Quantum Ransomware Strikes
April 26th, 2022 - Written By CyberLabs
The Quantum ransomware, first discovered in August 2021, has been seen in fast-moving attacks that escalate quickly, leaving defenders little time to patch or react. The attackers use the IcedID malware as one of their initial access vectors; it deploys Cobalt Strike for remote access, which leads to data theft and encryption with Quantum Locker. The technical details of a Quantum ransomware attack have been analyzed by a team of security researchers at The DFIR Report, who state that the attack lasted only 3 hours and 44 minutes from initial infection to the completion of encryption on the attacked devices.
The attack is believed to have arrived via a phishing email containing an ISO file attachment; according to The DFIR Report, the attackers used the IcedID malware to gain initial access to the target's device. IcedID is a modular banking trojan that has been in use for the past 5 years, mainly for deploying second-stage payloads, loaders and ransomware. Unfortunately, the combination of IcedID and ISO archives has been used in other recent attacks, since these files are effective at passing through email security controls.
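Because an ISO attachment is the delivery vehicle in this case, the practical defensive takeaway is a mail-gateway check that recognizes disk images by their content rather than by their file name or declared MIME type. The script below is an added example written for this page, not code from The DFIR Report or CyberLabs. It assumes a constructed sample message (built inline) and a hypothetical function name `flag_disk_image_attachments`; the only fact it relies on is that an ISO 9660 image carries the "CD001" volume descriptor signature at byte offset 0x8001.

```python
"""Flag disk-image (ISO) attachments in an e-mail by content, not just by extension."""
import email
from email import policy
from email.message import EmailMessage

# ISO 9660 primary volume descriptor: the string "CD001" at byte 0x8001
# (sector 16 at 2048 bytes per sector, plus one byte for the descriptor type).
ISO9660_MAGIC_OFFSET = 0x8001
ISO9660_MAGIC = b"CD001"
# Extensions a mail gateway would normally treat as disk images.
IMAGE_EXTENSIONS = (".iso", ".img")


def looks_like_iso(data: bytes) -> bool:
    """True if the bytes carry an ISO 9660 volume descriptor signature."""
    end = ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC)
    return len(data) >= end and data[ISO9660_MAGIC_OFFSET:end] == ISO9660_MAGIC


def flag_disk_image_attachments(raw_message: bytes) -> list[dict]:
    """Return one finding per attachment that is, or claims to be, a disk image.

    Both signals are reported separately so a policy can decide to block on
    either: content says ISO (regardless of name) or name says ISO.
    (Hypothetical helper written for this example.)
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        by_content = looks_like_iso(payload)
        by_name = name.lower().endswith(IMAGE_EXTENSIONS)
        if by_content or by_name:
            findings.append({
                "filename": name,
                "declared_type": part.get_content_type(),
                "iso_by_content": by_content,
                "iso_by_extension": by_name,
                "size": len(payload),
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed sample message: one minimal ISO-like blob and one plain PDF.

    The ISO blob is just zero bytes with the volume descriptor signature placed
    at the right offset; it is not a real image, only enough to exercise the check.
    """
    fake_iso = bytearray(ISO9660_MAGIC_OFFSET + 16)
    fake_iso[ISO9660_MAGIC_OFFSET:ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC)] = ISO9660_MAGIC

    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    # Declared as a generic binary type, so a MIME-type-only filter would not see "iso".
    msg.add_attachment(bytes(fake_iso), maintype="application",
                       subtype="octet-stream", filename="invoice.iso")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in flag_disk_image_attachments(build_sample_message()):
        print(finding)
```

Checking the volume descriptor rather than the file name matters because the name and declared content type are attacker-controlled, while the signature has to be present for the mounted image to work; a gateway policy would typically quarantine on either signal and log the mismatch when only one fires.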
It has been stated that the attack took only 4 hours, which is quite fast; such attacks commonly occur late at night or over a weekend, which does not leave a large window for network and security admins to detect and respond to the threat. For more information about the TTPs used by Quantum Locker, The DFIR Report has provided an extensive list of indicators of compromise as well as the C2 addresses that IcedID and Cobalt Strike connected to for communication.