
The Qilin ransomware gang has adopted a novel tactic: a bespoke stealer that harvests account credentials stored in the Google Chrome browser.
Cybersecurity researchers observed this credential-harvesting approach during incident response engagements, and it marks a concerning development in the ransomware landscape. The attack began when Qilin entered the network using compromised credentials for a VPN portal that lacked multi-factor authentication (MFA).
Eighteen days of inactivity followed the intrusion, suggesting that Qilin purchased access to the network from an initial access broker (IAB). It is also possible that Qilin spent this time on reconnaissance, asset identification, and network mapping. After the eighteen days, the attackers moved laterally to a domain controller, where they altered Group Policy Objects (GPOs) so that every computer joined to the domain would run the PowerShell script "IPScanner.ps1."
The script was written to gather Google Chrome credentials and was launched by a batch script called "logon.bat," which was also included in the GPO. The batch script was configured to execute (and start the PowerShell script) every time a user logged into their computer, and the stolen credentials were written to the "SYSVOL" share under the names "LD" or "temp.log."

Once the files had been sent to Qilin's command-and-control (C2) server, the local copies and the associated event logs were deleted to hide the activity. Finally, Qilin deployed its ransomware payload and encrypted the data on the compromised computers. A second batch file, "run.bat," distributed through another GPO, was used to download and run the ransomware on every system in the domain.
Qilin's focus on Chrome credentials sets a concerning precedent that may make thwarting ransomware attacks even more difficult. Because the GPO was applied to every computer in the domain, every device a user logged into was exposed to the credential-harvesting routine. In other words, any domain-joined computer whose users logged in while the script was active could have had its credentials stolen.
Credential theft on this scale can enable follow-up attacks, lead to wide-ranging breaches affecting multiple platforms and services, complicate response operations, and leave a persistent threat in place even after the ransomware incident itself has been resolved.
Organizations can reduce this risk by enforcing strict policies that prohibit storing secrets in web browsers. Multi-factor authentication must be used so that accounts remain protected even when credentials are compromised. Finally, network segmentation and least privilege can severely limit a threat actor's ability to spread through an infiltrated network. Any tactical shift by Qilin is a risk to organizations, since it is an unrestricted, multi-platform threat with connections to the Scattered Spider social-engineering specialists.
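As an added hunting example (not part of the original advisory and not the researchers' tooling), the following PowerShell checks a domain's SYSVOL share and a domain controller's Security log for the artifacts described above. The SYSVOL path is a placeholder, the script-content patterns are heuristic assumptions about what a Chrome-credential stealer or downloader script would reference, and the event-log check assumes Directory Service Changes auditing is enabled on the DC.

```powershell
# Hunt for the GPO-driven Chrome credential harvesting described in the advisory.
# Assumptions (labelled): $SysvolRoot is a placeholder for your domain's SYSVOL share;
# the file names come from the advisory; the content patterns are heuristic guesses
# at what a Chrome-credential stealer or downloader script would reference; the
# event-log check needs Directory Service Changes auditing enabled on the DC.
param(
    [string]$SysvolRoot   = '\\example.local\SYSVOL',   # placeholder, replace
    [int]   $LookbackDays = 30
)

$iocNames = @('LD', 'temp.log', 'logon.bat', 'IPScanner.ps1', 'run.bat')  # from the advisory
$patterns = @('Login Data', 'Local State', 'os_crypt', 'Invoke-Expression', 'DownloadString')
$findings = New-Object System.Collections.Generic.List[object]

# Enumerate SYSVOL once; GPO scripts and any dropped output files both live here.
$files = Get-ChildItem -Path $SysvolRoot -Recurse -File -ErrorAction SilentlyContinue

# 1. File names matching the advisory's indicators (stealer output and launcher scripts)
foreach ($f in $files | Where-Object { $iocNames -contains $_.Name }) {
    $findings.Add([pscustomobject]@{ Type = 'IOC filename'; Where = $f.FullName; Detail = $f.LastWriteTime })
}

# 2. Any GPO logon/startup script whose body references Chrome's credential store
#    or a download-and-execute primitive (heuristic; review each hit by hand)
foreach ($f in $files | Where-Object { $_.Extension -in '.bat', '.cmd', '.ps1' }) {
    $body = Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
    if (-not $body) { continue }
    foreach ($p in $patterns) {
        if ($body -match [regex]::Escape($p)) {
            $findings.Add([pscustomobject]@{ Type = 'Suspicious GPO script'; Where = $f.FullName; Detail = $p })
        }
    }
}

# 3. On the DC: recent directory-object modifications (5136, which covers GPO edits
#    when DS Changes auditing is on) and audit-log clearing (1102), the log wiping
#    the advisory says the attackers used to cover their tracks
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 1102; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings.Add([pscustomobject]@{ Type = "Security event $($e.Id)"; Where = $e.MachineName; Detail = $e.TimeCreated })
}

$findings | Sort-Object Type, Where | Format-Table -AutoSize
```

Run it from a domain controller with an account that can read SYSVOL and the Security log; an empty table is not proof of absence, since the advisory notes the attackers deleted local copies and event logs.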
Impact
- Credential Theft
- Unauthorized Access
- Data Encryption
- Financial Loss
Remediation
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups - In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Enforce strong password policies and consider implementing multi-factor authentication (MFA) to enhance access security.
- Deploy reputable and up-to-date endpoint protection solutions that include anti-malware, intrusion detection/prevention systems, and behavior-based detection mechanisms.
- Identify and address any vulnerabilities or weaknesses in the systems that were exploited during the breach. Apply security patches and updates to ensure the systems are up-to-date.
- Implement a robust backup strategy that includes regular and automated backups of critical data. Ensure that backups are stored securely offline or in an isolated environment to prevent ransomware from encrypting backup files.
- Implement strong encryption measures for sensitive data to protect it from unauthorized access. Employ data segmentation techniques to isolate critical systems and data from less secure areas.
- Establish ongoing monitoring processes and conduct periodic security assessments to identify and address any evolving threats or vulnerabilities. Continuously improve security measures based on lessons learned from the incident.