Quantum Ransomware is a variant first observed in August 2021, linked to the Quantum Locker operation and assessed to be a rebrand of the MountLocker, AstroLocker, and XingLocker operations.
Most recently, The DFIR Report published an analysis on April 25, 2022, presenting the technical details its researchers observed for the variant. They described it as "one of the fastest ransomware cases" they had seen, with under four hours from initial access to encryption.
The information below is credited to The DFIR Report, whose analysis includes the TTPs and IOCs associated with the variant.
Because Quantum operates under a Ransomware-as-a-Service model, in which affiliates choose their own victims, no confirmed target country or industry has been identified as yet.
Initial access follows the same pattern as many other ransomware groups: IcedID is used for reconnaissance tasks such as running ipconfig, net and systeminfo. IcedID also establishes persistence by creating a scheduled task on the victim's machine. The IcedID payload was most likely (but not confirmed) delivered via a malicious e-mail attachment or link.
After initial access, Cobalt Strike was injected into the cmd.exe process, and direct hands-on-keyboard activity by the threat actors began: AdFind was abused to map the Active Directory structure and nslookup to gather network information on hosts. The Cobalt Strike process was then used to extract credentials from LSASS memory; the credentials were tested with WMI discovery commands, after which the actor connected to the discovered hosts via RDP and attempted to drop a Cobalt Strike DLL beacon on them. This cycle of RDP connection followed by beacon deployment was repeated throughout the environment.
The next step is copying the ransomware payload, identified by the DFIR researchers as 'ttsel.exe', to hosts through the C$ administrative share and executing it remotely via WMI and PsExec. A ransom note named 'README_TO_DECRYPT.html' was dropped on each infected host, containing a link to a portal through which victims can contact the threat actors to negotiate.
The intrusion ends with its impact stage, the encryption of files and folders on the victim's systems. Persistence had already been established earlier, through the scheduled task that IcedID created; the encryption itself is not a persistence mechanism.
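Because the whole chain above runs in under four hours, hunting for it works better as a correlation of stages on one host than as a search for single IOCs. The Python script below is an added example written for this page; it is not Intel 471's Hunt Package code nor anything from The DFIR Report. It runs over constructed, simplified telemetry records (the host names WS01/SRV01/SRV02, the timestamps and the detection thresholds are invented for illustration; the discovery tool names, 'ttsel.exe', the C$ share and 'README_TO_DECRYPT.html' are the ones cited in the text) and flags a host once three or more stages of the chain land on it, reporting the stages in time order and the minutes between the first and last.

```python
"""Stage-correlation hunt for the Quantum intrusion chain described above.

Added example, not code from Intel 471 or The DFIR Report. Input records are
CONSTRUCTED and pipe-delimited, loosely modelled on endpoint telemetry:
  <iso-ts>|<host>|proc|<image path>|<parent image path>
  <iso-ts>|<host>|file|<created file path>
  <iso-ts>|<host>|share|<share name>|<relative target>   (like Security 5145)
  <iso-ts>|<host>|access|<target image path>             (like Sysmon 10)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries named in the text (net.exe spawns net1.exe).
DISCOVERY_TOOLS = {"ipconfig.exe", "net.exe", "net1.exe", "systeminfo.exe",
                   "adfind.exe", "nslookup.exe"}
# Parent processes that indicate remote execution via WMI or PsExec.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}
PAYLOAD = "ttsel.exe"
RANSOM_NOTE = "readme_to_decrypt.html"
DISCOVERY_WINDOW = timedelta(minutes=15)  # hypothetical tuning values
MIN_DISTINCT_DISCOVERY = 3
MIN_STAGES_TO_FLAG = 3

SAMPLE_TELEMETRY = [  # constructed data; hosts and times are invented
    # WS01: IcedID-style discovery burst, LSASS read, later the ransom note.
    r"2022-04-25T10:00:00|WS01|proc|C:\Windows\System32\ipconfig.exe|C:\Windows\System32\cmd.exe",
    r"2022-04-25T10:01:00|WS01|proc|C:\Windows\System32\systeminfo.exe|C:\Windows\System32\cmd.exe",
    r"2022-04-25T10:02:00|WS01|proc|C:\Windows\System32\net.exe|C:\Windows\System32\cmd.exe",
    r"2022-04-25T10:02:01|WS01|proc|C:\Windows\System32\net1.exe|C:\Windows\System32\net.exe",
    r"2022-04-25T10:40:00|WS01|access|C:\Windows\System32\lsass.exe",
    r"2022-04-25T11:05:00|WS01|proc|C:\Users\Public\AdFind.exe|C:\Windows\System32\cmd.exe",
    r"2022-04-25T13:30:00|WS01|file|C:\Users\Public\README_TO_DECRYPT.html",
    # SRV01: payload staged over C$, run via WMI, ransom note written.
    r"2022-04-25T13:20:00|SRV01|share|\\*\C$|ttsel.exe",
    r"2022-04-25T13:21:00|SRV01|proc|C:\ttsel.exe|C:\Windows\System32\wbem\WmiPrvSE.exe",
    r"2022-04-25T13:25:00|SRV01|file|C:\README_TO_DECRYPT.html",
    # SRV02: ordinary admin activity that should not be flagged.
    r"2022-04-25T09:00:00|SRV02|proc|C:\Windows\System32\ipconfig.exe|C:\Windows\System32\cmd.exe",
    r"2022-04-25T09:30:00|SRV02|share|\\*\C$|Temp\patch.msi",
    r"2022-04-25T12:00:00|SRV02|proc|C:\Windows\System32\net.exe|C:\Windows\System32\cmd.exe",
]


def parse_event(line):
    """Split one record into its fields; timestamps are ISO 8601."""
    ts, host, kind, *fields = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "fields": fields}


def basename(path):
    """Case-folded final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def discovery_burst(proc_events):
    """Start time of the first DISCOVERY_WINDOW in which at least
    MIN_DISTINCT_DISCOVERY distinct discovery tools ran, else None."""
    hits = sorted((e["ts"], basename(e["fields"][0])) for e in proc_events
                  if basename(e["fields"][0]) in DISCOVERY_TOOLS)
    for i, (start, _) in enumerate(hits):
        tools = {name for ts, name in hits[i:] if ts - start <= DISCOVERY_WINDOW}
        if len(tools) >= MIN_DISTINCT_DISCOVERY:
            return start
    return None


def hunt(lines):
    """Map each flagged host to its observed stages (time-ordered) and the
    minutes between the first and last stage."""
    by_host = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        by_host[event["host"]].append(event)

    findings = {}
    for host, events in by_host.items():
        stages = {}  # stage name -> first time seen
        start = discovery_burst([e for e in events if e["kind"] == "proc"])
        if start is not None:
            stages["discovery"] = start
        for e in sorted(events, key=lambda x: x["ts"]):
            kind, f = e["kind"], e["fields"]
            if kind == "access" and basename(f[0]) == "lsass.exe":
                stages.setdefault("lsass_access", e["ts"])
            elif kind == "proc" and basename(f[1]) in REMOTE_EXEC_PARENTS:
                stages.setdefault("remote_exec", e["ts"])
            elif kind == "share" and f[0].lower().endswith("c$") and basename(f[1]) == PAYLOAD:
                stages.setdefault("payload_staged", e["ts"])
            elif kind == "file" and basename(f[0]) == RANSOM_NOTE:
                stages.setdefault("ransom_note", e["ts"])
        if len(stages) >= MIN_STAGES_TO_FLAG:
            first, last = min(stages.values()), max(stages.values())
            findings[host] = {
                "stages": sorted(stages, key=stages.get),
                "span_minutes": int((last - first).total_seconds() // 60),
            }
    return findings


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_TELEMETRY).items():
        print(f"{host}: {' -> '.join(finding['stages'])} ({finding['span_minutes']} min)")
```

On the constructed data WS01 is flagged for discovery, LSASS access and the ransom note, SRV01 for the C$ staging of ttsel.exe, WMI-parented execution and the ransom note, while SRV02's lone ipconfig and a normal file copy over C$ stay below the threshold. In production the same idea maps onto real Sysmon event IDs 1, 10 and 11 and Security event 5145; the thresholds here are starting points, not tuned values.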
Get the Free Hunt Packages!
Check Out Other Emerging Threats >
Quantum Ransomware is a variant first observed in August 2021, linked to the Quantum Locker operation and assessed to be a rebrand of the MountLocker, AstroLocker, and XingLocker operations. The rebrand continues the "franchise" RaaS business model the group has used across these names, in which it acts as a supplier to affiliates rather than distributing under its previous name. Observed ransom demands have ranged from $150,000 to multi-million-dollar sums, depending on the victim.
Most recently, The DFIR Report published an analysis on April 25, 2022, presenting the technical details its researchers observed for the variant. They described it as "one of the fastest ransomware cases" they had seen, with under four hours from initial access to encryption. Beyond its speed, the intrusion relies on commodity malware such as IcedID and Cobalt Strike and on legitimate tooling abused for lateral movement and execution, such as WMI and PsExec. Quantum Locker is not a highly active operation at present, with BleepingComputer citing only a handful of attacks each month since its discovery, but it still poses a risk that should be assessed and prepared for, given the prevalence of ransomware and the speed with which this variant executes.