Quantum Locker, a rebrand of Mount Locker ransomware, appeared with its new brand in August 2021. Ransomware attacks usually begin with threat actors obtaining access to victim machines by deploying Tactics, Techniques and Procedures (TTPs) to advance in the kill chain before ransomware is executed.
What sets Quantum Locker apart from other ransomware strains is its speed of attack: less than 4 hours elapsed between initial access to the victim machine and domain-wide execution of the Quantum Locker ransomware. The DFIR Report described this as “one of the fastest ransomware cases observed.”
Typically there are significant delays, sometimes days, weeks, or even months, between a threat actor first gaining access to a target machine and detonation of the ransomware. Threat actors must employ a variety of TTPs to gain access, move laterally, and escalate privileges before ransomware can be effectively deployed.
According to the DFIR Report investigation of a Quantum Locker incident, threat actors first gained access to a victim machine through an ISO image used as a malicious lure, which the researchers believe was likely sent via email. ISO images are an increasingly popular lure format among threat actors. Upon opening the image, the user of the target machine sees a shortcut (LNK file) that loads the IcedID trojan when clicked. The threat actors then used IcedID to deploy a Cobalt Strike beacon for follow-on activity such as discovery and lateral movement before deploying Quantum Locker.
Immediately after infection, Quantum ransomware starts encrypting files with a strong encryption algorithm, appending the .quantum extension to file names, and takes over the network, compromising servers.
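One way a defender can catch the behavior just described, a single process renaming many files to the .quantum extension in a short time, is a rate-based detector over file-rename telemetry. This is an added example, not code from the original post or from QRadar EDR; the event fields, the window and threshold values, and the sample process path are assumptions constructed for the example.

```python
# Added example (not from the original post or from IBM QRadar EDR): flag a
# process that renames many files to the .quantum extension within a sliding
# time window. Event schema, window, threshold and sample data are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXTENSION = ".quantum"          # extension Quantum Locker appends (from the write-up)
WINDOW = timedelta(seconds=60)  # sliding window length (assumption)
THRESHOLD = 20                  # renames per window that raise an alert (assumption)

def detect_mass_rename(events, extension=EXTENSION, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per process whose count of renames to `extension`
    reaches `threshold` inside any window of length `window`.
    `events`: dicts with ts (datetime), pid, image, old_path, new_path."""
    recent = defaultdict(deque)   # pid -> timestamps of matching renames
    alerted = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["new_path"].lower().endswith(extension):
            continue              # only renames that add the ransomware extension count
        q = recent[ev["pid"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) >= threshold and ev["pid"] not in alerted:
            alerted[ev["pid"]] = {
                "pid": ev["pid"], "image": ev["image"], "count": len(q),
                "first_seen": q[0], "last_seen": ev["ts"],
            }
    return list(alerted.values())

def sample_events():
    """Constructed telemetry: one process renaming 25 documents in 25 seconds
    (constructed path, not a real indicator) plus one unrelated benign rename."""
    t0 = datetime(2022, 4, 25, 9, 0, 0)
    evs = [{"ts": t0 + timedelta(seconds=i), "pid": 4712,
            "image": "C:\\Users\\user\\AppData\\Local\\Temp\\sample.exe",
            "old_path": f"C:\\Share\\doc{i}.docx",
            "new_path": f"C:\\Share\\doc{i}.docx{EXTENSION}"} for i in range(25)]
    evs.append({"ts": t0 + timedelta(seconds=5), "pid": 1200,
                "image": "C:\\Windows\\explorer.exe",
                "old_path": "C:\\Users\\user\\notes.txt",
                "new_path": "C:\\Users\\user\\notes.old"})
    return evs

if __name__ == "__main__":
    for alert in detect_mass_rename(sample_events()):
        print(alert)
```

The alert fires at the 20th rename, so in the constructed data it is raised within 20 seconds of the first encrypted file, long before the whole share is touched.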
After successful infection, victims are presented with the following ransom note:
Running the attack
IBM Security QRadar EDR, formerly known as ReaQta, detects the threat the moment the Quantum ransomware is executed on the endpoint and provides full visibility of all attacker tactics and techniques via a graphical behavioral tree.
QRadar EDR's behavioral tree maps all processes and behaviors involved in the infection to the tactics and techniques of the MITRE ATT&CK framework.
The rapid deployment of Quantum Locker after initial access highlights the need for an EDR platform with effective threat hunting tools. While ransomware operators often wait extended periods before deploying ransomware, defenders in the Quantum Locker case had only a few hours to detect anomalies before the ransomware began encrypting files.
Automatic detection & protection from binaries with high threat scores
Thanks to its AI algorithms, IBM Security QRadar EDR stopped this ransomware threat immediately, before Quantum Locker could do harm by encrypting files and causing serious business interruption.
Once the threat was neutralized, the alert was autonomously closed by QRadar EDR, reducing the extra actions required of the security team.
With the accelerated rate of attacks, it is important that automation is part of an organization’s response and remediation plan, so that defenders can automatically take action against malicious artifacts.
QRadar EDR assigns threat scores to artifacts in a given infrastructure and can be configured to take action when a score exceeds a specified value. This defensive mechanism works as an additional layer of autonomous detection and response, while significantly reducing the time and effort needed to manage endpoint environments.
By default, all applications and platforms should be built with security in mind. This includes having a security design in the organization’s processes in order to protect both the company and consumers’ data. Organizations should also conduct checks: are the security solutions that they use able to keep up with the pace of threats today? Are employees aware of potential threats encountered?
QRadar EDR's clients stay protected from threats like Quantum Locker ransomware, among others.
To learn more about what makes IBM Security QRadar EDR unique, please visit our website.