
How to Disrupt Quantum Locker Ransomware TTPs | ActZero

Written by Sean Hittel | Jun 22, 2022 4:00:00 AM

2022-07-14 Update: A breach of 657 providers, totalling over 1.9 million patient records, from an attack in February of this year has just been reported. Quantum ransomware has been implicated in this breach. Read on for how to disrupt the TTPs known to be part of this attack.

Getting its name from the .quantum extension appended to the filenames it encrypts and from its data-leak TOR website, “Quantum Blog”, the Quantum Locker ransomware has been around since July 2021. Like other ransomware families such as Conti and REvil, Quantum uses attack tools like IcedID and Cobalt Strike to gain its foothold. One of the factors that makes it both interesting and insidious is that much of the attack appears to be conducted by a live hacker at the keyboard. This means that as one attack element is blocked, the human attacker will pivot to new attack tools until every defense has been evaded: IPS, AV, firewall. All great systems, but automated defenses struggle against human-at-keyboard active attackers.

In this blog I’ll discuss some of the techniques we at ActZero use to confirm that our service will be effective against multi-tiered, human-at-keyboard threats, such as we have seen with Quantum. I examine the particular elements of the attack, list the tactics, techniques and procedures (TTPs) leveraged in the context of the MITRE ATT&CK framework, and explain why precautions beyond automated detection are requisite when facing an active human adversary.

Unique Perspective on Quantum: Detections are Necessary, but Not Sufficient

We aren't a detection engine vendor, and the solution to these hacker-at-keyboard attacks can't be just a detection engine. As an MDR provider, ActZero uses several threat protection technologies on behalf of our customers. As we deploy these solutions, it is important to constantly test that we are delivering the most protection possible against each new threat campaign. This means taking measures beyond alerting, either via automation (made possible by machine learning models with an extremely high signal-to-noise ratio) or via human intervention from our threat hunters. To do the testing required, we use a combination of live malware, internally created exploits and threat simulations to ensure that a given threat campaign would be stopped early enough to prevent the attack from succeeding.

The Quantum Ransomware Process

Quantum ransomware often arrives as an email attachment; once clicked, it mounts an .iso file on the affected host, which in turn launches the malicious file containing the IcedID malware.

The following steps are usually conducted soon thereafter:

  • Persistence and Discovery: IcedID discovery commands are executed, and ultimately persistence is attained using a scheduled task.

  • Execution: Next, cmd.exe is executed and hollowed out to house Cobalt Strike (a dual-use offensive security tool normally used in red-team exercises).

  • Reconnaissance: Then tools such as ADFind are used to reconnoiter the Active Directory installation. The Local Security Authority Subsystem Service (LSASS) is dumped on the local host to gather credentials, and lateral movement begins, targeting systems with Remote Desktop Protocol (RDP) available.

  • Lateral Movement: Each newly accessed system has a similar lateral movement executed until Domain Controllers and file servers are identified, made reachable and ultimately breached.

  • Data Exfiltration: At this point, data is exfiltrated, and the ransomware payload is pushed to all endpoints from the Domain Controller. Finally, file encryption is conducted on all endpoints.

Validating Protection Against Quantum Ransomware

To validate our coverage against this specific threat, we test against the overarching methodologies of an attacker rather than individual attack instances such as file hashes or IPs used in one attack. These individual attack instances, called Indicators of Compromise (IOCs), are great when one knows what one is looking for, but are far too easy for the attacker to change to serve as the basis for any detection evaluation.

Detections need to stand the test of time, and efficacy testing of a security provider needs to evaluate this.

One of the ways we at ActZero like to evaluate whether a security offering will stand the test of time is to decompose known attacks into all their subcomponents and confirm that we block each individual component. This way, I know that an attacker would have to alter a lot of their methodology to evade us. The collection of attack components is often referred to as tactics, techniques, and procedures (TTPs), and we want to thwart the attacker whenever possible by denying them the TTPs available to them.
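The distinction drawn above, between brittle IOCs such as file hashes and durable detections for the behaviours in the attack walkthrough (the rundll32/LNK loader, scheduled-task persistence, AdFind discovery and the LSASS dump), can be made concrete with a small detection script. The following is an added example, not ActZero's tooling: it runs a hash-based IOC match and four behaviour-based rules, keyed to the ATT&CK technique IDs used later in this post, over constructed Sysmon-style process-creation records. Every record, path and hash is made up (the hash strings are placeholders, not real IOCs), and the assumption that persistence is created with schtasks.exe is mine.

```python
"""Hash IOC match beside behaviour-based rules for the Quantum chain.
Added example, not ActZero tooling; every record, path and hash below is
constructed, and the hash strings are placeholders rather than real IOCs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """A Sysmon process-creation record reduced to the fields used here."""
    image: str           # full path of the new process
    cmdline: str         # its command line
    parent: str          # full path of the parent process
    payload_sha256: str  # hash of the file carrying attacker code: the DLL
                         # argument for the rundll32 step, the image otherwise


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# IOC-style detection: the exact loader hash seen in one attack.
KNOWN_BAD_HASHES = {"PLACEHOLDER_SHA256_LOADER_SEEN_ONCE"}


def ioc_hits(events):
    return [ev for ev in events if ev.payload_sha256 in KNOWN_BAD_HASHES]


# Behavioural rules keyed to the ATT&CK techniques used later in this post.
DLL_ARG = re.compile(r'([a-z]):\\[^",]+?\.dll', re.I)


def rundll32_from_mounted_image(ev):
    """T1218.011: explorer (a double-clicked LNK) starts rundll32 with a DLL on
    a drive other than C:; a mounted ISO is exposed as its own drive letter."""
    m = DLL_ARG.search(ev.cmdline)
    return (_base(ev.image) == "rundll32.exe" and _base(ev.parent) == "explorer.exe"
            and m is not None and m.group(1).upper() != "C")


def scheduled_task_created(ev):
    """T1053: schtasks.exe creating a task (assumed mechanism of the persistence step)."""
    return _base(ev.image) == "schtasks.exe" and "/create" in ev.cmdline.lower()


def adfind_domain_discovery(ev):
    """T1018: AdFind.exe, or a renamed copy betrayed by its LDAP filter switch."""
    cl = ev.cmdline.lower()
    return _base(ev.image) == "adfind.exe" or ("-f " in cl and "objectcategory=" in cl)


def lsass_dump_via_procdump(ev):
    """T1003.001: procdump, or a renamed copy using its -ma full-dump switch, aimed at lsass."""
    cl = ev.cmdline.lower()
    return "lsass" in cl and (_base(ev.image).startswith("procdump") or " -ma " in cl)


RULES = [("T1218.011", rundll32_from_mounted_image), ("T1053", scheduled_task_created),
         ("T1018", adfind_domain_discovery), ("T1003.001", lsass_dump_via_procdump)]


def behavioural_techniques(events):
    """Sorted ATT&CK technique IDs whose rule fired on at least one record."""
    return sorted({tid for tid, rule in RULES for ev in events if rule(ev)})


EXPLORER, CMD = r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"
RUNDLL, SCHTASKS = r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\schtasks.exe"

# Constructed records: the chain as seen once, loader hash on the IOC list.
CHAIN_ORIGINAL = [
    ProcEvent(RUNDLL, r"rundll32.exe E:\docs\invoice.dll,DllRegisterServer", EXPLORER,
              "PLACEHOLDER_SHA256_LOADER_SEEN_ONCE"),
    ProcEvent(SCHTASKS, r'schtasks /Create /SC HOURLY /TN Updater /TR "rundll32 C:\Users\Public\u.dll,Run"',
              RUNDLL, "PLACEHOLDER_SHA256_SCHTASKS"),
    ProcEvent(r"C:\Users\Public\AdFind.exe", r'AdFind.exe -f "(objectcategory=computer)"', CMD,
              "PLACEHOLDER_SHA256_ADFIND"),
    ProcEvent(r"C:\Users\Public\procdump64.exe", r"procdump64.exe -ma lsass.exe lsass.dmp", CMD,
              "PLACEHOLDER_SHA256_PROCDUMP"),
]

# Constructed records: the same chain after the loader is rebuilt and the tools
# renamed. Every hash changes; the behaviour does not.
CHAIN_VARIANT = [
    ProcEvent(RUNDLL, r"rundll32.exe F:\scan\report.dll,DllRegisterServer", EXPLORER,
              "PLACEHOLDER_SHA256_REBUILT_LOADER"),
    ProcEvent(SCHTASKS, r'schtasks /create /sc minute /mo 30 /tn Sync /tr "rundll32 C:\ProgramData\s.dll,Run"',
              RUNDLL, "PLACEHOLDER_SHA256_SCHTASKS"),
    ProcEvent(r"C:\Users\Public\af.exe", r'af.exe -f "(objectcategory=person)"', CMD,
              "PLACEHOLDER_SHA256_RENAMED_ADFIND"),
    ProcEvent(r"C:\Users\Public\pd.exe", r"pd.exe -accepteula -ma lsass.exe out.dmp", CMD,
              "PLACEHOLDER_SHA256_RENAMED_PROCDUMP"),
]

# Constructed benign activity the rules must stay quiet on.
BENIGN = [
    ProcEvent(RUNDLL, r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", EXPLORER,
              "PLACEHOLDER_SHA256_RUNDLL32"),
    ProcEvent(SCHTASKS, r"schtasks /Query /TN Updater", CMD, "PLACEHOLDER_SHA256_SCHTASKS"),
]

if __name__ == "__main__":
    for name, evs in (("original", CHAIN_ORIGINAL), ("variant", CHAIN_VARIANT), ("benign", BENIGN)):
        print(name, "ioc hits:", len(ioc_hits(evs)), "techniques:", behavioural_techniques(evs))
```

Rebuilding the loader and renaming AdFind and procdump changes every hash, so the IOC list finds nothing in the variant chain, while all four behavioural rules still fire on it; the benign records (rundll32 loading a system DLL from C:, a schtasks query) produce no hits. The rules are deliberately keyed to properties the operator cannot cheaply change: the parent process, the drive letter a mounted image receives, and the tools' own command-line switches.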

Quantum Ransomware TTPs via MITRE

In the Quantum ransomware, the decomposition of TTPs will look something like this when aligned with the MITRE ATT&CK framework:

| Attack Element | MITRE ATT&CK Technique |
| --- | --- |
| Email attachment with .iso loader | T1204.002 User Execution: Malicious File |
| IcedID: Execute a DLL via Rundll32 over LNK File | T1218.011 System Binary Proxy Execution: Rundll32 |
| IcedID: Process hollowing | T1055.012 Process Injection: Process Hollowing |
| IcedID: Reconnaissance | T1082 System Information Discovery |
| Perform System Discovery for Quantum Ransomware | T1082 System Information Discovery |
| Gather Information about Target Domain using Adfind.bat | T1018 Remote System Discovery |
| Create a Scheduled Task for Quantum Ransomware Persistence | T1053 Scheduled Task/Job |
| Cobalt Strike loader | T1587.001 Develop Capabilities: Malware |
| Cobalt Strike: Create Cobalt Strike Default Named Pipes | T1218.009 System Binary Proxy Execution: Regsvcs/Regasm |
| Cobalt Strike: Mimikatz | T1003 OS Credential Dumping |
| Cobalt Strike: Malleable C2 | T1071.001 Application Layer Protocol: Web Protocols |
| Inject Cmd.exe by using Process Hollowing Technique | T1055.012 Process Injection: Process Hollowing |
| Dump Lsass Process Memory by using Procdump | T1003.001 OS Credential Dumping: LSASS Memory |
| RDP propagation | T1021.001 Remote Services: Remote Desktop Protocol |
| Data warehousing and data exfiltration | T1567 Exfiltration Over Web Service |
| Ransomware Encryption | T1486 Data Encrypted for Impact |

Framing Each Detection as Part of an Attack Chain

Before we go further into the efficacy results against the attack chain, a word on approach: ActZero is a protection-first managed detection and response (MDR) service. This distinction is important when dealing with Quantum Locker ransomware, and with human-at-keyboard attacks more generally. We aim both to block attacks and to equip our threat hunters with the best possible telemetry for analysis and action across the customer’s endpoints, network and cloud. On the endpoint, we start with a top-shelf, blocking-mode endpoint detection and response (EDR) agent. We then train our threat hunters to investigate each detection, using a comprehensive in-house security event review process, as if it were a component of an attack tree that will also contain misses. When we conduct these scenario-based efficacy evaluations, we assume that there will be some misses, as the attacker has the ability to cycle through their toolkit until a miss is attained.

The reason for treating each detection as one event in an attack tree that will contain misses is that 62% of attacks are human-at-keyboard. This means that the live human attacker will notice that an attack element is blocked and pivot from each blocked technique until they get through. Because of this, our threat hunters are trained to treat each blocked attack element as a component of an active attack until proven otherwise. Our block rate (against both individual components of attacks and against attacker campaign objectives more broadly) is a critical indicator against which we evaluate our performance (and that of our competitors).

Responses to Quantum Ransomware TTPs

With this in mind, back to the attack chain used by Quantum, and how we would respond to each element:

| Attack Element | ActZero Response |
| --- | --- |
| Email attachment with .iso loader | Event telemetry available for threat hunting. |
| IcedID: Execute a DLL via Rundll32 over LNK File | Natively Blocked, Event telemetry available for threat hunting. |
| IcedID: Process hollowing | Natively Blocked, Event telemetry available for threat hunting. |
| IcedID: Reconnaissance | Event telemetry available for threat hunting. |
| Perform System Discovery for Quantum Ransomware | Natively Blocked, Event telemetry available for threat hunting. |
| Gather Information about Target Domain using Adfind.bat | Natively Blocked, Event telemetry available for threat hunting. |
| Create a Scheduled Task for Quantum Ransomware Persistence | Natively Blocked, Event telemetry available for threat hunting. |
| Cobalt Strike loader | Natively Blocked, Event telemetry available for threat hunting. |
| Cobalt Strike: Create Cobalt Strike Default Named Pipes | Event telemetry available for threat hunting. |
| Cobalt Strike: Mimikatz | Natively Blocked, Event telemetry available for threat hunting. |
| Cobalt Strike: Malleable C2 | Event telemetry available for threat hunting. |
| Inject Cmd.exe by using Process Hollowing Technique | Natively Blocked, Event telemetry available for threat hunting. |
| Dump Lsass Process Memory by using Procdump | Natively Blocked, Event telemetry available for threat hunting. |
| RDP propagation | Event telemetry available for threat hunting. |
| Data warehousing and data exfiltration | SOC and Customer automatically alerted |
| Ransomware Encryption | Natively Blocked, Event telemetry available for threat hunting. |
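One way to make the attack-tree reasoning above concrete is to encode the response table as a chain of stages, each holding the alternative techniques an operator at the keyboard could pivot between, and then compute where automated blocking stops the chain and where the outcome rests on a threat hunter acting on telemetry. The script below is an added example, not ActZero's method or tooling. The grouping of table rows into stages, the choice of which stages an attacker strictly needs (persistence and discovery are treated as skippable), and the rule that a stage is passable whenever one of its techniques is not natively blocked are my modelling assumptions; the per-technique responses are taken from the table.

```python
"""Attack-chain coverage model built from the response table above.
Added example; the stage grouping and the 'required' flags are assumptions,
the per-technique responses come from the table."""
import copy
from dataclasses import dataclass

BLOCKED, TELEMETRY, ALERT = "natively blocked", "telemetry only", "alert only"


@dataclass
class Stage:
    name: str
    techniques: dict       # technique -> response recorded in the table
    required: bool = True  # False: the attacker can skip this stage entirely


# Table rows grouped (by me) into stages whose members are alternatives a
# human operator could pivot between after seeing a sibling technique fail.
CHAIN = [
    Stage("User execution", {"Email attachment with .iso loader": TELEMETRY}),
    Stage("IcedID execution", {"Execute a DLL via Rundll32 over LNK File": BLOCKED,
                               "IcedID process hollowing": BLOCKED}),
    Stage("Persistence", {"Create a scheduled task": BLOCKED}, required=False),
    Stage("Discovery", {"IcedID reconnaissance": TELEMETRY,
                        "System discovery": BLOCKED,
                        "Domain discovery with Adfind.bat": BLOCKED}, required=False),
    Stage("Cobalt Strike deployment", {"Cobalt Strike loader": BLOCKED,
                                       "Inject cmd.exe via process hollowing": BLOCKED}),
    Stage("Cobalt Strike C2", {"Default named pipes": TELEMETRY,
                               "Malleable C2": TELEMETRY}),
    Stage("Credential access", {"Mimikatz": BLOCKED,
                                "Dump LSASS with Procdump": BLOCKED}),
    Stage("Lateral movement", {"RDP propagation": TELEMETRY}),
    Stage("Exfiltration", {"Data warehousing and exfiltration": ALERT}),
    Stage("Impact", {"Ransomware encryption": BLOCKED}),
]


def open_alternatives(stage):
    """Techniques at this stage that are not natively blocked: the options left
    to an operator who has just watched a sibling technique get stopped."""
    return [t for t, r in stage.techniques.items() if r != BLOCKED]


def analyse(chain):
    """Where automation stops the chain, and where hunters must act."""
    fully_blocked = [s.name for s in chain if not open_alternatives(s)]
    hunter_dependent = {s.name: open_alternatives(s)
                        for s in chain if open_alternatives(s)}
    # Each fully blocked *required* stage is one the attacker must evade (by
    # finding a tool the EDR misses) before encryption can start.
    evasions = sum(1 for s in chain if s.required and not open_alternatives(s))
    return {
        "first_automated_block": fully_blocked[0] if fully_blocked else None,
        "fully_blocked_stages": fully_blocked,
        "hunter_dependent_stages": hunter_dependent,
        "evasions_needed_to_reach_impact": evasions,
    }


def what_if(chain, technique, response):
    """Re-run the analysis with one response changed, e.g. to see what a single
    missed tool does to the chain. The input chain is left untouched;
    an unknown technique name raises KeyError."""
    chain = copy.deepcopy(chain)
    for stage in chain:
        if technique in stage.techniques:
            stage.techniques[technique] = response
            return analyse(chain)
    raise KeyError(technique)


if __name__ == "__main__":
    base = analyse(CHAIN)
    print("first automated block:", base["first_automated_block"])
    print("stages relying on hunters:", base["hunter_dependent_stages"])
    print("blocks to evade before encryption:", base["evasions_needed_to_reach_impact"])
    # A rebuilt procdump the EDR misses reopens the credential-access stage.
    print(what_if(CHAIN, "Dump LSASS with Procdump", TELEMETRY)["hunter_dependent_stages"])
```

Run against the table as given, the model puts the first automated block at IcedID execution, counts four required stages an operator would have to evade before reaching encryption, and lists user execution, Cobalt Strike C2, lateral movement over RDP and exfiltration as the points where the outcome depends on hunters acting on telemetry. The `what_if` call shows the pivot the post describes: a single missed credential-dumping tool turns a fully blocked stage into a hunter-dependent one and drops the evasion count to three, which is why each blocked component is treated as part of a live attack rather than as a closed case.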

ActZero MDR vs Quantum Ransomware

Leveraging the analysis above, I can conclude that anticipated variants of the Quantum family of ransomware would be prevented at several stages by a combination of our automated tooling and security experts. In addition, this validates the directives to our threat hunters in our endpoint threat-hunting guide, and confirms that our threat hunters have the required expertise to counter a novel human-at-keyboard attack following this lineage.

Assess Your Own Environment

Allow us to prove that this approach blocks the elements we described above. For a detailed look at whether Quantum Locker or other ransomware families are blocked by your present solution, or by ours, try our Ransomware Readiness Assessment. It takes less than an hour and includes detailed attack simulations using simulated malware, including current threats such as Quantum ransomware.