What is Quantum Ransomware?

July 04, 2023 · 7 min read
Quantum Ransomware Analysis & Detection

Quantum ransomware, a strain that has garnered significant attention since its discovery in July 2021, has proven to be an especially malicious and rapidly evolving form of ransomware. As cybersecurity professionals strive to stay one step ahead of cybercriminals, understanding the intricacies and potential impact of Quantum ransomware becomes imperative. It is a sub-variant of MountLocker ransomware, along with AstroLocker and XingLocker. Despite being less active than its sibling strains, it demands ransom payments ranging from $150,000 to multi-million dollars, which is on par with the parent strain.

One of the most striking features of Quantum ransomware is that it is used in outstandingly speedy attacks. Victims typically have only a few hours between the initial infection and the encryption of their files. Exploiting the element of surprise, attackers frequently strike during off-hours. The Quantum group includes members of Conti, another notorious cybercrime group that recently voluntarily closed its ransomware operations to reemerge as part of other ransomware subgroups encompassing distinct motivations and operational strategies.

The adversaries have established an operational TOR platform specifically designed for ransom negotiation alongside a data-leak platform named “Quantum Blog.” 

A prime target of Quantum ransomware in the past year was actors in the healthcare industry. The group successfully infiltrated a network of 657 healthcare providers, resulting in the theft of the personal information of over 1.9 million victims.

As part of their initial infiltration methods, adversaries employed the IcedID malware (delivered via email) as a means of gaining access, leveraging Cobalt Strike for remote control. This ultimately resulted in the illicit acquisition of sensitive information and the implementation of Quantum Locker for data encryption.

What is Quantum Locker?

Over the course of the last two years, the Quantum Locker ransomware has gained notoriety for its rapid and decisive attacks, granting security operations center teams a narrow timeframe to enact effective response measures. In certain instances, adversaries have managed to deploy the ransomware within a mere four hours of the attack.

Upon falling victim to the breach, targeted companies and individuals are allotted a limited 72-hour window to establish communication with the perpetrators. Failure to do so results in the stolen data being made available on a public website mentioned above in this article, accessible for free downloads by anyone.

To streamline the encryption process, Quantum ransomware identifies and halts database service processes, eliminating their access restrictions to valuable database content and enabling the ransomware to encrypt it. Quantum’s primary encryption procedure employs a .dll or .exe executable, utilizing a hybrid cryptography scheme that employs ChaCha20 for symmetric file encryption and an RSA-2048 public key for encrypting the single ChaCha20 symmetric encryption key.

Using IcedID as Initial Access

Quantum ransomware is distributed through targeted email phishing campaigns, utilizing initial-stage malware such as IcedID or the BumbleBee loader. Written in C++, BumbleBee operates as a loader built around a single function responsible for initialization, response handling, and request transmission. Upon execution on a compromised device, the malware collects the victim’s data and communicates it to the command-and-control (C2) server.

IcedID (also known as BokBot) is a relatively recent malware family classified as both a banking trojan and a remote access trojan (RAT). In terms of capabilities, IcedID stands on par with other advanced banking trojans like Zeus, Gozi, and Dridex. As a second-stage malware, IcedID depends on preceding first-stage malware to establish initial access and facilitate its deployment. Recent discoveries have unveiled new variants of IcedID that deviate from their typical online banking fraud functionality: rather than solely targeting online banking fraud, these iterations prioritize establishing a foothold within compromised systems to facilitate the deployment of additional malicious payloads.

These payloads import the primary Quantum Locker ransomware and supplementary tools onto compromised systems.

The malicious email comprises an .iso image file, housing the IcedID loader in the format of a DLL (dar.dll). Additionally, the email includes a deceptive .LNK shortcut file designed to appear as a legitimate document while actually targeting the IcedID payload.

Subsequently, attackers engage in rapid network reconnaissance, particularly aiming to gain remote desktop (RDP) access to other network hosts. If access to adjacent systems is obtained, attackers manually transfer the Quantum encryption binary, ttsel.exe, to each host’s shared folder.

During the early stages of a Quantum attack, a range of toolkits are employed, including Cobalt Strike Beacon, Rclone, the Ligolo tunneling tool, ProcDump, ADFind, and Local Security Authority Subsystem Service (Lsass.exe), for network reconnaissance and lateral movement. NPPSpy is used for pilfering sensitive data, while living off the land (LOTL) tools like WMI, PsExec, and PowerShell are leveraged as well. It’s important to note that Quantum attacks primarily rely on manual exploitation conducted by human operators rather than on intricate automated scripts or toolkits. One of Quantum’s more sophisticated techniques, known as “process hollowing,” involves initiating a cmd.exe process and injecting Cobalt Strike into the process’s memory to evade detection. To maintain covert operations, Quantum actively detects and terminates processes associated with malware analysis, such as ProcMon, Wireshark, CND, and task manager.
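As an added example (not part of the original article and not one of SOC Prime’s rules), the following Python script turns the attack-chain behaviours described above into simple detection heuristics and runs them over constructed process-creation telemetry. The Sysmon-style field names, the drive-letter heuristic for a mounted ISO, the analysis-tool process names and the database service name hints are all assumptions.

```python
import re

# Analysis tools the article says Quantum terminates (ProcMon, Wireshark, task manager);
# the process names are assumed.
ANALYSIS_TOOLS = ("procmon.exe", "procmon64.exe", "wireshark.exe", "taskmgr.exe")
# Substrings used to recognise database services in "net stop" / "sc stop" commands (assumed).
DB_SERVICE_HINTS = ("mssql", "sqlserver", "oracle", "mysql", "postgres")

def detect(event):
    """Return the detection names fired by one process-creation event.
    Keys follow Sysmon Event ID 1 naming (Image, CommandLine); matching is case-insensitive."""
    img = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    # 1. IcedID staging: rundll32 loading a DLL from a drive other than C:
    #    (the .iso attached to the phishing mail mounts with its own drive letter).
    if img.endswith("rundll32.exe"):
        m = re.search(r'([a-z]):\\[^\s",]*\.dll', cmd)
        if m and m.group(1) != "c":
            hits.append("rundll32_dll_from_non_system_drive")
    # 2. The Quantum encryptor (ttsel.exe) executed, or copied to an admin share
    #    such as \\host\C$ during manual lateral movement.
    if img.endswith("ttsel.exe") or ("ttsel.exe" in cmd and re.search(r"\\\\[^\\]+\\[a-z]\$\\", cmd)):
        hits.append("quantum_ttsel_binary")
    # 3. Pre-encryption: database services stopped so their files can be encrypted.
    if img.endswith(("net.exe", "net1.exe", "sc.exe")) and " stop " in cmd:
        if any(h in cmd for h in DB_SERVICE_HINTS):
            hits.append("database_service_stop")
    # 4. Anti-analysis: monitoring tools killed via taskkill.
    if img.endswith("taskkill.exe"):
        hits.extend(f"analysis_tool_kill:{t}" for t in ANALYSIS_TOOLS if t in cmd)
    return hits

def scan(events):
    """Run detect() over a list of events; return {index: [hits]} for events that fired."""
    return {i: h for i, e in enumerate(events) if (h := detect(e))}

# Constructed sample telemetry (not real logs): four attack-chain events plus one benign rundll32.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": r"rundll32.exe D:\dar.dll,#1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Users\Public\ttsel.exe \\FILESRV01\C$\ttsel.exe"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net stop MSSQLSERVER /y"},
    {"Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /F /IM Procmon.exe /IM Wireshark.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", hits)
```

Each heuristic on its own is noisy in a real environment; the value is in correlating several of them on the same host within the short window the article describes.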

Quantum Ransomware Seen Deployed in Rapid Network Attacks

What sets Quantum Locker ransomware apart is its unparalleled speed of execution. Within a matter of hours, adversaries successfully execute ransomware, leaving security professionals with minimal time to respond effectively. The consequences can be dire, with critical data held hostage and business operations grinding to a halt. Unlike many automated ransomware attacks, Quantum ransomware is predominantly operated by skilled human operators. This manual approach allows attackers to adapt their techniques and evade traditional security measures, making it even more challenging for organizations to detect and mitigate the threat.

Adversaries have embraced speed as a potent weapon, rapidly exploiting vulnerabilities and infiltrating systems within minutes or even seconds. The element of surprise combined with lightning-quick execution has proven highly effective for cybercrooks. The consequences of swiftly executed cyber attacks are far-reaching. Organizations find themselves grappling with compromised data, disrupted operations, and reputational damage in record time. Furthermore, the accelerated pace of these attacks puts tremendous pressure on security teams, who must swiftly identify and contain the breach to minimize impact.

To help organizations keep up with the growing volumes and increased sophistication of Quantum ransomware attacks, SOC Prime Platform offers a set of curated Sigma rules for proactive detection. By clicking the Explore Detections button, teams can obtain the entire list of relevant Sigma rules mapped to MITRE ATT&CK® v12 and enriched with comprehensive cyber threat context. All Sigma rules are also ready to deploy to dozens of security solutions, helping organizations to avoid vendor lock-in.

Quantum Ransomware Background

While Quantum Locker may not exhibit the same level of activity as other prominent ransomware operations like Conti, LockBit, and AVOS, it remains a significant threat that demands attention from network defenders. It is crucial to understand that the threat landscape is constantly evolving, and ransomware groups like Quantum ransomware can quickly adapt their TTPs to exploit vulnerabilities and evade detection. By maintaining an awareness of Quantum Locker’s techniques, defenders can better anticipate and respond to potential attacks, implementing robust security measures, conducting regular backups, patching vulnerabilities promptly, and educating employees about phishing and other social engineering techniques.

Quantum Locker’s reduced activity could be attributed to various factors, including changes in the attackers’ operational focus, shifting priorities, or heightened efforts from cybersecurity professionals to disrupt their operations. However, it is important to note that even a small number of successful attacks can lead to substantial financial losses, reputational damage, and operational disruptions for targeted entities.

Fast cybersecurity attacks have become a troubling new trend, posing significant challenges to organizations worldwide. As adversaries continue to exploit vulnerabilities with lightning speed, it is crucial for businesses to fortify their defenses accordingly.

Explore SOC Prime Platform to arm your team with the best tools each cyber defender should have at hand no matter their maturity level and tech stack in use. Rely on the power of collective industry expertise to benefit from cutting-edge solutions backed by the Sigma language used in combination with the MITRE ATT&CK framework to enable cost-efficient and future-proof cyber defense.
