Quantum ransomware seen deployed in rapid network attacks



The Quantum ransomware, a strain first discovered in August 2021, was seen carrying out speedy attacks that escalate quickly, leaving defenders little time to react.


The threat actors are using the IcedID malware as one of their initial access vectors, which deploys Cobalt Strike for remote access and leads to data theft and encryption using Quantum Locker.


The technical details of a Quantum ransomware attack were analyzed by security researchers at The DFIR Report, who say the attack lasted only 3 hours and 44 minutes from initial infection to the completion of encrypting devices.


Using IcedID as initial access


The attack seen by The DFIR Report used the IcedID malware as the initial access to the target's machine, which they believe arrived via a phishing email containing an ISO file attachment.


IcedID is a modular banking trojan that has been in use for the past five years, primarily to deploy second-stage payloads, loaders, and ransomware.


The combination of IcedID and ISO archives has been used in other attacks recently, as ISO files frequently pass through email security controls unchallenged.


Two hours after the initial infection, the threat actors injected Cobalt Strike into a `C:\Windows\SysWOW64\cmd.exe` process to evade detection.



The first steps of the infection chain (DFIR)

At this stage, the intruders stole Windows domain credentials by dumping the memory of LSASS, which allowed them to spread laterally through the network.


"For the next hour, the threat actor proceeded to make RDP connections to other servers in the environment," details DFIR.
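The three stages described above (a Cobalt Strike beacon injected into a SysWOW64 `cmd.exe`, an LSASS memory dump, and an hour of RDP connections fanning out from one host) each leave a distinct trace in host telemetry. The Python below is an added illustration, not code from The DFIR Report or from this article, of one detection rule per stage applied to constructed Sysmon (Event ID 8 CreateRemoteThread, Event ID 10 ProcessAccess) and Windows Security (4624, logon type 10) records embedded inline. The field names, the allowlist of processes that legitimately open LSASS, and the fan-out threshold are assumptions chosen for the example.

```python
"""Rule-based triage for the IcedID -> Cobalt Strike -> LSASS -> RDP chain.

Example code written for this article; the events below are constructed
and not taken from the DFIR report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010  # bit in the Sysmon GrantedAccess mask for reading process memory

# Assumption: processes that legitimately open LSASS and should not raise the rule.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Constructed sample telemetry, reduced to the fields the rules need.
SAMPLE_EVENTS = [
    # Sysmon 8: a remote thread created inside a 32-bit cmd.exe (injection)
    {"ts": "2022-04-20T10:01:00", "id": 8,
     "source": r"C:\Users\user\AppData\Local\Temp\rundll32.exe",
     "target": r"C:\Windows\SysWOW64\cmd.exe"},
    # Sysmon 10: that cmd.exe opens lsass.exe with memory-read rights
    {"ts": "2022-04-20T10:05:12", "id": 10,
     "source": r"C:\Windows\SysWOW64\cmd.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted": "0x1010"},
    # Sysmon 10: routine access by csrss.exe, expected noise
    {"ts": "2022-04-20T10:05:13", "id": 10,
     "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted": "0x1fffff"},
    # Security 4624 logon type 10 (RemoteInteractive): one source, three servers in under an hour
    {"ts": "2022-04-20T10:20:00", "id": 4624, "logon_type": 10,
     "src_ip": "10.0.0.15", "host": "SRV-FILE01", "user": "CORP\\admin"},
    {"ts": "2022-04-20T10:31:00", "id": 4624, "logon_type": 10,
     "src_ip": "10.0.0.15", "host": "SRV-DC01", "user": "CORP\\admin"},
    {"ts": "2022-04-20T10:47:00", "id": 4624, "logon_type": 10,
     "src_ip": "10.0.0.15", "host": "SRV-BACKUP", "user": "CORP\\admin"},
    # A single helpdesk RDP session from another source: below threshold
    {"ts": "2022-04-20T09:00:00", "id": 4624, "logon_type": 10,
     "src_ip": "10.0.0.99", "host": "SRV-FILE01", "user": "CORP\\helpdesk"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_thread_injection(events, targets=("cmd.exe",)):
    """Sysmon 8: a remote thread was created inside a process such as cmd.exe."""
    return [{"rule": "remote_thread_injection", "ts": e["ts"],
             "source": e["source"], "target": e["target"]}
            for e in events
            if e["id"] == 8 and basename(e["target"]) in targets]


def flag_lsass_access(events):
    """Sysmon 10: a non-allowlisted process opened lsass.exe with VM_READ rights."""
    hits = []
    for e in events:
        if e["id"] != 10 or basename(e["target"]) != "lsass.exe":
            continue
        if (int(e["granted"], 16) & PROCESS_VM_READ) == 0:
            continue  # handle without memory-read access, e.g. a query-only open
        if basename(e["source"]) in LSASS_ALLOWED_SOURCES:
            continue
        hits.append({"rule": "lsass_memory_access", "ts": e["ts"], "source": e["source"]})
    return hits


def flag_rdp_fanout(events, window=timedelta(hours=1), min_hosts=3):
    """Security 4624 logon type 10: one source reaches min_hosts distinct hosts within window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    hits = []
    for src, logons in by_src.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):  # sliding window starting at each logon
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append({"rule": "rdp_fanout", "src_ip": src,
                             "hosts": sorted(hosts), "start": t0.isoformat()})
                break  # one finding per source is enough for triage
    return hits


def detect(events):
    """Run all three rules and return the findings in chain order."""
    return flag_thread_injection(events) + flag_lsass_access(events) + flag_rdp_fanout(events)


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Each rule fires on its own, but the value for a responder is the sequence: an injection into `cmd.exe` followed minutes later by that same `cmd.exe` reading LSASS, then RDP logons from the compromised host to several servers, is the shape of the intrusion the report describes and is what makes a 3 hour 44 minute timeline credible. Correlating the three findings by host and time, rather than alerting on each separately, is the natural next step for a SIEM rule.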