A new ransomware known as Quantum Locker has been observed in the wild recently. This ransomware is a rebranded version of the MountLocker ransomware campaign that first launched in September of 2020. The DFIR Report recently detailed a case involving this variant. In under four hours, threat actors went from initial access to a domain-wide encryption event.
The initial access vector was an IcedID payload believed to have been delivered via an email. IcedID is a modular banking trojan that consists of DLL files which can be loaded into memory by rundll32.exe. This initial payload has been commonly used by other ransomware gangs, such as REvil, XingLocker and Conti.
Once in, the attacker(s) ran a batch file that executed “nslookup” against every host in the environment. They proceeded to access LSASS memory and extract credentials, which were later used to execute WMI discovery tasks on servers within the victim environment.
In the next hour, the threat actor made remote desktop connections to other servers and copied the ransomware to the admin share (c$) on each host discovered. The payloads were then executed using a combination of three methods: scheduled task, WMI, or PsExec.
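The following detection sketch is an added example, not code from The DFIR Report or the original post: it runs the tradecraft described above (a scripted nslookup sweep, copies to C$ admin shares, and remote execution via scheduled task, WMI or PsExec) against a handful of constructed process-creation events. The host names, the payload file name and the burst thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry):
# (seconds since start, host, parent image, image, command line)
EVENTS = [
    (0, "WS01", "cmd.exe", "nslookup.exe", "nslookup SRV01"),
    (1, "WS01", "cmd.exe", "nslookup.exe", "nslookup SRV02"),
    (2, "WS01", "cmd.exe", "nslookup.exe", "nslookup SRV03"),
    (3, "WS01", "cmd.exe", "nslookup.exe", "nslookup SRV04"),
    (4, "WS01", "cmd.exe", "nslookup.exe", "nslookup SRV05"),
    (5, "WS01", "cmd.exe", "nslookup.exe", "nslookup SRV06"),
    (40, "WS02", "cmd.exe", "nslookup.exe", "nslookup intranet"),  # one-off lookup, benign
    (900, "WS01", "cmd.exe", "cmd.exe", r"cmd /c copy C:\Temp\payload.exe \\SRV02\c$\payload.exe"),
    (905, "WS01", "cmd.exe", "schtasks.exe", r"schtasks /create /s SRV02 /tn upd /tr C:\payload.exe /sc once /st 00:00"),
    (910, "WS01", "cmd.exe", "wmic.exe", r"wmic /node:SRV03 process call create C:\payload.exe"),
    (915, "WS01", "cmd.exe", "PsExec.exe", r"PsExec.exe \\SRV04 -s C:\payload.exe"),
]

NSLOOKUP_BURST = 5    # this many cmd.exe-spawned lookups on one host ...
WINDOW_SECONDS = 60   # ... inside this window looks like a scripted sweep
ADMIN_SHARE = re.compile(r"\\\\[\w.-]+\\c\$")  # UNC path to a C$ admin share

def detect(events):
    """Return (host, rule, detail) tuples for each suspicious event or pattern."""
    findings, lookups = [], defaultdict(list)
    for ts, host, parent, image, cmdline in events:
        img, low = image.lower(), cmdline.lower()
        if img == "nslookup.exe" and parent.lower() == "cmd.exe":
            lookups[host].append(ts)  # counted later as a possible sweep
        if ADMIN_SHARE.search(low) and img in ("cmd.exe", "xcopy.exe", "robocopy.exe", "powershell.exe"):
            findings.append((host, "admin_share_copy", cmdline))
        if img == "schtasks.exe" and "/create" in low and " /s " in low:
            findings.append((host, "remote_scheduled_task", cmdline))
        if img == "wmic.exe" and "/node:" in low and "process call create" in low:
            findings.append((host, "remote_wmi_exec", cmdline))
        if re.fullmatch(r"(psexec|psexesvc)(64)?\.exe", img):
            findings.append((host, "psexec", cmdline))
    # Sliding window over the sorted lookup times of each host
    for host, stamps in lookups.items():
        stamps.sort()
        for i in range(len(stamps) - NSLOOKUP_BURST + 1):
            if stamps[i + NSLOOKUP_BURST - 1] - stamps[i] <= WINDOW_SECONDS:
                findings.append((host, "nslookup_sweep", f"{len(stamps)} lookups"))
                break
    return findings

if __name__ == "__main__":
    for host, rule, detail in detect(EVENTS):
        print(f"{host}: {rule}: {detail}")
```

In a real environment these rules would run over Sysmon or Windows Security event 4688 process-creation data; the point is that each stage the report describes leaves a distinct, cheaply matchable footprint.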
The speed and sophistication of this attack suggest this will not be the last time we see it. For a detailed analysis and breakdown of the attack, visit: https://thedfirreport.com/2022/04/25/quantum-ransomware/.
