Researchers have observed Quantum ransomware carrying out fast-paced attacks. The attackers are using the IcedID malware as one of their initial access vectors.
What happens in attacks
The DFIR Report laid bare the details of the Quantum ransomware attacks.
- The attacks reportedly lasted only 3 hours and 44 minutes from initial infection to encryption of the devices.
- The attack used IcedID malware that was believed to be sent via phishing email laden with an ISO file attachment. After two hours, Cobalt Strike was injected into a cmd[.]exe process to avoid detection.
- Later, the malware steals Windows domain credentials by dumping LSASS memory to move laterally inside the network.
- Soon, the payload proceeds to make connections to other servers in the environment via RDP.
Quantum deployment
- Once attackers have a handle on the layout of the domain, they deploy Quantum ransomware by copying the ransomware (ttsel[.]exe) to each host using the C$ share folder.
- They use WMI and PsExec to deploy the payload and encrypt devices.
About Quantum ransomware
- Quantum Locker is a rebrand of the MountLocker ransomware operation, which was spotted in September 2020.
- The rebrand to Quantum happened in August 2021, when the ransomware started appending the .quantum file extension.
- The ransom demands are based on the victim, with some attacks demanding $150,000 and others multimillion dollars.
Conclusion
The Quantum ransomware is not as active at present as other ransomware. Notably, these attacks were being pulled off late at night or over the weekend. However, rapid attacks are concerning as they offer less time for analysts to defend their systems.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/dd02_shutterstock_1465728548.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_362747861.jpg)
