Quantum Ransomware: How Your Network Can Go from Secure to Fully Encrypted in Under Four Hours
Quantum Ransomware, also known as Quantum Locker, gives organizations limited time to detect and respond to an attack.
Quantum Ransomware can make victim organizations’ networks go from seemingly secure to fully encrypted in less than four hours.
The timeframe from when a user clicks on a phishing email to the ransomware being executed across the entire domain is brief, giving victims a small window of opportunity to detect, respond, and try to mitigate the attack.
Samples of Quantum ransomware were tested against BluVector’s patented Machine Learning Engine (MLE) and were detected. Regression testing shows that BluVector would have detected the Quantum ransomware samples on average 79 months prior to their release.
What Is Quantum Locker?
Recent weeks have seen several different researchers publish their findings related to Quantum ransomware (a.k.a. Quantum Locker), particularly in reference to the speed at which victims have found their networks go from seemingly secure to fully encrypted. In one specific incident, the time that elapsed between a user clicking on a link in a phishing email and when the Quantum ransomware was executed across the entire domain was a mere three hours and 44 minutes. This timeframe gives defenders limited opportunity to detect and respond to the attack, let alone mitigate it. This brief time is all the more impressive, given that Quantum ransomware attacks usually include data exfiltration prior to the ransomware being executed.
In the case of this incident, the initial infection vector was a phishing email with an ISO file attachment. A user clicked on the ISO file to mount it, and then clicked on a Windows link file named “document”. This link file executed a hidden Windows DLL file, which was actually a variant of the IcedID trojan. On execution, the IcedID malware performed numerous network enumeration and reconnaissance commands. Approximately 75 minutes later, the attackers began the interactive phase of their attack. They deployed Cobalt Strike, the commonly misused legitimate penetration testing tool, to extract Windows domain credentials. Using these credentials, over the next hour, the attackers made RDP (Remote Desktop Protocol) connections to numerous servers within the victim organization’s network. Next, they copied Quantum ransomware to the $C shared folder of each endpoint on the network. Finally, using both PsExec and WMI, the Quantum ransomware was remotely executed across each infected system – all in less than four hours.
The precursor to Quantum ransomware, MountLocker, began life in September 2020. It was then successively rebranded as AstroLocker and XingLocker, and finally to Quantum in August of 2021. Though in the incident described here, data exfiltration was not directly observed, it is a part of the Quantum attackers’ normal modus operandi. They run a dark web site named “Quantum Blog”, where they post information on victim organizations, including proof that they have exfiltrated valid data. If the victim does not contact them to begin ransom negotiations within 48 hours, all exfiltrated data is made available on the site. This tactic is known as double extortion and is utilized by most current ransomware attackers. The Quantum Blog site was reviewed for this Threat Report, and it listed 32 different victim organizations with ransom dates beginning in mid-October 2021, including two entries for victim organizations within 24 hours of the date of review of the site. The victim organization’s geographical locations and industry verticals were widely spread, including manufacturing, local government, construction, education, and airlines based in Kuwait and Australia. Information listed for each victim organization includes the amount of data exfiltrated, the name and revenue of the organization, a description of the exfiltrated data, and the number of views the information has received. The files or directory listings provided as examples of proof appear to be genuine.
Figure 1: An example of victim organization information on the Quantum Blog dark web site.
How Does It Propagate?
The malware does not contain the necessary code to self-propagate. The initial attack vector was a malicious file attachment in a phishing email. The attacker manually deploys Quantum ransomware after moving laterally throughout the network.
When/How Did BluVector Detect It?
A total of six samples of Quantum ransomware were tested against BluVector’s patented Machine Learning Engine (MLE) and all were detected. Regression testing shows that BluVector would have detected the Quantum ransomware samples on average 79 months prior to their release.