Chris Swagler | April 27th, 2022

Since its discovery in August 2021, the Quantum ransomware strain has been carrying out speedy attacks that quickly escalate, leaving defenders little time to react. Using the IcedID malware as one of the initial access vectors, the threat actors operating Quantum ransomware deploy Cobalt Strike to remotely access networks and use Quantum Locker to steal and encrypt data. According to security researchers’ analysis of a Quantum ransomware attack, it lasted only 3 hours and 44 minutes from initial infection to the completion of encrypting devices.

Initial access came through phishing emails carrying ISO file attachments that delivered the IcedID malware. IcedID, a modular banking trojan, is primarily used to deploy second-stage payloads such as loaders and ransomware. IcedID paired with ISO archives has been used in other recent attacks because these files pass through email security controls effectively. About two hours after the initial infection, the threat actors inject Cobalt Strike into a C:\Windows\SysWOW64\cmd.exe process to avoid detection. The operators then steal Windows domain credentials by dumping the memory of LSASS, which allows them to move laterally through the network. They make RDP connections to other servers in the environment and, once they understand the layout of the domain, deploy the ransomware, named ttsel.exe, by copying it to each host through the C$ share folder.

The threat actors eventually use WMI and PsExec to execute the Quantum ransomware payload and encrypt devices. The attacks, which take less than 4 hours, usually occur late at night or over the weekend, which minimizes the window for network and security admins to detect and respond. This is one of many reasons why partnering with a 24/7 Security Operations Center, like the one operated by SpearTip, is necessary. Even on nights and weekends, we have a team of certified engineers who continuously engage in threat hunting to identify and remediate threats before they are able to gain a foothold within an environment. The researchers' report provides more details about the TTPs used by Quantum Locker, including an extensive list of indicators of compromise and the C2 addresses that IcedID and Cobalt Strike connected to.
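The chain above (a beacon living in cmd.exe, LSASS access, ttsel.exe copied over C$ and then launched by PsExec or WMI) maps onto a handful of host telemetry checks. The following is an added example written for this page, not code from the researchers' report or from SpearTip: it runs four simple rules over constructed, simplified Sysmon/Security-log records (field names and values are assumptions, not a real log schema or real IoCs) and correlates the copy-then-execute step per host.

```python
from datetime import datetime, timedelta

# Constructed telemetry (not real IoCs; field names are assumptions, not a real
# log schema): beacon in cmd.exe, LSASS access, ttsel.exe copied over C$ and
# launched by PsExec on SRV01, launched by WMI on SRV02 with no observed copy.
EVENTS = [
    {"ts": "2022-04-01T23:02:00", "host": "WS01", "id": 3, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"ts": "2022-04-01T23:40:00", "host": "WS01", "id": 10, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2022-04-02T00:15:00", "host": "SRV01", "id": 5145, "share": r"\\*\C$", "target": "ttsel.exe"},
    {"ts": "2022-04-02T00:16:00", "host": "SRV01", "id": 1, "image": r"C:\ttsel.exe",
     "parent": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2022-04-02T00:16:05", "host": "SRV02", "id": 1, "image": r"C:\ttsel.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

def lsass_access(e):         # Sysmon 10: a process opened a handle to LSASS
    return e["id"] == 10 and e.get("target", "").lower().endswith("lsass.exe")

def cmd_network(e):          # Sysmon 3: cmd.exe itself has no business beaconing out
    return e["id"] == 3 and e.get("image", "").lower().endswith("\\cmd.exe")

def exe_via_admin_share(e):  # Security 5145: an .exe written through an admin share
    return (e["id"] == 5145 and e.get("share", "").endswith("$")
            and e.get("target", "").lower().endswith(".exe"))

def remote_exec_launch(e):   # Sysmon 1: child of the PsExec service or the WMI provider
    return e["id"] == 1 and e.get("parent", "").lower().endswith(("psexesvc.exe", "wmiprvse.exe"))

RULES = [("lsass_access", lsass_access), ("cmd_network", cmd_network),
         ("exe_via_admin_share", exe_via_admin_share), ("remote_exec_launch", remote_exec_launch)]

def detect(events):
    """(rule, host, timestamp) for every event some rule fires on; each is a SOC alert."""
    return [(n, e["host"], e["ts"]) for e in events for n, r in RULES if r(e)]

def staged_then_launched(events, window=timedelta(hours=4)):
    """Hosts where an .exe dropped over an admin share was then run by PsExec/WMI
    within the window: the copy-then-execute step the write-up describes."""
    drops, hits = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if exe_via_admin_share(e):
            drops[(e["host"], e["target"].lower())] = t
        elif remote_exec_launch(e):
            key = (e["host"], e["image"].lower().rsplit("\\", 1)[-1])
            if key in drops and t - drops[key] <= window:
                hits.append(e["host"])
    return hits
```

On the constructed records every event raises an alert, and only SRV01 shows the full copy-then-execute pattern; SRV02 launched the binary without an observed admin-share write, which is why the individual rules still matter on their own.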

Launched in September 2020, the Quantum Locker operation is a rebrand of the MountLocker ransomware operation, which has gone by various names. In August 2021, the operation rebranded itself as Quantum when the encryptor began appending the ‘.quantum’ extension to encrypted file names and dropping ransom notes named “README_TO_DECRYPT.html.” The notes contain a link to a TOR ransom negotiation site and a unique ID associated with the victim. The notes also state that data was stolen during the attack and that the operators will publish it if the victim does not pay the ransom.

Even though the researchers saw no data exfiltration activity in the attack they analyzed, it is confirmed that the operators do steal data during attacks and use double-extortion schemes to leak it. Depending on the victim, the group's ransom demands range from $150,000 to several million dollars in exchange for a decryptor. Quantum Locker is not as active as its previous incarnations, carrying out only a handful of attacks each month.

Even though Quantum Locker may not be as active as other ransomware operations, it still presents a significant risk. Companies should remain vigilant about the current threat landscape, and network defenders should be aware of the TTPs used in these attacks. At SpearTip, you can trust our certified engineers' ability to quickly respond to rapid ransomware attacks on networks, with one of the fastest response times in the industry. Within minutes of engagement, SpearTip responds to data breaches, reclaims networks in a matter of hours, and restores companies' operations. Our engineers work 24/7/365 in a continuous investigative cycle at our Security Operations Centers, monitoring companies' networks for ransomware threats like Quantum. The ShadowSpear Platform is a cutting-edge technology that provides comprehensive insights using unparalleled data normalization and visualization to detect sophisticated unknown and advanced ransomware threats.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.