May 17, 2022

Quantum Ransomware Analyzed by Cybereason

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason has analyzed Quantum ransomware, the latest in a line of rebrands that began with Mount Locker (September 2020) and continued as Astro Locker (March 2021) and Xing Locker (May 2021); the Quantum name appears to have been adopted in July 2021. The group’s TOR data leak site is named “Quantum Blog,” and as of April 2022 it lists 20 victims, 7 of them newly posted. The group follows a double extortion model and moves quickly and impatiently: Time-to-Ransom (TTR) was measured at under 4 hours, and victims are given only 72 hours to respond before their stolen data is leaked.

The initial infection vector was IcedID. The IcedID DLL is delivered by email inside an ISO file, alongside an LNK file masquerading as a document to lure the victim; opening the LNK runs the DLL via rundll32. System reconnaissance begins within two hours of the LNK execution, and Cobalt Strike is used to further the intrusion. The attackers then enumerate the victim’s Active Directory with AdFind, dump credentials from LSASS memory, and use the stolen credentials to move laterally over RDP across the environment. Ransomware deployment is prepared by staging the ransomware binary in the c$\windows\temp\ administrative share of each target and spreading it with PsExec or WMI.

Anvilogic Scenario:

  • Quantum Ransomware Attack within Four Hours

Anvilogic Use Cases:

  • Rundll32 Command Line
  • Common Reconnaissance Commands
  • Executable Create Script Process
  • Adfind Execution
  • Adfind Commands
  • Utility Archive Data
  • Common LSASS Memory Dump Behavior
  • Command Line lsass request
  • RDP Connection
  • RDP Logon/Logoff Event
  • WinRM Tools
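
To make the attack chain and the use cases above concrete, the following is an added detection example, not code from Cybereason or Anvilogic: one rule per stage of the chain (rundll32 loading a DLL from an unusual path, AdFind, LSASS dumping, outbound RDP, staging to the c$\windows\temp\ share, PsExec/WMI remote execution) evaluated over constructed Sysmon-style process-creation records, followed by a four-hour correlation that mirrors the scenario's time bound. The hostnames (WS01, SRV01, SRV02), file names (document.dll, q.exe), the D: drive standing in for the mounted ISO, and the stage names are all placeholders, not indicators from the report.

```python
"""Stage-tagging rules for the Quantum intrusion chain plus a four-hour
correlation over them. Added example; the events below are constructed,
Sysmon-style process-creation records, not telemetry from the report."""
import re
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1-like records. Hostnames, file names and the
# D: drive (standing in for the mounted ISO) are placeholders, not indicators.
EVENTS = [
    {"time": "2022-04-01T08:30:00", "host": "WS01",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign
    {"time": "2022-04-01T09:00:00", "host": "WS01",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe D:\document.dll,#1"},  # LNK inside the ISO runs the DLL
    {"time": "2022-04-01T09:45:00", "host": "WS01",
     "Image": r"C:\Users\Public\adfind.exe",
     "CommandLine": r'adfind.exe -f "(objectcategory=computer)" -csv'},
    {"time": "2022-04-01T10:10:00", "host": "WS01",
     "Image": r"C:\Users\Public\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\lsass.dmp"},
    {"time": "2022-04-01T10:40:00", "host": "WS01",
     "Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": r"mstsc.exe /v:SRV01"},
    {"time": "2022-04-01T11:20:00", "host": "SRV01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Users\Public\q.exe \\SRV02\c$\windows\temp\q.exe"},
    {"time": "2022-04-01T11:25:00", "host": "SRV01",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:SRV02 process call create "C:\Windows\Temp\q.exe"'},
]

TRUSTED_DIRS = re.compile(r"(?i)^[a-z]:\\(windows|program files)")
ADFIND_ARGS = re.compile(r"(?i)(objectcategory=|trustdmp|-subnets|-gcb)")
LSASS_DUMP = re.compile(r"(?i)(procdump\S*\s.*-ma\s+lsass|comsvcs\.dll.*minidump|lsass\.dmp)")
ADMIN_SHARE_TEMP = re.compile(r"(?i)\\\\[^\\\s]+\\c\$\\windows\\temp\\")
REMOTE_EXEC = re.compile(
    r"(?i)(psexec(64)?(\.exe)?\s+\\\\|wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create)")


def is_rundll32_unusual_dll(e):
    """rundll32 handed a DLL outside the Windows or Program Files directories;
    the ISO-borne DLL shows up as a path on the mounted drive."""
    if not e["Image"].lower().endswith("\\rundll32.exe"):
        return False
    parts = e["CommandLine"].split(None, 1)
    if len(parts) < 2:
        return False
    dll = parts[1].split(",", 1)[0].strip('"')  # "path.dll,Export args" -> path.dll
    return not TRUSTED_DIRS.match(dll)


def is_adfind(e):
    """AdFind by image name or by its characteristic query switches."""
    return e["Image"].lower().endswith("\\adfind.exe") or bool(ADFIND_ARGS.search(e["CommandLine"]))


def is_lsass_dump(e):
    """Command lines that dump LSASS memory (procdump -ma, comsvcs MiniDump, lsass.dmp)."""
    return bool(LSASS_DUMP.search(e["CommandLine"]))


def is_rdp_client(e):
    """Outbound RDP from a compromised host (mstsc.exe launch)."""
    return e["Image"].lower().endswith("\\mstsc.exe")


def is_admin_share_staging(e):
    r"""Anything written to \\host\c$\windows\temp\, the staging path the report cites."""
    return bool(ADMIN_SHARE_TEMP.search(e["CommandLine"]))


def is_remote_exec(e):
    """PsExec against a remote host, or WMIC remote process creation."""
    return bool(REMOTE_EXEC.search(e["CommandLine"]))


STAGES = (
    ("initial_access_rundll32", is_rundll32_unusual_dll),
    ("ad_recon_adfind", is_adfind),
    ("cred_dump_lsass", is_lsass_dump),
    ("lateral_rdp", is_rdp_client),
    ("deploy_stage_admin_share", is_admin_share_staging),
    ("deploy_remote_exec", is_remote_exec),
)


def tag_events(events):
    """Return (timestamp, host, stage) for every event matching a stage rule, oldest first."""
    hits = []
    for e in events:
        for stage, rule in STAGES:
            if rule(e):
                hits.append((datetime.fromisoformat(e["time"]), e["host"], stage))
    return sorted(hits)


def correlate(hits, window=timedelta(hours=4), min_stages=3):
    """Scenario-style correlation: the earliest window of length `window` holding
    at least `min_stages` distinct stages. Hosts are deliberately not required to
    match, since the chain hops from the first workstation to servers reached over
    RDP. Returns None when no window qualifies."""
    for i, (t0, _, _) in enumerate(hits):
        in_window = [h for h in hits[i:] if h[0] - t0 <= window]
        stages = sorted({stage for _, _, stage in in_window})
        if len(stages) >= min_stages:
            return {"start": t0, "end": in_window[-1][0], "stages": stages,
                    "hosts": sorted({host for _, host, _ in in_window})}
    return None


if __name__ == "__main__":
    for t, host, stage in tag_events(EVENTS):
        print(f"{t:%H:%M} {host:6} {stage}")
    print(correlate(tag_events(EVENTS)))
```

Run as a script it prints the six tagged stages (the benign shell32 rundll32 record is not tagged) and a single correlation result spanning 09:00 to 11:25 across WS01 and SRV01, well inside the four-hour bound. Tune window and min_stages to the environment; the rules are intentionally narrow to the report's tradecraft and would need broadening (for example, other LSASS dumping methods) for general use.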