
4-Hour Time-to-Ransom Seen in Quantum Attack as Accelerated Ransomware Increasingly Common

As part of a recent cyberattack, threat actors deployed ransomware less than four hours after compromising the victim’s environment, according to researchers with The DFIR Report.


The attack started with an IcedID payload being deployed on a user endpoint and led to the execution of Quantum ransomware only three hours and 44 minutes later. DFIR Report researchers described it as one of the fastest ransomware attacks they have observed to date.

In a Ryuk ransomware attack in October 2020, the threat actors started encrypting the victim’s data only 29 hours after the initial breach, but the median global dwell time for ransomware is roughly 5 days, according to Mandiant’s M-Trends 2022 report.

Once the ransomware has been executed, however, the victim’s data may be encrypted within minutes. A recent report from Splunk shows that ransomware needs an average of 43 minutes to encrypt data, while the fastest encryption time is less than 6 minutes.

The IcedID payload in the analyzed Quantum ransomware incident was contained within an ISO image that was likely delivered via email. Inside the image, a file named “document” was in fact a LNK shortcut that launched the IcedID DLL.

Once the DLL was executed, numerous discovery tasks ran leveraging various built-in Windows utilities, and a scheduled task was created to achieve persistence.


Roughly two hours after the initial compromise, Cobalt Strike was deployed within the victim environment, which allowed the attackers to begin ‘hands-on-keyboard’ activity.

Next, the cybercriminals started performing network reconnaissance, including identifying each host within the environment and the victim organization’s Active Directory structure.

The attackers also used Cobalt Strike to extract credentials, then tested them by running remote WMI discovery tasks. The credentials allowed the adversary to establish remote desktop protocol (RDP) connections to a target server, on which they attempted to deploy Cobalt Strike Beacon.

The threat actor then connected to other servers within the environment, also using RDP, after which they prepared the deployment of Quantum ransomware to each host. WMI and PsExec were used to execute the ransomware remotely.
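The chain described in this report (an LNK inside a mounted ISO launching a DLL through rundll32, a scheduled task for persistence, then WMI and PsExec to push the ransomware to other hosts) maps cleanly onto process-creation telemetry. The following is an added example, not code from The DFIR Report or SecurityWeek, of stage-aware detection logic run over a handful of constructed Sysmon-style process-creation events; the hostnames, timestamps, file paths and the assumption that a mounted ISO appears as a non-system drive letter are all illustrative. It also computes the interval between the first initial-access alert and the first remote-execution alert, which is the “time to ransom” figure the article is about.

```python
"""Stage-aware detection over process-creation events, modelled on the
IcedID -> scheduled task -> WMI/PsExec chain described in the article.
Added example; the events below are constructed, not real telemetry."""
import re
from datetime import datetime

SYSTEM_DRIVE = "C:"  # assumption: the OS drive; a mounted ISO gets another letter

# Constructed Sysmon-style process-creation events (hosts, times and paths are made up).
EVENTS = [
    {"ts": "2022-04-01T09:02:11", "host": "WS01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe "E:\document.dll",#1'},            # LNK in mounted ISO -> DLL
    {"ts": "2022-04-01T09:05:40", "host": "WS01",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn Updater /tr "rundll32.exe C:\Users\u\AppData\Local\x.dll,#1" /sc hourly'},
    {"ts": "2022-04-01T09:30:00", "host": "WS01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" C:\Users\u\Documents\q1.docx'},  # benign, must not alert
    {"ts": "2022-04-01T12:40:05", "host": "SRV01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\share\locker.exe"},               # WMI remote execution
    {"ts": "2022-04-01T12:41:30", "host": "SRV02",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe",
     "cmd": r"C:\Windows\PSEXESVC.exe"},                      # PsExec service install
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_from_mounted_image(e):
    """rundll32 spawned by explorer (user opened the LNK) loading a DLL from a
    drive other than the system drive, which is how a mounted ISO shows up."""
    if basename(e["image"]) != "rundll32.exe" or basename(e["parent"]) != "explorer.exe":
        return False
    m = re.search(r'"?([A-Za-z]:)\\', e["cmd"])  # first drive letter in the arguments
    return bool(m) and m.group(1).upper() != SYSTEM_DRIVE


def schtasks_persisting_rundll32(e):
    """schtasks /create whose action re-launches rundll32 (persistence)."""
    cmd = e["cmd"].lower()
    return basename(e["image"]) == "schtasks.exe" and "/create" in cmd and "rundll32" in cmd


def wmi_or_psexec_remote_exec(e):
    """PSEXESVC service binary, or a shell spawned by the WMI provider host."""
    parent, image = basename(e["parent"]), basename(e["image"])
    return image == "psexesvc.exe" or (parent == "wmiprvse.exe" and image in {"cmd.exe", "powershell.exe"})


RULES = [
    ("initial_access", "rundll32 loading DLL from mounted image", rundll32_from_mounted_image),
    ("persistence", "scheduled task re-launching rundll32", schtasks_persisting_rundll32),
    ("remote_exec", "WMI/PsExec remote execution", wmi_or_psexec_remote_exec),
]


def detect(events):
    """Return one alert per (event, matching rule), in event order."""
    alerts = []
    for e in events:
        for stage, name, pred in RULES:
            if pred(e):
                alerts.append({"ts": e["ts"], "host": e["host"], "stage": stage, "rule": name})
    return alerts


def time_to_remote_exec(alerts):
    """Hours from the first initial_access alert to the first remote_exec alert, or None."""
    def first(stage):
        ts = [a["ts"] for a in alerts if a["stage"] == stage]
        return datetime.fromisoformat(min(ts)) if ts else None
    start, end = first("initial_access"), first("remote_exec")
    if start is None or end is None:
        return None
    return (end - start).total_seconds() / 3600


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]:6} {a["stage"]:15} {a["rule"]}')
    print(f"initial access -> remote execution: {time_to_remote_exec(found):.2f} h")
```

The three rules are deliberately narrow so that the benign Word launch produces nothing; in production each would be one detection with its own tuning (for example, excluding rundll32 arguments that point at System32 DLLs), and the stage correlation would be keyed per incident rather than over a flat list.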

The threat actor dropped a ransom note in which they claimed that data was stolen from the environment, but The DFIR Report’s researchers found no evidence of overt data exfiltration. However, IcedID or Cobalt Strike might have been used for data transmission, they say.

Nasser Fattah, North America Steering Committee Chair at Shared Assessments, noted that “the speed at which the adversary was able to take advantage of a compromised machine is mind-blowingly fast.” However, others pointed out that these types of attacks are increasingly common.

“Unfortunately, this type of accelerated ransomware is becoming increasingly common,” the threat intelligence team at Tanium told SecurityWeek. “In fact, Conti leveraged a similar technique three weeks ago, using ISO images, as well as the IcedID malware as an initial infection vector. While it is concerning, this recent Quantum ransomware attack isn’t breaking any records and won’t be the first, or last, time we see something similar.”


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
