A group wielding the Quantum Locker ransomware is hitting targets in a blitzkrieg-like manner, going from initial compromise to domain-wide deployment and execution in under four hours, researchers with The DFIR Report are warning.
The Quantum ransomware attack
The threat of ransomware continues unabated and attackers are becoming increasingly adept at executing attacks speedily, giving defenders only a small window of opportunity to detect, respond to and mitigate them. In this particular attack, the threat actor’s time-to-ransom was 3 hours and 44 minutes.
The first half was hands-off and the rest of it involved hands-on-keyboard activity by the group, to deploy ransomware on as many systems as possible.
It all started with an email containing an attachment or link to an ISO image containing the IcedID payload – a tactic that has lately been very successful at fooling security controls. The particular email used in this attack has not been found, but the name of the weaponized ISO file (docs_invoice_173.iso) gives a general idea of its subject.
After the unfortunate user opened the file, the IcedID payload was executed and child processes were spawned to create persistence and start discovering information about the system via built-in Windows utilities. After a Cobalt Strike beacon was deployed, the threat actor “tuned in” to continue the attack and to:
- Discover the target organization’s Active Directory structure (via the Active Directory enumeration tool AdFind)
- Gather host-based network information (via nslookup)
- Extract admin credentials from LSASS memory
- Use the credentials to RDP into a server
- Execute a PowerShell Cobalt Strike Beacon on that server
- Make RDP connections to other servers in the environment
- Deploy the ransomware by copying it to each host through the C$ share folder
- Remotely detonate the Quantum Locker ransomware binary via WMI or PsExec from the Domain Controller
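The chain above is exactly the kind of sequence a SOC can correlate: each step leaves a distinct telemetry footprint (ISO dropped to disk, AdFind and nslookup process creations, a handle opened on LSASS, a type-10 RDP logon, a write to the C$ share, a process spawned by the WMI provider host or the PsExec service). The script below, an added example and not code from The DFIR Report, runs a few constructed, normalized events through one predicate per stage, reports which stages were seen and when, computes the elapsed time from initial access to remote detonation, and raises an alert when several stages land inside a short window. The event normalization (Sysmon 11 → file, Sysmon 1 → process, Sysmon 10 → proc_access, Security 4624 → logon, Security 5145 → share), the host names, the timestamps and the locker file name are all assumptions for illustration; only docs_invoice_173.iso, AdFind, nslookup, LSASS, RDP, C$, WMI and PsExec come from the report.

```python
"""Correlate constructed Windows telemetry into the intrusion chain described above.

Added example (not from The DFIR Report). The event schema and sample data are
assumptions made for illustration, not real telemetry.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime    # event time
    host: str       # host that produced the telemetry
    kind: str       # assumed normalization: file, process, proc_access, logon, share
    detail: str     # path, "parent=... image=..." command info, target image, logon type or share path


# One predicate per stage, in the order the article lists them.
STAGES = [
    ("iso_delivery", lambda e: e.kind == "file" and e.detail.lower().endswith(".iso")),
    ("ad_enum",      lambda e: e.kind == "process" and "adfind" in e.detail.lower()),
    ("dns_recon",    lambda e: e.kind == "process" and re.search(r"\bnslookup\b", e.detail, re.I) is not None),
    ("lsass_access", lambda e: e.kind == "proc_access" and e.detail.lower().endswith("lsass.exe")),
    ("rdp_logon",    lambda e: e.kind == "logon" and e.detail == "10"),          # 4624 logon type 10
    ("admin_share",  lambda e: e.kind == "share" and e.detail.upper().endswith("\\C$")),
    ("remote_exec",  lambda e: e.kind == "process"
                     and re.search(r"parent=(psexesvc|wmiprvse)\.exe", e.detail, re.I) is not None),
]


def correlate(events: List[Event]) -> Dict[str, Event]:
    """Return the first event that satisfies each stage; stages never hit are absent."""
    first: Dict[str, Event] = {}
    for e in sorted(events, key=lambda x: x.ts):
        for name, hit in STAGES:
            if name not in first and hit(e):
                first[name] = e
    return first


def time_to_ransom(events: List[Event]) -> Optional[timedelta]:
    """Elapsed time from the ISO landing on disk to remote detonation, or None if either is missing."""
    hits = correlate(events)
    if "iso_delivery" not in hits or "remote_exec" not in hits:
        return None
    return hits["remote_exec"].ts - hits["iso_delivery"].ts


def fast_chain_alert(events: List[Event], window: timedelta = timedelta(hours=4),
                     min_stages: int = 5) -> bool:
    """True when at least min_stages distinct stages fall inside one sliding window.

    The window defaults to four hours because that is the time-to-ransom the article describes."""
    times = sorted(h.ts for h in correlate(events).values())
    return any(times[i + min_stages - 1] - times[i] <= window
               for i in range(len(times) - min_stages + 1))


# Constructed sample telemetry; the timestamps reproduce the 3h44m the report measured.
T0 = datetime(2022, 1, 1, 9, 0, 0)  # assumed start time
SAMPLE_EVENTS = [
    Event(T0,                          "WS01",  "file",        r"C:\Users\u\Downloads\docs_invoice_173.iso"),
    Event(T0 + timedelta(minutes=2),   "WS01",  "process",     "parent=explorer.exe image=rundll32.exe"),
    Event(T0 + timedelta(hours=1, minutes=50), "WS01", "process", r"parent=cmd.exe image=C:\Temp\AdFind.exe -f objectcategory=person"),
    Event(T0 + timedelta(hours=1, minutes=55), "WS01", "process", "parent=cmd.exe image=nslookup.exe"),
    Event(T0 + timedelta(hours=2, minutes=10), "WS01", "proc_access", r"C:\Windows\System32\lsass.exe"),
    Event(T0 + timedelta(hours=2, minutes=30), "SRV01", "logon", "10"),
    Event(T0 + timedelta(hours=3, minutes=20), "SRV02", "share", r"\\*\C$"),
    Event(T0 + timedelta(hours=3, minutes=44), "DC01", "process", r"parent=WmiPrvSE.exe image=C:\Windows\Temp\locker.exe"),
]

# Ordinary admin activity: a DNS lookup and one RDP logon should not alert.
BENIGN_EVENTS = [
    Event(T0, "WS02", "process", "parent=cmd.exe image=nslookup.exe"),
    Event(T0 + timedelta(minutes=30), "SRV01", "logon", "10"),
]


if __name__ == "__main__":
    for name, ev in correlate(SAMPLE_EVENTS).items():
        print(f"{ev.ts:%H:%M} {ev.host:<6} {name}")
    print("time-to-ransom:", time_to_ransom(SAMPLE_EVENTS))
    print("fast chain alert:", fast_chain_alert(SAMPLE_EVENTS))
    print("benign alert:", fast_chain_alert(BENIGN_EVENTS))
```

The predicates are deliberately loose (any AdFind invocation, any type-10 logon) because each one alone is a weak signal; the value is in the ordering and the elapsed time, which is why the alert keys on how many distinct stages share a window rather than on any single event.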
“While the ransom note indicated the threat actor stole data, we did not observe any overt exfiltration of data; however, it is possible that the threat actors used IcedID or Cobalt Strike to transmit sensitive data,” the researchers noted.
The ransom note left by the malware directs victims to a portal where they can contact and negotiate with the gang.
All in all, the tactics, techniques, and procedures (TTPs) used by the threat actor are not innovative, but the speed with which they managed to go from initial compromise to ransomware deployment is unsettling and extremely unfavorable for defenders. And, unfortunately, this group is not the only one to occasionally exhibit such devastating speediness.
BlackCat ransomware alert
Last week, the FBI released a report on the BlackCat/ALPHV ransomware-as-a-service threat, detailing indicators of compromise and TTPs used by the groups deploying it.
Once again, the tactics and techniques used by these attackers are not unusual, but there is one thing that is: the ransomware is written in the Rust programming language, which improves performance and safety (especially safe concurrency).
“The use of Rust is significant as it is an attempt at attack obfuscation. This uses existing techniques but is obfuscated by using a new programming language that may go beyond existing security controls,” says Dave Klein, Director of Cyber Evangelism for Cymulate.
As AT&T Alien Labs researchers noted, static analysis tools aren’t usually adapted to all programming languages. “For this same reason, Go Language had become more popular among malware coders during last year,” they added.
Klein also pointed out that the other interesting thing the FBI noted is that former Darkside ransomware group members and affiliates are associated with this campaign.
“Similar to Darknet criminal marketplaces: when a marketplace is shut down, the vendors move to a new marketplace. What does that show? When your previous ransomware group gets shut down, the members will take their skill sets and move on to other opportunities,” he concluded.