A ransomware strain first seen in August 2021, known as Quantum ransomware, has been observed in attacks that researchers describe as unusually fast: the intrusion escalates through a targeted network before the security defences in place can detect it and respond.
According to the research analysis, the attack needed only a little over three hours from initial infection to encryption of the target device, making it a very rapid infection chain on the part of the threat actors.
Using the IcedID malware as the initial access tool, the attackers deploy Cobalt Strike for remote access, after which the Quantum Locker ransomware carries out data theft and encryption.
The IcedID malware was presumed to have been delivered through a phishing email that contained an ISO file. This malware is a modular banking trojan usually utilised during the second-stage payload deployment in an attack.
A couple of hours after the initial infection on a device, the hackers will inject Cobalt Strike to bypass security detection. Furthermore, at this point, they have also stolen Windows domain credentials through memory dumping of Local Security Authority Subsystem Service or LSASS, enabling them to move laterally within the victims’ network.
In the hours that follow, the attackers make RDP connections to other servers in the environment. Once they have mapped the domain’s layout, they stage the ransomware by copying it to each host via the C$ administrative share.
Using WMI and PsExec, the attackers then launch the Quantum ransomware and begin the encryption process.
The whole process took less than four hours and is usually carried out at the weekend or at night, when users are away from their devices, which leaves defenders and security admins less able to detect the intrusion and respond quickly.
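The chain described above (LSASS memory access, RDP lateral movement, copying a payload to the C$ share, PsExec execution) maps onto a handful of Windows and Sysmon event types. The following is an added detection example, not code from the article or from the researchers it cites; the event field names, host names, timestamps and the LSASS allow-list are constructed for illustration and would need tuning to a real estate.

```python
"""Triage of the intrusion chain described above over constructed log lines.

Assumptions (not from the article): events are simplified dicts modelled
loosely on Sysmon (event 10 = process access) and Windows Security/System
events (4624 logon type 10 = RDP logon, 5145 = network share access,
7045 = service installed). Field names and sample values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events covering the later stages of the chain.
SAMPLE_EVENTS = [
    # Sysmon 10: an unknown user-profile binary reading LSASS memory
    {"ts": "2021-09-04T01:15:00", "host": "WS01", "event_id": 10,
     "source_image": r"C:\Users\alice\AppData\Roaming\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # Security 4624, logon type 10: RDP logon to a server from WS01
    {"ts": "2021-09-04T02:40:00", "host": "SRV01", "event_id": 4624,
     "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "10.0.1.20"},
    # Security 5145: executable written to the C$ admin share of SRV02
    {"ts": "2021-09-04T03:30:00", "host": "SRV02", "event_id": 5145,
     "share": "\\\\*\\C$", "relative_target": "Windows\\Temp\\locker.exe",
     "access_mask": "0x2", "src_ip": "10.0.1.20"},
    # System 7045: PsExec service installed on SRV02
    {"ts": "2021-09-04T03:31:00", "host": "SRV02", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Benign: a text file read over the share, no executable and no write
    {"ts": "2021-09-04T03:35:00", "host": "SRV03", "event_id": 5145,
     "share": "\\\\*\\C$", "relative_target": "Backups\\report.txt",
     "access_mask": "0x1", "src_ip": "10.0.1.50"},
]

# Assumed allow-list of processes that legitimately open LSASS; tune per estate.
LSASS_ALLOWED = {
    r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe", r"c:\windows\system32\msmpeng.exe",
}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".bat", ".ps1")
WRITE_MASK_BITS = 0x2 | 0x4  # 5145 access mask bits for WriteData | AppendData


def classify(event):
    """Return the attack stage an event matches, or None if it is uninteresting."""
    eid = event["event_id"]
    if eid == 10 and event.get("target_image", "").lower().endswith(r"\lsass.exe"):
        if event.get("source_image", "").lower() not in LSASS_ALLOWED:
            return "credential_access_lsass"
    if eid == 4624 and event.get("logon_type") == 10:
        return "lateral_movement_rdp"
    if eid == 5145 and event.get("share", "").endswith("$"):
        target = event.get("relative_target", "").lower()
        mask = int(event.get("access_mask", "0x0"), 16)
        if target.endswith(EXECUTABLE_SUFFIXES) and mask & WRITE_MASK_BITS:
            return "staging_admin_share_write"
    if eid == 7045 and event.get("service_name", "").upper().startswith("PSEXESVC"):
        return "execution_psexec_service"
    return None


def detect(events, window=timedelta(hours=4)):
    """Group matched stages per host; a host showing two or more distinct
    stages inside `window` (the article's whole chain fits in under four
    hours) is rated high, a single stage medium."""
    per_host = defaultdict(list)
    for e in events:
        stage = classify(e)
        if stage:
            per_host[e["host"]].append((datetime.fromisoformat(e["ts"]), stage))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        stages = {s for _, s in hits}
        span = hits[-1][0] - hits[0][0]
        severity = "high" if len(stages) >= 2 and span <= window else "medium"
        findings[host] = {"stages": sorted(stages), "severity": severity}
    return findings


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(host, finding["severity"], ", ".join(finding["stages"]))
```

On the constructed sample, SRV02 is rated high because an executable write to its C$ share and a PsExec service install land a minute apart, while WS01 and SRV01 each show a single stage and the benign read on SRV03 is not reported. The per-host grouping is deliberately simple; in practice the stages would also be correlated across hosts by source IP, since the same workstation drives the RDP sessions and the share writes.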
Quantum Locker is a rebrand of the MountLocker ransomware and the latest name its operators have used since August last year. The attackers also leave ransom note files during the attack, which include a Tor link where victims can negotiate with them.
As in any other ransomware campaign, the Quantum operators threaten to publish the victims’ data if they do not agree to the ransom demands.