As part of a recent cyberattack, threat actors deployed ransomware less than four hours after compromising the victim’s environment, according to researchers with The DFIR Report.
The attack started with an IcedID payload being deployed on a user endpoint and led to the execution of Quantum ransomware only three hours and 44 minutes later. DFIR Report researchers described it as one of the fastest ransomware attacks they have observed to date.
In a Ryuk ransomware attack in October 2020, the threat actors started encrypting the victim’s data only 29 hours after the initial breach, but the median global dwell time for ransomware is roughly 5 days, according to Mandiant’s M-Trends 2022 report.
Once the ransomware has been executed, however, the victim’s data may be encrypted within minutes. A recent report from Splunk shows that ransomware needs an average of 43 minutes to encrypt data, while the fastest encryption time is less than 6 minutes.
The IcedID payload in the analyzed Quantum ransomware incident was contained within an ISO image that was likely delivered via email. The malware was hidden in the form of a file named “document,” which was a LNK file designed to execute a DLL (IcedID).
Once the DLL was executed, numerous discovery tasks ran leveraging various built-in Windows utilities, and a scheduled task was created to achieve persistence.
[ READ: FBI Shares Information on BlackCat Ransomware Attacks ]
Roughly two hours after the initial compromise, Cobalt Strike was deployed within the victim environment, which allowed the attackers to begin ‘hands-on-keyboard’ activity.
Next, the cybercriminals started performing network reconnaissance, including identifying each host within the environment and the victim organization’s active directory structure.
The attackers also employed Cobalt Strike to extract credentials and tested them to run remote WMI discovery tasks. The credentials allowed the adversary to establish remote desktop protocol (RDP) connections to a target server, on which they attempted to deploy Cobalt Strike Beacon.
The threat actor then connected to other servers within the environment, also using RDP, after which they prepared the deployment of Quantum ransomware to each host. WMI and PsExec were used to execute the ransomware remotely.
The threat actor dropped a ransom note in which they claimed that data was stolen from the environment, but The DFIR Report’s researchers found no evidence of overt data exfiltration. However, IcedID or Cobalt Strike might have been used for data transmission, they say.
Nasser Fattah, North America Steering Committee Chair at Shared Assessments, noted that “the speed at which the adversary was able to take advantage of a compromised machine is mind-blowingly fast.” However, others pointed out that these types of attacks are increasingly common.
“Unfortunately, this type of accelerated ransomware is becoming increasingly common,” the threat intelligence team at Tanium told SecurityWeek. “In fact, Conti leveraged a similar technique three weeks ago, using ISO images, as well as the IcedID malware as an initial infection vector. While it is concerning, this recent Quantum ransomware attack isn’t breaking any records and won’t be the first, or last, time we see something similar.”
Related: Conti Ransomware Gang Claims Cyberattack on Wind Turbine Giant Nordex
Related: Researchers Find Python-Based Ransomware Targeting Jupyter Notebook Web Apps