Quantum Ransomware Operators Carried Out the Attack in Less Than 4 Hours

The Quantum ransomware, first discovered in August 2021, was used in a fast network attack.

The attackers used the IcedID malware as one of their initial access vectors; IcedID then deployed Cobalt Strike for remote access, which led to data theft and encryption with Quantum.

By the way, our website has instructions on how to remove malware and decrypt files after exposure to such ransomware as: DMAY, MSJD, NUHB and others.

The DFIR Report analysed a Quantum ransomware attack that lasted only 3 hours and 44 minutes from the initial infection to the completion of device encryption.

The attack used the IcedID malware as initial access to the victim’s system. Presumably, the malware was installed by attackers via a phishing email containing an attached ISO file.

IcedID is a modular banking Trojan that has been used over the past five years primarily to deploy second-stage payloads, downloaders, and ransomware. The combination of IcedID and ISO image files is often used in cyberattacks because such files can bypass email security solutions.

Two hours after the initial infection, the attackers injected Cobalt Strike into the C:\Windows\SysWOW64\cmd.exe process to avoid detection.

"This activity included using AdFind through a batch script called adfind.bat to perform discovery of the target organization's Active Directory structure. The threat actors gathered host-based network information by running a batch script named ns.bat, which ran nslookup for each host in the environment," Quantum experts write.

At this point, the criminals stole Windows domain credentials by dumping LSASS memory and spread through the network. The hackers then proceeded to establish RDP connections to other servers in the environment.

Once the criminals had a grasp of the domain structure, they prepared to deploy the ransomware by copying the ransomware (named ttsel.exe) to each system via the C$ share. The attackers eventually used WMI and PsExec to deploy the Quantum ransomware payload and encrypt devices.
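The chain described above (batch-driven AdFind and nslookup discovery, LSASS memory access, payload copied over the C$ share, execution through WMI and PsExec) leaves a predictable trail in host telemetry. The following is an added example, not code from The DFIR Report or from this post: a small Python correlator that classifies constructed Sysmon-style events (event ID 1 process creation, event ID 10 process access) and Windows Security event 5145 (share access) into attack stages, then flags any host where several distinct stages land inside one time window. The field names follow the public Sysmon and Security log schemas; the event values, host names, the `LSASS_ALLOWLIST` contents and the four-hour window are assumptions for illustration.

```python
"""Stage-based correlation over constructed Sysmon / Security events.

Added example; the events, host names and allowlist are constructed
for illustration and are not from the original report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STAGE_DISCOVERY = "discovery"
STAGE_CRED_ACCESS = "credential_access"
STAGE_STAGING = "payload_staging"
STAGE_REMOTE_EXEC = "remote_execution"

# Processes expected to open LSASS handles; tune per environment (assumed list).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev):
    """Return the attack stage an event matches, or None if it is noise."""
    eid = ev["EventID"]
    if eid == 1:  # Sysmon process creation
        name = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        parent_cmd = ev.get("ParentCommandLine", "").lower()
        if name == "adfind.exe":
            return STAGE_DISCOVERY
        # nslookup is common; only the batch-script-driven form is suspicious here
        if name == "nslookup.exe" and parent == "cmd.exe" and ".bat" in parent_cmd:
            return STAGE_DISCOVERY
        # PsExec drops PSEXESVC; WMI remote execution spawns under WmiPrvSE
        if name == "psexesvc.exe" or parent == "wmiprvse.exe":
            return STAGE_REMOTE_EXEC
    elif eid == 10:  # Sysmon process access
        if (_basename(ev.get("TargetImage", "")) == "lsass.exe"
                and ev.get("SourceImage", "").lower() not in LSASS_ALLOWLIST):
            return STAGE_CRED_ACCESS
    elif eid == 5145:  # Security: network share object accessed
        share = ev.get("ShareName", "").lower()
        target = ev.get("RelativeTargetName", "").lower()
        if share.endswith(("c$", "admin$")) and target.endswith(".exe"):
            return STAGE_STAGING
    return None


def stages_by_host(events):
    """Map host name -> list of (timestamp, stage) for events that matched a stage."""
    out = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            out[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), stage))
    return out


def flag_hosts(events, min_stages=3, window=timedelta(hours=4)):
    """Flag hosts showing at least min_stages distinct stages within one window."""
    flagged = {}
    for host, hits in stages_by_host(events).items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {s for t, s in hits[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                flagged[host] = seen
                break
    return flagged


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "UtcTime": "2022-01-01T12:10:00",
     "Image": r"C:\Temp\AdFind.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\Temp\adfind.bat"},
    {"Computer": "WS01", "EventID": 1, "UtcTime": "2022-01-01T12:25:00",
     "Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\Temp\ns.bat"},
    {"Computer": "WS01", "EventID": 10, "UtcTime": "2022-01-01T12:50:00",
     "SourceImage": r"C:\Windows\SysWOW64\cmd.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"Computer": "WS01", "EventID": 1, "UtcTime": "2022-01-01T13:40:00",
     "Image": r"C:\ttsel.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentCommandLine": ""},
    {"Computer": "SRV01", "EventID": 5145, "UtcTime": "2022-01-01T13:30:00",
     "ShareName": r"\\*\C$", "RelativeTargetName": "ttsel.exe", "IpAddress": "10.0.0.10"},
    {"Computer": "SRV01", "EventID": 1, "UtcTime": "2022-01-01T13:35:00",
     "Image": r"C:\Windows\PSEXESVC.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": ""},
    # Benign noise on WS02: allowlisted LSASS reader and an interactive nslookup
    {"Computer": "WS02", "EventID": 10, "UtcTime": "2022-01-01T12:00:00",
     "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"Computer": "WS02", "EventID": 1, "UtcTime": "2022-01-01T12:05:00",
     "Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for host, stages in flag_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
```

With the defaults, only WS01 is flagged (discovery, credential access and remote execution all fall inside four hours); SRV01 shows two stages (payload written over C$, then PSEXESVC started) and is only raised when `min_stages` is lowered to 2, and the benign WS02 activity never matches. The short window matters: in the reported intrusion the whole chain took under four hours, so a correlator that only looks at daily counts would merge these stages with ordinary admin noise.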

[Figure: Quantum ransomware attack, timeline of the attack]


About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.