Quantum ransomware, first spotted in August 2021, has been observed carrying out fast-moving attacks that spread quickly across a network, leaving defenders little time to respond. One of the initial access vectors used by the threat actors is the IcedID malware, which hands off to Cobalt Strike for remote access and leads to data theft and encryption with Quantum Locker.
Security researchers at The DFIR Report analyzed a Quantum ransomware intrusion and found that the attack took only 3 hours and 44 minutes from initial infection to the completion of device encryption.
In the intrusion analyzed by The DFIR Report, IcedID was the initial entry point onto the victim’s PC; the researchers suspect it arrived via a phishing email carrying an ISO file attachment. IcedID is a banking trojan that has been active for the past five years and is now used primarily to deploy second-stage payloads, loaders, and ransomware. IcedID delivered through ISO archives has recently appeared in other attacks as well, because these files are effective at evading email security controls.
About two hours after the initial infection, the attackers injected Cobalt Strike into a C:\Windows\SysWOW64\cmd.exe process to evade detection. They then stole Windows domain credentials by dumping the memory of LSASS and moved laterally across the network.
“For the next hour, the threat actor proceeded to make RDP connections to other servers in the environment,” said DFIR in the report. “Once the threat actor had a handle on the layout of the domain, they prepared to deploy the ransomware by copying the ransomware (named ttsel.exe) to each host through the C$ share folder.”
The threat actors ultimately used WMI and PsExec to push the Quantum ransomware payload to hosts and encrypt them. The entire attack took under four hours, and because such attacks are typically launched late at night or on weekends, network and security administrators have only a narrow window in which to identify and respond to them.
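The deployment chain described above (RDP fan-out, the ttsel.exe binary copied to each host over the C$ share, and PsExec service installs) leaves traces in standard Windows event logs. The script below is an added example, not code from The DFIR Report; it hunts for those three traces in constructed sample events, and the field names follow the Windows 4624, 5145 and 7045 event schemas.

```python
"""Hunt for the Quantum Locker deployment chain in Windows event logs:
RDP fan-out (4624 / LogonType 10), the ransomware binary written to C$
(5145 with RelativeTargetName ttsel.exe) and PsExec service installs (7045).
All event records below are constructed samples, not real telemetry."""
from collections import defaultdict

# Constructed sample events, reduced to the fields the hunt needs.
SAMPLE_EVENTS = [
    {"id": 4624, "LogonType": "10", "IpAddress": "10.0.0.5", "Computer": "SRV1"},
    {"id": 4624, "LogonType": "10", "IpAddress": "10.0.0.5", "Computer": "SRV2"},
    {"id": 4624, "LogonType": "10", "IpAddress": "10.0.0.5", "Computer": "DC1"},
    {"id": 4624, "LogonType": "3", "IpAddress": "10.0.0.9", "Computer": "SRV1"},
    {"id": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "ttsel.exe",
     "IpAddress": "10.0.0.5", "Computer": "SRV1"},
    {"id": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
     "IpAddress": "10.0.0.9", "Computer": "SRV1"},
    {"id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Computer": "SRV2"},
]


def hunt_quantum_chain(events, rdp_fanout_threshold=3):
    """Return (tactic, detail) findings for the three TTPs in the report."""
    findings = []
    rdp_targets = defaultdict(set)  # source IP -> hosts reached over RDP
    for ev in events:
        eid = ev["id"]
        if eid == 4624 and ev.get("LogonType") == "10":
            rdp_targets[ev["IpAddress"]].add(ev["Computer"])
        elif eid == 5145:
            share = ev.get("ShareName", "").upper()
            target = ev.get("RelativeTargetName", "").lower()
            # Admin-share write of the ransomware binary named in the report.
            if share.endswith("\\C$") and target.endswith("ttsel.exe"):
                findings.append(("ransomware_staging",
                                 f"{ev['IpAddress']} wrote {target} to C$ on {ev['Computer']}"))
        elif eid == 7045 and ev.get("ServiceName", "").upper().startswith("PSEXESVC"):
            findings.append(("psexec_service", f"PSEXESVC installed on {ev['Computer']}"))
    # One source opening RDP sessions to many hosts is the "handle on the layout" phase.
    for src, hosts in rdp_targets.items():
        if len(hosts) >= rdp_fanout_threshold:
            findings.append(("rdp_fanout", f"{src} -> {sorted(hosts)}"))
    return findings


if __name__ == "__main__":
    for tactic, detail in hunt_quantum_chain(SAMPLE_EVENTS):
        print(tactic, detail)
```

The 5145 events require the "Detailed File Share" audit subcategory to be enabled, which is off by default on most servers.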
For those who want to learn more about Quantum Locker’s TTPs, The DFIR Report provides a detailed list of indicators of compromise, including the C2 addresses that IcedID and Cobalt Strike contacted for communication.