2022-07-14 Update: A breach of 657 providers totalling over 1.9 million patient records, stemming from an attack in February of this year, was just reported. Quantum ransomware has been implicated in this breach. Read on for how to disrupt the TTPs known to be part of this attack.
Getting its name from the .quantum extension appended to the files it encrypts, and from its data-leak Tor site, “Quantum Blog”, the Quantum Locker ransomware has been around since July 2021. Like other ransomware families such as Conti and REvil, Quantum uses attack tools like IcedID and Cobalt Strike to gain its foothold. What makes it both interesting and insidious is that much of the attack appears to be conducted by a live operator at the keyboard. As each attack element is blocked, the human attacker pivots to new attack tools until every defense has been evaded: IPS, AV, firewall. These are all valuable systems, but automated defenses struggle against human-at-keyboard active attackers.
In this blog I’ll discuss some of the techniques we at ActZero use to confirm that our service will be effective against multi-tiered, human-at-keyboard threats such as the one we have seen with Quantum. I examine the individual elements of the attack, list the tactics, techniques and procedures (TTPs) leveraged in the context of the MITRE ATT&CK framework, and explain why precautions beyond automated detection are required when facing an active human adversary.
We aren't a detection engine vendor, and the solution to these hacker-at-keyboard attacks can't be just a detection engine. As an MDR provider, ActZero uses several threat protection technologies on behalf of our customers. As we deploy these solutions, it is important to constantly test that we are delivering the most protection possible against each new threat campaign. This means taking measures beyond alerting, either via automation (made possible by machine learning models with an extremely high signal-to-noise ratio) or via human intervention from our threat hunters. To do the required testing, we use a combination of live malware, internally created exploits and threat simulations to ensure that a given threat campaign would be stopped early enough to prevent the attack from succeeding.
The Quantum ransomware often arrives as an email attachment which, once opened, mounts an .iso image on the affected host; the image in turn launches the malicious file carrying the IcedID malware.
The following steps are usually conducted soon thereafter:
To validate our coverage against this specific threat, we test against the overarching methodologies of an attacker rather than individual attack instances such as the file hashes or IPs used in one attack. These individual attack instances, called Indicators of Compromise (IOCs), are great when one knows what to look for, but they are far too easy for an attacker to change to serve as the basis for any detection evaluation.
Detections need to stand the test of time, and efficacy testing of a security provider needs to evaluate this.
One of the ways we at ActZero evaluate whether a security offering will stand the test of time is to decompose known attacks into all their subcomponents and confirm that we block each individual component. This way, I know that an attacker would have to alter a lot of their methodology to evade us. The collection of attack components is often referred to as Tactics, Techniques, and Procedures (TTPs), and we want to thwart the attacker’s techniques whenever possible by denying the attacker their available TTPs.
In the Quantum ransomware, the decomposition of TTPs will look something like this when aligned with the MITRE ATT&CK framework:
| Attack Element | MITRE ATT&CK Technique |
| --- | --- |
| Email attachment with .iso loader | T1204.002 User Execution: Malicious File |
| IcedID: Execute a DLL via Rundll32 over LNK File | T1218.011 System Binary Proxy Execution: Rundll32 |
| IcedID: Process hollowing | T1055.012 Process Injection: Process Hollowing |
| IcedID: Reconnaissance | T1082 System Information Discovery |
| Perform System Discovery for Quantum Ransomware | T1082 System Information Discovery |
| Gather Information about Target Domain using Adfind.bat | T1018 Remote System Discovery |
| Create a Scheduled Task for Quantum Ransomware Persistence | T1053 Scheduled Task/Job |
| Cobalt Strike loader | T1587.001 Develop Capabilities: Malware |
| Cobalt Strike: Create Cobalt Strike Default Named Pipes | T1218.009 System Binary Proxy Execution: Regsvcs/Regasm |
| Cobalt Strike: Mimikatz | T1003 OS Credential Dumping |
| Cobalt Strike: Malleable C2 | T1071.001 Application Layer Protocol: Web Protocols |
| Inject Cmd.exe by using Process Hollowing Technique | T1055.012 Process Injection: Process Hollowing |
| Dump Lsass Process Memory by using Procdump | T1003.001 OS Credential Dumping: LSASS Memory |
| RDP propagation | T1021.001 Remote Services: Remote Desktop Protocol |
| Data warehousing and data exfiltration | T1567 Exfiltration Over Web Service |
| Ransomware Encryption | T1486 Data Encrypted for Impact |
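As an added illustration of the TTP-level (rather than IOC-level) detection this post argues for, and not ActZero's own code: a small Python matcher that maps constructed process-creation telemetry onto four of the attack elements in the table above and reports which distinct stages of the chain were observed. The rule predicates and the sample events are my own simplified assumptions about how each element appears in endpoint telemetry.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (image path + command line); constructed here."""
    image: str
    cmdline: str

def _rundll32_nonsystem_dll(e):
    # T1218.011: rundll32 loading a DLL that does not live under C:\Windows
    if not e.image.lower().endswith("rundll32.exe"):
        return False
    m = re.search(r'([a-z]:\\[^",]+\.dll)', e.cmdline, re.I)
    return bool(m) and not m.group(1).lower().startswith("c:\\windows\\")

# (technique, attack element from the table, predicate); predicates are my own approximations.
RULES = [
    ("T1218.011", "IcedID: Execute a DLL via Rundll32 over LNK File",
     _rundll32_nonsystem_dll),
    ("T1018", "Gather Information about Target Domain using Adfind.bat",
     lambda e: "adfind" in (e.image + " " + e.cmdline).lower()),
    ("T1053", "Create a Scheduled Task for Quantum Ransomware Persistence",
     lambda e: e.image.lower().endswith("schtasks.exe") and "/create" in e.cmdline.lower()),
    ("T1003.001", "Dump Lsass Process Memory by using Procdump",
     lambda e: "procdump" in e.image.lower() and "lsass" in e.cmdline.lower()),
]

def detect(events):
    """Return [(technique, element, event)] for every event matching a rule."""
    return [(t, el, e) for e in events for t, el, pred in RULES if pred(e)]

def chain_stages(events):
    """Distinct techniques in order of first appearance: each hit is one node of an attack tree."""
    return list(dict.fromkeys(t for t, _, _ in detect(events)))

# Constructed sample telemetry: four Quantum-chain elements and two benign events.
SAMPLE = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe D:\document.dll,DllRegisterServer"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(r"C:\Temp\adfind.exe", r'adfind.exe -f "(objectcategory=computer)"'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"schtasks.exe /create /tn Updater /tr C:\Temp\run.bat /sc onlogon"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Temp\procdump.exe", r"procdump.exe -ma lsass.exe C:\Temp\l.dmp"),
]

if __name__ == "__main__":
    for technique, element, ev in detect(SAMPLE):
        print(technique, element, "<-", ev.cmdline)
```

Because the rules key on behaviour (a system binary loading a DLL from a removable path, a task being created, a tool reading LSASS) rather than on hashes or IPs, swapping the loader's file name or infrastructure does not blind them.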
Before we go further into the efficacy results against the attack chain, a note on approach: ActZero is a protection-first managed detection and response (MDR) service. This distinction matters when dealing with Quantum Locker ransomware, and with human-at-keyboard attacks more generally. We aim both to block attacks and to equip our threat hunters with the best possible telemetry for analysis and action across the customer’s endpoints, network and cloud. On the endpoint, we start with a top-shelf, blocking-mode endpoint detection and response (EDR) agent. We then train our threat hunters to investigate each detection, using a comprehensive in-house security event review process, as if it were one component of an attack tree that will also contain misses. When we conduct these scenario-based efficacy evaluations, we assume there will be some misses, because the attacker has the ability to cycle through their toolkit until a miss is attained.
The reason for treating each detection as one event in an attack tree that will contain misses is that 62% of attacks are human-at-keyboard. A live human attacker will notice that an attack element has been blocked and will pivot from each blocked technique until they get through. Because of this, our threat hunters are trained to treat each blocked attack element as a component of an active attack until proven otherwise. Our block rate (against both individual components of attacks and against attacker campaign objectives more broadly) is a critical indicator against which we evaluate our performance, and that of our competitors.
With this in mind, back to the attack chain used by Quantum, and how we would respond to each element:
| Attack Element | ActZero Response |
| --- | --- |
| Email attachment with .iso loader | Event telemetry available for threat hunting. |
| IcedID: Execute a DLL via Rundll32 over LNK File | Natively Blocked, Event telemetry available for threat hunting. |
| IcedID: Process hollowing | Natively Blocked, Event telemetry available for threat hunting. |
| IcedID: Reconnaissance | Event telemetry available for threat hunting. |
| Perform System Discovery for Quantum Ransomware | Natively Blocked, Event telemetry available for threat hunting. |
| Gather Information about Target Domain using Adfind.bat | Natively Blocked, Event telemetry available for threat hunting. |
| Create a Scheduled Task for Quantum Ransomware Persistence | Natively Blocked, Event telemetry available for threat hunting. |
| Cobalt Strike loader | Natively Blocked, Event telemetry available for threat hunting. |
| Cobalt Strike: Create Cobalt Strike Default Named Pipes | Event telemetry available for threat hunting. |
| Cobalt Strike: Mimikatz | Natively Blocked, Event telemetry available for threat hunting. |
| Cobalt Strike: Malleable C2 | Event telemetry available for threat hunting. |
| Inject Cmd.exe by using Process Hollowing Technique | Natively Blocked, Event telemetry available for threat hunting. |
| Dump Lsass Process Memory by using Procdump | Natively Blocked, Event telemetry available for threat hunting. |
| RDP propagation | Event telemetry available for threat hunting. |
| Data warehousing and data exfiltration | SOC and Customer automatically alerted |
| Ransomware Encryption | Natively Blocked, Event telemetry available for threat hunting. |
Leveraging the analysis above, I can conclude that anticipated variants of the Quantum family of ransomware would be prevented at several stages by a combination of our automated tooling and our security experts. In addition, this validates the directives given to our threat hunters in our endpoint threat-hunting guide, and confirms that our threat hunters have the expertise required to counter a novel human-at-keyboard attack following this lineage.
Allow us to prove that this approach blocks the elements described above. For a detailed look at whether Quantum Locker, or other ransomware families, are blocked by your present solution or by ours, try our Ransomware Readiness Assessment. It takes less than an hour and includes detailed attack simulations using simulated malware, including current threats such as Quantum ransomware.