Quantum Ransomware | Intel 471

Quantum Ransomware

May 10, 2022

OVERVIEW

Quantum Ransomware is a variant first discovered in August 2021. It is linked to the Quantum Locker operation and is regarded as a rebrand of the MountLocker, AstroLocker, and XingLocker operations.

Most recently, a DFIR Report was released on April 25, 2022, presenting the technical details its security researchers analyzed about the variant. It was described as "one of the fastest ransomware cases" they had observed, clocking in at under four hours from initial access to encryption.

This information is credited to the DFIR Report, which includes the TTPs and IOCs associated with the variant.

TARGETING

Because Quantum operates under a Ransomware-as-a-Service (RaaS) model, no confirmed target country or industry has been identified as yet.

DELIVERY

Initial access is achieved much as with other ransomware groups: IcedID is used for reconnaissance tasks such as running ipconfig, net and systeminfo, and also to achieve persistence by creating scheduled tasks on the victim's machine. The IcedID payload was most likely (though not confirmed) delivered via a malicious e-mail attachment or link.

QUANTUM INSTALLATION

After initial access, Cobalt Strike is injected into the cmd.exe process and direct hands-on interaction by the threat actors begins: AdFind is abused to map out the Active Directory structure, and nslookup is abused to gather network information about hosts. The Cobalt Strike process was then used to extract credentials from LSASS memory; these were tested with WMI discovery, after which the actor connected via RDP to the discovered host and attempted to drop a Cobalt Strike DLL beacon on it. This pattern of RDP connection followed by beacon deployment was repeated throughout the environment.

The next step is the copying of the ransomware payload, identified by DFIR researchers as 'ttsel.exe', to hosts through the C$ administrative share, where it is executed remotely via WMI and PsExec. The ransom note, with the filename 'README_TO_DECRYPT.html', was dropped on each infected host and points to a portal for contacting the threat actors for negotiation purposes.
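As an added illustration of how a defender could look for the chain described in the DELIVERY and QUANTUM INSTALLATION sections (example code, not from the DFIR Report or Intel 471), the Python below runs a few detections over constructed Sysmon-style process and file events: the IcedID-style discovery burst, payload staging through a C$ share followed by WMI/PsExec execution, and the README_TO_DECRYPT.html note drop. The hostnames, paths, event field names and the choice of WmiPrvSE.exe/PSEXESVC.exe as remote-execution parent processes are assumptions, not indicators from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Tool names come from the chain above; the parents are the service processes that
# WMI and PsExec spawn remote commands under (an assumption about the log source).
RECON_TOOLS = {"ipconfig.exe", "net.exe", "systeminfo.exe", "nslookup.exe", "adfind.exe"}
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}
RANSOM_NOTE = "readme_to_decrypt.html"

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_quantum_chain(events, recon_window=timedelta(minutes=5), recon_min=3):
    """Return (host, finding) tuples in time order; each rule maps to one TTP above."""
    findings, recon, staged = [], defaultdict(list), set()
    for e in sorted(events, key=lambda e: e["time"]):
        host, ts = e["host"].lower(), datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        if e["type"] == "process_create":
            image, parent = _base(e["image"]), _base(e["parent"])
            if image in RECON_TOOLS:
                recon[host].append(ts)
                burst = [t for t in recon[host] if ts - t <= recon_window]
                if len(burst) == recon_min:   # fire once, when the threshold is crossed
                    findings.append((host, "recon burst (IcedID-style discovery)"))
            if parent in REMOTE_EXEC_PARENTS and (host, image) in staged:
                findings.append((host, f"staged payload {image} run via {parent}"))
        elif e["type"] == "file_create":
            target, name = e["target"].lower(), _base(e["target"])
            if target.startswith("\\\\") and "\\c$\\" in target and name.endswith(".exe"):
                remote = target.split("\\")[2]          # host part of the UNC path
                staged.add((remote, name))
                findings.append((remote, f"payload {name} copied via C$ share"))
            elif name == RANSOM_NOTE:
                findings.append((host, "ransom note dropped"))
    return findings

# Constructed Sysmon-style events modelled on the report's sequence (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2022-04-01 09:00:01", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\ipconfig.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"time": "2022-04-01 09:00:04", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"time": "2022-04-01 09:00:09", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\systeminfo.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"time": "2022-04-01 12:30:00", "host": "WS01", "type": "file_create",
     "target": r"\\SRV02\C$\Windows\Temp\ttsel.exe"},
    {"time": "2022-04-01 12:30:20", "host": "SRV02", "type": "process_create",
     "image": r"C:\Windows\Temp\ttsel.exe", "parent": r"C:\Windows\PSEXESVC.exe"},
    {"time": "2022-04-01 12:31:00", "host": "SRV02", "type": "file_create",
     "target": r"C:\Users\Public\README_TO_DECRYPT.html"},
]
```

Calling detect_quantum_chain(SAMPLE_EVENTS) yields one finding per stage of the chain; a lone ipconfig or net call does not trip the burst rule, which keeps routine administration quiet.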

QUANTUM PERSISTENCE

Persistence is achieved with the encryption of files/folders on the victim's system.

Quantum Threat Update

Quantum Ransomware is a variant first discovered in August 2021. It is linked to the Quantum Locker operation and is regarded as a rebrand of the MountLocker, AstroLocker, and XingLocker operations. This continues the "franchise" RaaS business model the group has used across these rebrands, acting as a "supplier" rather than distributing under its previous names. Observed ransom demands have ranged from $150,000 to multiple millions of dollars, depending on the victim.

Most recently, a DFIR Report was released on April 25, 2022, presenting the technical details its security researchers analyzed about the variant. It was described as "one of the fastest ransomware cases" they had observed, clocking in at under four hours from initial access to encryption. The intrusion otherwise relies on malware such as IcedID and Cobalt Strike, as well as legitimate tools abused for malicious ends, such as WMI and PsExec. Quantum Locker is currently not a highly active operation, with BleepingComputer citing only a handful of attacks each month since its discovery, but it still poses a risk that should be assessed and prepared for, given the prevalence of ransomware and the speed at which this intrusion was able to execute.