Quantum Ransomware Attack Detection: Malware Deployed at Lightning Speed

Quantum ransomware has been in the limelight since late summer 2021, being involved in high-speed and dynamically escalating intrusions that left cyber defenders only a short window to timely detect and mitigate threats. According to the DFIR cybersecurity research, the latest Quantum ransomware attack observed ranks as one of the fastest cases that has taken less than 4 hours to deploy ransomware after compromising the targeted environment.

Detect Quantum Ransomware: Sigma Rules

To proactively reveal the notorious Quantum attacks against your organizational environment, you can leverage a set of curated Sigma rules provided by our keen Threat Bounty developers Emir Erdogan and Nattatorn Chuensangarun.

Quantum Ransomware Uses Cobalt Strike Beacon (via pipe_event)

Suspicious Quantum Ransomware Behaviour Detection (via process_creation)

Possible Quantum Ransomware Persistence by Created Scheduled Tasks (via process_creation)

Possible Quantum Ransomware Execution with IcedID Payload (via file_event)

Possible Quantum Ransomware by Transfer Ransomware to Host Across Domain (via process_creation)

Possible Quantum Ransomware use PsExec and WMI to Execute Ransomware (via process_creation)

In a view that the latest Quantum routine presumes leveraging IcedID samples to trigger the infection chain, we encourage you to check the detection content aimed at identifying IcedID-related attacks. The full list of relevant Sigma rules can be accessed in the SOC Prime platform via the following link. 

To track the Sigma rules updates and access the comprehensive batch of detections for Quatum ransomware, hit the View Detections button below. Eager to help the cybersecurity community withstand the nasty cyber-attacks and enrich the content library with your own Sigma-based content? Join our Threat Bounty program and get recurrent rewards for your input.

View Detections Join Threat Bounty

Quantum Ransomware Attack Analysis

The latest attack displays the record time-to-ransom overall covering less than 4 hours. The ransomware attack started with the deployment of the IceID payload on the targeted instance distirbuted via a phishing email. Particularly, ransomware operators hid the IcedID withing the malicious ISO file to pass the email security protections and ensure successful infection.In a couple of hours since the initial attack stage, adversaries triggered the hands-on-keyboard activity dropping  Cobalt Strike malware used for remote access and information stealing. To establish the hassle-free lateral propagation, threat actors dumped Windows Domain creds with the help of LSASS creating RDP connections to accessible servers within the network. Finally, hackers pushed the Quantum payload using WMI and PsExec utilities to encrypt the assets of interest.

Who Is Quantum Locker? 

Quantum Ransomware (aka Quantum Locker) is a successor of the MountLocker RaaS initially revealed in late 2020. Since then, the operators frequently switched their malicious product under such titles as AstroLocker or XingLocker. In summer 2021, Quantum Locker sample started to make rounds on the web. As per reports, the ransom demands for decryption significantly varies, ranging from $150,000 up to $3-4 million payments. Additionally, adversaries apply the double-extortion approach to add even more pressure on Quantum Locker victims.

To reinforce proactive cyber defense capabilities, progressive organizations rely on a collaborative cyber defense approach. Join SOC Prime’s Detection as Code platform to constantly keep up with the growing attack volume and address the latest threats in less than 24 hours.