The New Era of Quantum Ransomware
Ransomware now needs less than four hours from initial access to execution. So, keep watching!

One of the fastest ransomware cases on record: in under four hours the threat actors went from initial access to domain-wide ransomware. It all started with an email containing an attachment or link to an ISO image carrying the IcedID payload, a tactic that has lately been very successful at fooling security controls. The email used in this attack has not been recovered, but the name of the weaponized ISO file (docs_invoice_173.iso) gives a general idea of its theme.

After the unfortunate user opened the file and the IcedID DLL executed, a battery of discovery tasks ran using built-in Windows utilities such as ipconfig, systeminfo, nltest, net, and chcp. IcedID also created a scheduled task as a means of persistence on the beachhead host.

The clock was ticking: around two hours later, Cobalt Strike was deployed using process hollowing and injection techniques. This marked the start of hands-on-keyboard activity by the threat actors. It included running AdFind through a batch script called adfind.bat to enumerate the target organization's Active Directory structure. The threat actors then gathered host-based network information by running a batch script named ns.bat, which ran nslookup against each host in the environment.

After a Cobalt Strike beacon was deployed, the threat actor “tuned in” to continue the attack and to:

· Discover the target organization's Active Directory structure (via the Active Directory enumeration tool AdFind)
· Gather host-based network information (via nslookup)
· Extract admin credentials from LSASS memory
· Use the credentials to RDP into a server
· Execute a PowerShell Cobalt Strike Beacon on that server
· Make RDP connections to other servers in the environment
· Deploy the ransomware by copying it to each host through the C$ share folder
· Remotely detonate the Quantum Locker ransomware binary via WMI or PsExec from the Domain Controller
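The discovery burst on the beachhead host and the adfind.bat / ns.bat enumeration described above are the earliest points in this chain where a defender has hours, not minutes, to react. The following is an added detection example, not code from the original write-up or from The DFIR Report; it runs over constructed process-creation events (hypothetical hosts, users, and command lines) and flags a host where several of the named built-in discovery utilities run within a short window, plus any command line naming the two batch scripts. The window and threshold are tuning assumptions, not values from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in utilities the write-up names in the post-IcedID discovery burst,
# and the batch-script names used for AD and host enumeration.
DISCOVERY_TOOLS = {"ipconfig.exe", "systeminfo.exe", "nltest.exe", "net.exe", "chcp.com"}
ENUM_SCRIPTS = {"adfind.bat", "ns.bat"}
WINDOW = timedelta(minutes=5)   # assumed tuning values, not from the report
MIN_DISTINCT = 4

# Constructed sample events (hypothetical hosts/users/command lines):
# timestamp|host|user|parent image|image|command line
SAMPLE_LOG = """\
2022-04-25T09:12:03|WS01|jdoe|rundll32.exe|ipconfig.exe|ipconfig /all
2022-04-25T09:12:05|WS01|jdoe|rundll32.exe|systeminfo.exe|systeminfo
2022-04-25T09:12:07|WS01|jdoe|rundll32.exe|nltest.exe|nltest /domain_trusts
2022-04-25T09:12:09|WS01|jdoe|rundll32.exe|net.exe|net config workstation
2022-04-25T09:12:10|WS01|jdoe|rundll32.exe|chcp.com|chcp
2022-04-25T11:20:41|WS01|jdoe|cmd.exe|cmd.exe|cmd /c adfind.bat
2022-04-25T13:05:12|WS02|helpdesk|explorer.exe|ipconfig.exe|ipconfig
2022-04-25T16:40:00|WS02|helpdesk|explorer.exe|net.exe|net use
"""

def parse(line):
    """Split one event line into (timestamp, host, user, parent, image, cmd)."""
    ts, host, user, parent, image, cmd = line.split("|", 5)
    return datetime.fromisoformat(ts), host, user, parent.lower(), image.lower(), cmd

def find_discovery_bursts(lines):
    """Hosts where >= MIN_DISTINCT distinct discovery tools ran within WINDOW.
    Returns {host: sorted tools seen in the first qualifying window}."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, _, _, image, _ = parse(line)
        if image in DISCOVERY_TOOLS:
            by_host[host].append((ts, image))
    alerts = {}
    for host, events in by_host.items():
        events.sort()                      # chronological, then slide a window
        for i, (t0, _) in enumerate(events):
            seen = {img for t, img in events[i:] if t - t0 <= WINDOW}
            if len(seen) >= MIN_DISTINCT:
                alerts[host] = sorted(seen)
                break
    return alerts

def find_enum_scripts(lines):
    """(host, command line) for any process whose command line names an enumeration script."""
    rows = [parse(l) for l in lines]
    return [(r[1], r[5]) for r in rows if any(s in r[5].lower() for s in ENUM_SCRIPTS)]
```

On the sample, WS01 trips both detections while WS02, whose two admin commands are hours apart, does not.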

The ransom note left by the malware directs victims to a portal where they can contact and negotiate with the gang.

All in all, the tactics, techniques, and procedures (TTPs) used by the threat actor are not innovative, but the speed with which they went from initial compromise to ransomware deployment is unsettling and extremely unfavorable for defenders. And, unfortunately, this group is not the only one to occasionally exhibit such devastating speed.

While The DFIR Report states that it saw no data exfiltration activity in the attack it analyzed, Bleeping Computer has confirmed in the past that the gang does steal data during attacks and leak it in double-extortion schemes. The ransom demands for this gang vary depending on the victim, with some attacks demanding $150,000 to receive a decryptor.

Source: DFIR Report

Who is Quantum Locker?

The Quantum Locker ransomware is a rebrand of the MountLocker ransomware operation, which launched in September 2020.

Since then, the ransomware gang has rebranded its operation under various names, including AstroLocker, XingLocker, and now, in its current phase, Quantum Locker.

The rebrand to Quantum occurred in August 2021, when the ransomware encryptor began appending the .quantum file extension to encrypted file names and dropping ransom notes named README_TO_DECRYPT.html.

Hackers are like chameleons, changing places and colors, so organizations must get ready for unknown battles.
